UAC-0247 Targets Ukrainian Healthcare via Data-Theft Malware
- [01] UAC-0247 is actively stealing sensitive credentials and communication data from Ukrainian healthcare and government workers.
- [02] Affected systems include Chromium-based web browsers and the WhatsApp desktop application used on Windows-based workstations.
- [03] Defenders must implement strict application whitelisting and monitor for unauthorized data exfiltration from browser profile directories.
The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a specialized APT group designated as UAC-0247. This group has shifted its focus toward municipal healthcare institutions and government agencies. Between March and April, the campaign specifically targeted clinics and emergency hospitals. According to The Hacker News, the attackers use data-theft malware designed to exfiltrate communications and credentials from critical civilian infrastructure.
Analyzing the UAC-0247 Targets Ukrainian Healthcare Campaign
The threat actor demonstrates a clear intent to compromise the integrity of Ukrainian emergency medical services. By focusing on municipal clinics and emergency hospitals, the attackers likely leverage the high-stress environment of healthcare providers during wartime to increase the success rate of their initial infection vectors, which often include phishing. The activity observed in early 2026 indicates a sustained effort to harvest intelligence from civilian infrastructure that remains critical to the state’s resilience and public health operations.
Malware Capabilities and Data Exfiltration
The malware deployed by UAC-0247 is specifically engineered to target local data stored by Chromium-based web browsers. This includes Google Chrome, Microsoft Edge, and Brave. To detect Chromium browser data theft, security teams must monitor for unauthorized access to the “User Data” directories within the local AppData folder. Information-stealers typically target the Login Data and Cookies SQLite databases. Accessing these files allows an attacker to extract stored credentials and session tokens. Session token theft is particularly dangerous as it allows the adversary to bypass Zero Trust architectures and multi-factor authentication (MFA) by hijacking an active session without needing the user’s password.
Furthermore, the malware focuses on the WhatsApp desktop application. In many Ukrainian municipal services, WhatsApp is used for rapid communication between emergency responders and administrative staff. By extracting databases and session keys from the WhatsApp directory, UAC-0247 can gain access to private communications, contact lists, and shared documents. This access can reveal sensitive medical logistics, personnel movements, or government directives that could be used for further TTP development or kinetic coordination.
Impact on Government and Municipal Infrastructure
The targeting of healthcare is not merely a data breach; it represents a threat to operational security within the region. When an IoC is identified within an emergency hospital network, the subsequent SOC response must account for the potential that the attackers have already performed Lateral Movement within the internal network. The theft of browser data from government employees could lead to the compromise of secondary portals, including social services and internal administrative tools.
WhatsApp Malware Mitigation Steps and Recommendations
Defenders must adopt a proactive stance to secure workstations against these adversaries. To implement effective WhatsApp malware mitigation steps, organizations should restrict the installation of desktop messaging apps to authorized personnel and ensure that all local application data is protected via hardware-backed security modules where possible.
- Monitor for Browser Profile Access: Utilize EDR solutions to flag any process other than the browser itself attempting to read the “Local State” or “Login Data” files.
- Application Whitelisting: Prevent the execution of unverified binaries in the %TEMP% and %APPDATA% directories, which are common staging grounds for UAC-0247 payloads.
- Session Management: Reduce the lifespan of web sessions and enforce re-authentication for critical government and healthcare portals to minimize the utility of stolen session cookies.
- Network Segmentation: Isolate hospital administrative networks from medical device networks to prevent wider spread following an initial infection.
Integrating these detections into a SIEM can provide the visibility needed to identify the early stages of a data-theft campaign before the exfiltration phase is completed.
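The two monitoring recommendations above (flagging reads of “Login Data”, “Cookies” or “Local State” by anything other than the browser, and refusing to trust binaries staged under %TEMP% or %APPDATA%) can be combined into one detection rule. The Python below is an added example, not code from CERT-UA or the article; it runs over constructed file-access events and assumes typical browser install paths and a WhatsApp data directory under the user’s AppData tree.

```python
import re

# Chromium profile files the article names as stealer targets, matched by
# basename (case-insensitive), and the "User Data" directory they live under.
SENSITIVE_BASENAMES = {"login data", "cookies", "local state"}
CHROMIUM_PROFILE_RE = re.compile(
    r"\\appdata\\local\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\",
    re.IGNORECASE,
)
# WhatsApp desktop keeps its data under AppData; the exact sub-path varies by
# build, so only the vendor directory is matched here (assumption).
WHATSAPP_RE = re.compile(r"\\appdata\\(local|roaming)\\whatsapp", re.IGNORECASE)

# Browser images allowed to read their own profile, identified by full path
# suffix so a dropped copy named chrome.exe in %TEMP% is NOT trusted.
# These are assumed typical install locations; adjust for your environment.
ALLOWED_BROWSER_PATHS = (
    "\\program files\\google\\chrome\\application\\chrome.exe",
    "\\appdata\\local\\google\\chrome\\application\\chrome.exe",
    "\\program files (x86)\\microsoft\\edge\\application\\msedge.exe",
    "\\program files\\bravesoftware\\brave-browser\\application\\brave.exe",
)

def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")

def is_trusted_browser(process_path: str) -> bool:
    """True only when the image runs from an expected install location."""
    return any(_norm(process_path).endswith(s) for s in ALLOWED_BROWSER_PATHS)

def is_trusted_whatsapp(process_path: str) -> bool:
    """Assumes the Store-packaged client runs from WindowsApps (assumption)."""
    p = _norm(process_path)
    return p.endswith("\\whatsapp.exe") and "\\windowsapps\\" in p

def classify_access(process_path: str, target_path: str):
    """Return an alert label for a suspicious file read, or None if benign."""
    target = _norm(target_path)
    basename = target.rsplit("\\", 1)[-1]
    if CHROMIUM_PROFILE_RE.search(target) and basename in SENSITIVE_BASENAMES:
        return None if is_trusted_browser(process_path) else "chromium_profile_read"
    if WHATSAPP_RE.search(target) and not is_trusted_whatsapp(process_path):
        return "whatsapp_data_read"
    return None

def scan(events):
    """events: (process_path, target_path) pairs from an EDR file-access feed."""
    return [(p, t, classify_access(p, t)) for p, t in events if classify_access(p, t)]

# Constructed sample events (not real telemetry); the benign browser read and
# the Bookmarks read should pass, the other three should alert.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\nurse\AppData\Local\Temp\update.exe", r"C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\nurse\AppData\Local\Temp\chrome.exe", r"C:\Users\nurse\AppData\Local\Microsoft\Edge\User Data\Local State"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"),
    (r"C:\Users\nurse\AppData\Roaming\update.exe", r"C:\Users\nurse\AppData\Roaming\WhatsApp\Local Storage\leveldb\000003.log"),
]
```

Feeding real EDR file-read events through `scan()` gives the SIEM-ready triples; the path-suffix check is what makes the Application Whitelisting item bite, since a payload renamed to a browser executable but running from %TEMP% still alerts.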