UAC-0247 Malware Campaign Steals Browser and WhatsApp Data from Ukrainian Clinics and Government Agencies
What Happened — A new malware family, dubbed UAC‑0247, was observed delivering a data‑theft payload to municipal healthcare facilities and government offices across Ukraine. The malware harvests credentials, cookies, and chat histories from Chromium‑based browsers and WhatsApp, then exfiltrates the information to command‑and‑control servers.
Why It Matters for TPRM (third‑party risk management) —
- Sensitive patient and governmental data can be exposed, increasing regulatory and reputational risk for third‑party service providers.
- The campaign demonstrates that health‑sector suppliers may become indirect attack vectors for nation‑state or financially motivated actors.
- Early detection relies on vendor‑level security controls (endpoint protection, network monitoring, and secure browser configurations).
Who Is Affected — Healthcare providers (clinics, emergency hospitals) and public sector entities in Ukraine.
Recommended Actions —
- Review any third‑party contracts with Ukrainian health‑care or government service providers for security clauses.
- Verify that vendors enforce hardened browser settings, MFA for WhatsApp Business accounts, and up‑to‑date endpoint protection.
- Require evidence of threat‑intel monitoring and incident‑response capabilities.
Technical Notes — The payload is delivered via a malicious installer (likely phishing‑borne) and exploits no known CVE; it focuses on credential‑stealing from Chromium profiles and WhatsApp local storage. Data types include login credentials, session cookies, and chat logs. Source: The Hacker News
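The technical notes above point at the two data stores this campaign targets (Chromium profile files and WhatsApp local storage) and at vendor‑level endpoint monitoring as the detection layer. The following is an added example, not code from the article or from The Hacker News: a small Python detector that runs over constructed file‑access audit lines and flags any process outside an allow‑list that reads a Chromium credential or cookie store or a WhatsApp local‑storage path. The audit‑line format, the allow‑list of process names, and the `/WhatsApp/` directory pattern are assumptions for illustration; the file names `Login Data`, `Cookies` and `Web Data` are real Chromium profile artefacts. The per‑process summary is what a vendor's SOC would most want: one non‑browser process touching several of these stores in quick succession is a much stronger signal than any single read.

```python
"""Added example (not from the article): flag non-browser processes reading
Chromium credential stores or WhatsApp local storage in file-access audit logs.
Log format, allow-list and the WhatsApp path pattern are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Processes expected to open these stores legitimately (assumed list; tune per fleet).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "whatsapp.exe"}

# Real Chromium profile artefacts holding saved logins, session cookies and form data.
CHROMIUM_STORES = {"Login Data", "Cookies", "Web Data"}

# Assumed placeholder: any path with a WhatsApp directory component counts as
# WhatsApp local storage. Replace with the verified location on your image.
WHATSAPP_DIR = re.compile(r"/WhatsApp/", re.IGNORECASE)

# Constructed audit-line format: <ts> host=<h> proc=<p> op=<op> path="<path>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) op=(?P<op>\S+) path="(?P<path>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str
    category: str
    path: str


def classify_path(path: str) -> Optional[str]:
    """Return the sensitive-store category of a path, or None if uninteresting."""
    norm = path.replace("\\", "/")          # normalise Windows separators
    name = norm.rsplit("/", 1)[-1]
    if name in CHROMIUM_STORES and "/User Data/" in norm:
        return "chromium-credential-store"
    if WHATSAPP_DIR.search(norm):
        return "whatsapp-local-storage"
    return None


def scan(lines) -> List[Finding]:
    """Flag reads of sensitive stores by processes that are not on the allow-list."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["op"] != "read":
            continue                        # malformed line or not a read
        category = classify_path(m["path"])
        if category is None or m["proc"].lower() in ALLOWED_PROCESSES:
            continue
        findings.append(Finding(m["ts"], m["host"], m["proc"], category, m["path"]))
    return findings


def summarize(findings) -> Dict[str, List[str]]:
    """Group findings by process; one process touching several store types is the strongest signal."""
    by_proc: Dict[str, set] = {}
    for f in findings:
        by_proc.setdefault(f.proc, set()).add(f.category)
    return {proc: sorted(cats) for proc, cats in by_proc.items()}


# Constructed sample audit lines: one legitimate browser read, one unrelated
# document read, and a non-browser process sweeping both targeted stores.
SAMPLE_LOG = r'''
2024-01-01T10:00:00Z host=clinic-ws01 proc=chrome.exe op=read path="C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"
2024-01-01T10:00:05Z host=clinic-ws01 proc=updater.exe op=read path="C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"
2024-01-01T10:00:06Z host=clinic-ws01 proc=updater.exe op=read path="C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Cookies"
2024-01-01T10:00:07Z host=clinic-ws01 proc=updater.exe op=read path="C:\Users\nurse\AppData\Roaming\WhatsApp\Local Storage\leveldb\000003.log"
2024-01-01T10:00:09Z host=clinic-ws01 proc=winword.exe op=read path="C:\Users\nurse\Documents\report.docx"
'''

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ts} {f.host} {f.proc} -> {f.category}: {f.path}")
    print(summarize(hits))
```

In production the allow‑list should be keyed on signed image path rather than bare process name, since a stealer can trivially name itself `chrome.exe`; the structure of the check stays the same.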