The campaign that arrives via mshta: deception, LNK files and system tools to infiltrate hospitals in Ukraine

Published · 5 min read · 117 reads

A new wave of intrusions that has hit public agencies and health centres, especially clinics and emergency hospitals, again shows how attackers mix traditional techniques with modern tools to steal sensitive information. The alert comes from the Ukrainian computer emergency response team, CERT-UA, which tracked the activity between March and April 2026 and attributed it to a group it identifies as UAC-0247.

The starting point for these intrusions is an emotional hook: e-mails that promise humanitarian aid and contain a link. The link may lead to a legitimate website compromised through a cross-site scripting (XSS) vulnerability, or to a fake portal built with the help of artificial intelligence tools. In either case the real aim is to get the recipient to download a Windows shortcut (LNK file) which, when opened, launches an HTML application (HTA) through the native utility mshta.exe. This execution flow abuses valid system features to run malicious code without raising immediate suspicion.
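The chain described above (a shortcut opened by the user, mshta.exe running an HTA, a hidden second stage) is the kind of parent-child relationship that process telemetry can catch. The following Python is an added example written for this article, not CERT-UA's or the original page's code. It applies detection rules to constructed records in the style of Sysmon Event ID 1 (process creation); the field names, the paths and the sample command lines are assumptions made for illustration. It generalises beyond mshta itself by tainting every descendant of a suspicious mshta process, so the background downloader also surfaces even when it is a benign-looking binary such as cmd.exe.

```python
"""Flag the LNK -> mshta.exe -> HTA execution chain in process-creation telemetry.

Added example; it is not CERT-UA's or the article's code. The records are
constructed in a Sysmon Event ID 1 style (pid, ppid, Image, ParentImage,
CommandLine) and are assumed to be in creation order; field names and
sample values are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Script/HTA hosts the article names as abused system utilities.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# A double-clicked shortcut runs under the interactive shell.
USER_SHELLS = {"explorer.exe"}
# Remote URL, UNC path, or an .hta file on the mshta command line.
REMOTE_OR_HTA = re.compile(r"https?://|\\\\[^\\\s]+\\|\.hta\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Per-event rules; an empty list means nothing suspicious on its own."""
    reasons = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img == "mshta.exe":
        if parent in USER_SHELLS:
            reasons.append("mshta launched from the user shell (shortcut-style)")
        if REMOTE_OR_HTA.search(ev.command_line):
            reasons.append("mshta given a remote URL, UNC path or .hta file")
    elif img in SCRIPT_HOSTS and parent == "mshta.exe":
        reasons.append(f"{img} spawned by mshta (second stage)")
    return reasons


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Apply the rules, then taint every descendant of a suspicious mshta.

    Walking parent -> child lets the downloader or injector that the HTA
    starts in the background surface even when it is a benign-looking
    binary such as cmd.exe. Events must be in creation order.
    """
    hits: dict[int, list[str]] = {}
    tainted: set[int] = set()
    for ev in events:
        reasons = classify(ev)
        if ev.ppid in tainted:
            reasons.append(f"descendant of suspicious mshta chain (parent pid {ev.ppid})")
        if reasons:
            hits[ev.pid] = reasons
            if basename(ev.image) == "mshta.exe" or ev.ppid in tainted:
                tainted.add(ev.pid)
    return hits


# Constructed sample telemetry (not real CERT-UA indicators).
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # Benign: the user opens PowerShell from the taskbar.
    ProcEvent(150, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
    # The shortcut from the lure e-mail runs mshta against a downloaded HTA.
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Users\olena\Downloads\humanitarian_aid_form.hta"'),
    # The HTA shows a decoy form and spawns cmd to fetch the next stage.
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              "cmd.exe /c powershell -w hidden -c <stage2>"),
    ProcEvent(202, 201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", "powershell -w hidden -c <stage2>"),
    # Benign: the DcomLaunch service starting RuntimeBroker normally.
    ProcEvent(300, 80, r"C:\Windows\System32\RuntimeBroker.exe",
              r"C:\Windows\System32\svchost.exe", "RuntimeBroker.exe -Embedding"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the sample set, the mshta process is flagged twice (shell parent and .hta argument), the cmd.exe and powershell.exe it spawns are flagged only through the descendant walk, and the two benign processes produce nothing. In production the same rules would be fed from Sysmon or EDR process-creation events rather than the inline list.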

Image generated with AI.

While the HTA window shows a form or another decoy to distract the user, an executable is downloaded in the background to inject code into a legitimate system process (for example, RuntimeBroker.exe). In some of the analysed intrusions a two-stage loader was observed, whose second module uses a custom executable format with support for code and data sections, function imports and relocations; in addition, the final payload arrives compressed and encrypted to hinder detection and analysis.

The identified components include a TCP-based reverse shell known as RAVENSHELL, or equivalent variants, which opens a connection to a command-and-control server to receive instructions and run commands via cmd.exe. Tools built in .NET were also downloaded, such as a family named AGINGFLY that acts as a backdoor and communicates with its C2 over WebSockets. A PowerShell script called SILENTLOOP acts as an orchestrator: it manages the execution of commands, updates its settings and obtains the C2 address from a Telegram channel, falling back to alternative methods if that fails.

The final objective described by the researchers was internal reconnaissance of the attacked networks, lateral movement between systems and, above all, the extraction of credentials and sensitive data stored in Chromium-based browsers and in WhatsApp Web. To achieve this, the operators used several open-source utilities that make it possible, for example, to bypass certain Chromium protections in order to reach cookies and saved passwords, to extract and decrypt local WhatsApp Web databases, and to build tunnels from inside the compromised network to exfiltrate information or receive further instructions.

Tools such as Chisel and other tunnelling solutions, which have public repositories and legitimate uses in administration and testing, were repurposed by the attackers to pivot and maintain persistent communication channels. RustScan is cited as an example of a network scanner that facilitates reconnaissance, and in some incidents cryptocurrency-mining software was even found on the compromised machines, pointing to a mix of objectives: from espionage to direct monetisation of access.

Another relevant aspect of the pattern is the targeted distribution to certain groups through encrypted messaging. CERT-UA detected malicious Signal messages containing ZIP files prepared to deploy AGINGFLY using the technique known as DLL side-loading, a way of tricking legitimate applications into loading tampered libraries. This evidence suggests that, in addition to civilian institutions, representatives of the Ukrainian Defence Forces may also have been targeted.

To understand the operational dimension of the threat, it is worth consulting technical sources on each of the elements that appear in the attack. The abuse of legitimate system utilities such as mshta.exe or PowerShell is a well-known pattern documented by vendors and security teams, because it allows attackers to run payloads almost invisibly inside trusted processes. The tunnelling and scanning tools mentioned above, which are public projects on platforms such as GitHub, can be studied to understand how legitimate resources are repurposed for malicious ends; for example, the Chisel project is available in its official GitHub repository and RustScan in its own. The presence of miners such as XMRig is also easy to verify on its official website, xmrig.com.

What practical lessons does this case leave? The first is that effective campaigns combine social engineering with abuse of legitimate system functionality, which calls for controls both at the perimeter and inside the network. Limiting the ability to run LNK shortcuts, HTA applications and JS scripts, and controlling the use of administration utilities such as mshta.exe, powershell.exe or wscript.exe, reduces the attack surface and forces the attacker to use noisier or more complex methods to achieve persistence. Monitoring unusual outbound connections, checking the integrity of critical processes and blocking unknown payloads in e-mail accounts and messaging applications are complementary measures.


At the organisational level, early notification and sharing of indicators of compromise between security agencies and providers speeds up detection and response. Response teams such as CERT-UA publish advisories and analyses that help coordinate mitigation; their portal is at cert.gov.ua. For technical and security teams, it is recommended to review the mitigation guides and the policies for blocking the execution of unsigned files or dangerous file types, and to apply segmentation and least-privilege access controls to limit the scope of an intrusion.

In short, this campaign is a reminder that the combination of credible lures, the exploitation of legitimate websites (or of AI-generated pages) and the use of the system's own administrative tools remains an effective formula for well-resourced actors. The defence consists of reducing exposure windows by applying technical controls, security policies and training so that staff do not fall for the initial bait.

To expand on this information with technical analysis and recommendations, in addition to the official CERT-UA advisory it is useful to review the documentation and alerts on the abuse of Windows utilities and side-loading techniques published by vendors and response centres, as well as the pages and repositories of the tools mentioned above.
