Back to Intelligence

UAC-0247 Infostealer Campaign: Chromium and WhatsApp Data Theft Detection

SA
Security Arsenal Team
April 16, 2026
6 min read

Between March and April 2026, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed an active cyber campaign orchestrated by the threat actor UAC-0247. This operation aggressively targeted critical infrastructure, specifically municipal healthcare facilities—including emergency hospitals and clinics—and government entities.

The objective of this campaign is precise and dangerous: the theft of sensitive communications and authentication data. The malware deployed in this campaign is designed specifically to exfiltrate data from Chromium-based browsers (Google Chrome, Microsoft Edge, Brave, etc.) and WhatsApp desktop instances. For defenders, the risk is immediate. Compromise of browser data (cookies, saved passwords, history) and WhatsApp logs provides attackers with valid credentials, session hijacking capabilities, and access to sensitive internal communications, facilitating lateral movement and espionage.

This post provides a technical breakdown of the threat TTPs and actionable detection logic to hunt for this infostealer activity within your environment.

Technical Analysis

Threat Actor: UAC-0247 Target Sector: Government, Healthcare (Hospitals, Clinics) Geographic Focus: Ukraine Timeline: March 2026 – April 2026 (Active)

Attack Chain and Mechanics

Based on the indicators provided by CERT-UA, UAC-0247 utilizes an infostealer variant tailored to harvest specific data repositories on Windows endpoints. The attack typically follows this sequence:

  1. Initial Access: While the specific vector (e.g., phishing vs. exploit) was not detailed in the report, targeting of clinics often suggests spear-phishing with malicious attachments or links.
  2. Execution: The malware executes on the victim's workstation, likely running with user privileges.
  3. Data Targeting (The Core TTP): The malware searches for and accesses the following unencrypted or decryptable databases:
    • Chromium Browsers: It targets Login Data (for stored credentials) and Cookies files located in the user's AppData directory (e.g., %LocalAppData%\Google\Chrome\User Data\Default\).
    • WhatsApp Desktop: It targets the decryption keys and message databases (e.g., msgstore.db, key) to reconstruct chat histories.
  4. Exfiltration: The harvested data is compressed and transmitted to a C2 server controlled by the actors.

Exploitation Status: Confirmed Active Exploitation (in-the-wild).

Detection Logic: The Strategy

Infostealers are notoriously noisy because they must interact with the filesystem to read specific files that legitimate applications (browsers/WhatsApp) also touch. However, the key differentiator is process lineage. Legitimate browsers read their own Login Data files. An infostealer (e.g., a PowerShell script, a suspicious executable, or an Office macro) reading these files is a high-fidelity anomaly.

Our detection strategy focuses on identifying unauthorized processes accessing the SQLite databases used by Chromium and WhatsApp.

Detection & Response

SIGMA Rules

YAML
---
title: UAC-0247 Chromium Browser Data Theft
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects unauthorized processes accessing Chromium 'Login Data' or 'Cookies' files, indicative of infostealer activity like UAC-0247.
references:
  - https://cert.gov.ua/article/6103351
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Default\History'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Cookies'
  filter_legitimate_browser:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
  condition: selection and not filter_legitimate_browser
falsepositives:
  - Legacy backup software accessing profile folders
  - Rare legitimate password managers importing browser data
level: high
---
title: UAC-0247 WhatsApp Database Access
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects non-WhatsApp processes accessing the WhatsApp message store or key files, associated with UAC-0247 targeting.
references:
  - https://cert.gov.ua/article/6103351
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack-t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\WhatsApp\Databases\msgstore.db'
      - '\WhatsApp\Databases\wa.db'
      - '\WhatsApp\key'
  filter_legitimate_app:
    Image|endswith: '\WhatsApp.exe'
  condition: selection and not filter_legitimate_app
falsepositives:
  - Manual backup of WhatsApp folder by user
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for UAC-0247 Infostealer Activity
// Detects non-browser processes accessing Chromium Login Data or Cookies
DeviceFileEvents
| where Timestamp >= ago(30d)
| where FolderPath has @"Google\Chrome\User Data\Default" 
   or FolderPath has @"Microsoft\Edge\User Data\Default"
| where FileName in ("Login Data", "Cookies", "History")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, 
          InitiatingProcessCommandLine, FileName, FolderPath, ActionType
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes with open handles to Chromium Login Data or Cookies
-- Excluding the browser processes themselves reduces noise significantly.
SELECT 
  Sys.EventTime as EventTime,
  Process.Name as ProcessName,
  Process.Pid as Pid,
  Process.Exe as ProcessPath,
  Handle.Name as AccessedFile
FROM process_open_handles()
WHERE 
  ( 
    AccessedFile =~ "Login Data" OR 
    AccessedFile =~ "Cookies" 
  )
  AND NOT Process.Name =~ "chrome.exe"
  AND NOT Process.Name =~ "msedge.exe"
  AND NOT Process.Name =~ "brave.exe"
GROUP BY ProcessName, ProcessPath

Remediation Script (PowerShell)

This script audits the Access Control Lists (ACLs) on sensitive browser data directories to ensure that only the user and SYSTEM have access, reducing the ability of malware running in other contexts to read the files.

PowerShell
# UAC-0247 Hardening Script: Audit Chromium User Data Permissions
# Requires Administrator Privileges

$ErrorActionPreference = "SilentlyContinue"
$AuditReport = @()

# Get all user profiles
$Profiles = Get-ChildItem "C:\Users" -Directory

foreach ($Profile in $Profiles) {
    $ChromePath = Join-Path -Path $Profile.FullName -ChildPath "AppData\Local\Google\Chrome\User Data"
    $EdgePath = Join-Path -Path $Profile.FullName -ChildPath "AppData\Local\Microsoft\Edge\User Data"

    $PathsToAudit = @($ChromePath, $EdgePath)

    foreach ($Path in $PathsToAudit) {
        if (Test-Path $Path) {
            $Acl = Get-Acl $Path
            
            # Check for unexpected access (Generic read/write/modify)
            # Expected: BUILTIN\Administrators, NT AUTHORITY\SYSTEM, The User Himself
            $SuspiciousAccess = $Acl.Access | Where-Object { 
                $_.IdentityReference.Value -notin @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM", $Profile.Name) `n                -and $_.FileSystemRights -match "Read"
            }

            if ($SuspiciousAccess) {
                $AuditReport += [PSCustomObject]@{
                    User = $Profile.Name
                    Path = $Path
                    Status = "VULNERABLE"
                    Issue = "Excessive permissions detected for non-owner accounts."
                }
            }
            else {
                Write-Host "[OK] Permissions are tight for: $($Profile.Name)" -ForegroundColor Green
            }
        }
    }
}

if ($AuditReport.Count -gt 0) {
    Write-Host "CRITICAL: Vulnerable permissions found." -ForegroundColor Red
    $AuditReport | Format-Table -AutoSize
}
else {
    Write-Host "Audit Complete. No excessive permissions found on Chromium User Data folders." -ForegroundColor Cyan
}

Remediation

  1. Isolate Compromised Systems: Immediately isolate endpoints exhibiting the TTPs (non-browser processes accessing Login Data) from the network to prevent further exfiltration.
  2. Credential Reset: Assume all saved credentials in browsers on affected systems are compromised. Force a password reset for all accounts accessed from the infected machine, prioritizing email, VPN, and administrative accounts.
  3. Session Termination: Revoke active OAuth sessions and tokens for web applications. Since cookies are stolen, simply changing passwords may not be sufficient if the attacker possesses valid session cookies.
  4. Application Hardening:
    • Enforce Macro Signing and disable macros for users who do not require them.
    • Implement ASR Rules (Attack Surface Reduction) specifically "Block Adobe Reader from creating child processes" and "Block Office applications from creating child processes" to hinder common delivery vectors.
  5. Browser Hygiene: Deploy enterprise policies to discourage or disable password saving in browsers for high-privilege accounts. Consider using dedicated enterprise password managers instead.
  6. Patch and Update: Ensure all Windows endpoints are fully patched, although this specific threat relies on user interaction/data theft rather than a specific OS vulnerability exploitation.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachuac-0247infostealerchromium

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action