Ukraine’s Computer Emergency Response Team (CERT-UA) has disclosed a sophisticated malware campaign targeting government institutions and municipal healthcare organizations across Eastern Europe. The campaign, uncovered in April 2026, leverages customized infostealer malware capable of harvesting credentials from Chromium-based browsers and exfiltrating data from WhatsApp, signaling a deliberate focus on both official communications and personal messaging platforms.
Campaign Overview: Targeting the Public Sector and Healthcare
According to CERT-UA’s disclosure, the campaign has been actively targeting a specific combination of victim types: government bodies at various administrative levels, as well as municipal healthcare institutions including clinics and emergency hospitals. This targeting pattern suggests the threat actor is interested in acquiring a broad picture of government operations combined with sensitive health data — a combination valuable for intelligence gathering, blackmail, and strategic disruption.
The dual targeting of government and healthcare institutions in Eastern Europe is consistent with the operational priorities of several known state-sponsored threat actors, though CERT-UA has not officially attributed this specific campaign to a named group at this time.
Malware Capabilities: Browsers and Messaging Apps in the Crosshairs
The malware deployed in this campaign is primarily designed for credential and data theft rather than destructive operations. Its core capabilities include:
- Chromium-based browser credential theft: The malware targets saved passwords, cookies, and session tokens stored by browsers including Google Chrome, Microsoft Edge, Brave, and other Chromium derivatives. Stolen session cookies are especially valuable because replaying an already-authenticated session lets the attacker bypass multi-factor authentication without ever seeing the second factor.
- WhatsApp data exfiltration: The malware accesses and exfiltrates WhatsApp Desktop databases, including message histories and contact information. This capability is particularly concerning for government officials who may use WhatsApp for informal or sensitive communications.
- Persistence mechanisms: The malware establishes persistence on infected systems to survive reboots, enabling extended access to victim environments.
- Selective data staging: Rather than bulk exfiltration, the malware appears to selectively target high-value files and credentials, suggesting careful operator oversight.
Delivery and Initial Access
While CERT-UA has not published full technical indicators of compromise for this campaign, previous campaigns targeting similar victim profiles in the region have relied heavily on:
- Spear-phishing emails with malicious document attachments impersonating government communications
- Trojanized software or document templates distributed via compromised internal networks or third-party file-sharing platforms
- Exploitation of vulnerabilities in email clients and browser plugins commonly used by government employees
Organizations in the affected sectors should treat any unexpected or unusual email attachments — especially those purporting to come from government agencies, healthcare bodies, or law enforcement — with extreme caution.
Why WhatsApp Is a Critical Intelligence Target
The explicit targeting of WhatsApp data is a notable feature of this campaign. While WhatsApp’s end-to-end encryption protects messages in transit, the desktop application stores decrypted message databases locally on Windows systems. An attacker with access to the local filesystem can read these databases directly without needing to break the encryption.
For government officials and healthcare administrators who use WhatsApp for informal coordination — a common practice, particularly in regions where formal communication channels may be slow or overburdened — this represents a serious operational security risk. Sensitive decisions, contacts, and discussions may all be exposed.
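Both mechanisms the article describes, the browser credential stores listed under the malware's capabilities and the local WhatsApp Desktop databases discussed here, leave the same footprint on the endpoint: a process that is not the browser or the messaging client reads files only the owning application should touch. The following detection sketch is an added example written for this article; it is not CERT-UA's code and is not derived from the campaign's tooling. It assumes that file-access audit records (Windows Security event 4663, which needs a SACL on the watched folders) have been normalized to a process name and an object path; the sample events below are constructed. The Chrome, Edge and Brave profile paths and credential file names are the browsers' real defaults; the WhatsApp Desktop path pattern and process name are assumptions.

```python
"""
Flag reads of Chromium credential stores and WhatsApp Desktop databases by
any process other than the application that owns them, then surface
processes that touched more than one kind of store (a harvesting pattern).
"""
from dataclasses import dataclass
import re

# Credential-bearing files in a Chromium profile (real default file names).
CHROMIUM_SENSITIVE = ("Login Data", "Cookies", "Web Data", "Local State")

# Chromium profile roots and the process expected to read them (real defaults).
CHROMIUM_ROOTS = {
    "\\Google\\Chrome\\User Data\\": "chrome.exe",
    "\\Microsoft\\Edge\\User Data\\": "msedge.exe",
    "\\BraveSoftware\\Brave-Browser\\User Data\\": "brave.exe",
}

# ASSUMPTION: WhatsApp Desktop keeps .db files under a directory whose name
# starts with "WhatsApp", and the legitimate reader is WhatsApp.exe.
WHATSAPP_RE = re.compile(r"\\WhatsApp[^\\]*\\.*\.db$", re.IGNORECASE)
WHATSAPP_OWNER = "whatsapp.exe"


@dataclass
class Alert:
    process: str   # image name of the reading process, lower-cased
    path: str      # object that was read
    store: str     # "chromium" or "whatsapp"


def classify(path):
    """Return (store_type, expected_owner) for a watched file, else None."""
    leaf = path.split("\\")[-1]
    for root, owner in CHROMIUM_ROOTS.items():
        if root.lower() in path.lower() and leaf in CHROMIUM_SENSITIVE:
            return ("chromium", owner)
    if WHATSAPP_RE.search(path):
        return ("whatsapp", WHATSAPP_OWNER)
    return None


def triage(events):
    """One Alert per read of a watched file by a process other than its owner."""
    alerts = []
    for ev in events:
        hit = classify(ev["object_name"])
        if hit is None:
            continue
        store, owner = hit
        proc = ev["process_name"].split("\\")[-1].lower()
        if proc != owner:
            alerts.append(Alert(proc, ev["object_name"], store))
    return alerts


def multi_store_actors(alerts, minimum=2):
    """Processes that read at least `minimum` distinct store types.

    A single unexpected read may be a backup agent; one process pulling both
    browser credentials and messaging databases is the infostealer pattern.
    """
    seen = {}
    for a in alerts:
        seen.setdefault(a.process, set()).add(a.store)
    return {p: s for p, s in seen.items() if len(s) >= minimum}


# Constructed sample records, loosely shaped like event 4663 fields.
SAMPLE_EVENTS = [
    {"process_name": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process_name": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process_name": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"process_name": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Packages\WhatsApp_PLACEHOLDER\LocalState\msgstore.db"},
    {"process_name": r"C:\Program Files\WindowsApps\WhatsApp_PLACEHOLDER\WhatsApp.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Packages\WhatsApp_PLACEHOLDER\LocalState\msgstore.db"},
    {"process_name": r"C:\Windows\System32\notepad.exe",
     "object_name": r"C:\Users\alice\Documents\notes.txt"},
]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a.store:9s} {a.process} read {a.path}")
    print("multi-store actors:", multi_store_actors(found))
```

On the sample data the legitimate chrome.exe and WhatsApp.exe reads produce nothing, the three reads by update.exe each raise an alert, and the multi-store check singles out update.exe as the one process that touched both a browser credential store and a messaging database. In production the owner allowlist should be keyed on the signed image path rather than the bare file name, since a stealer can trivially name itself chrome.exe.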
Geopolitical Context
CERT-UA has been consistently active in disclosing cyber threats targeting Ukrainian and Eastern European organizations throughout 2025 and 2026, with attacks attributed to or consistent with Russian state-sponsored actors such as APT28 (Fancy Bear), Sandworm, and UAC-0010. The targeting of government and healthcare institutions aligns with established patterns of intelligence collection and infrastructure disruption associated with these groups.
However, it is important to note that CERT-UA’s April 2026 disclosure does not include an official attribution, and security researchers are urged to avoid premature conclusions pending further analysis.
Recommended Defensive Actions
Affected organizations — and all Eastern European government and healthcare institutions — should take the following steps immediately:
- Audit browser credential stores: Force password resets and revoke active sessions for all government and healthcare accounts. Deploy hardware MFA wherever possible.
- Restrict messaging apps: Consider prohibiting WhatsApp Desktop on government-issued machines, or implementing application whitelisting policies.
- Deploy advanced endpoint protection: Ensure all government and healthcare endpoints run up-to-date EDR solutions with behavioral detection capabilities.
- User awareness training: Immediately brief staff on spear-phishing risks, particularly around attachments from seemingly official sources.
- Review CERT-UA IoCs: Obtain and integrate the latest indicators of compromise published by CERT-UA into your SIEM and threat intelligence platforms.
CERT-UA continues to investigate the full scope of this campaign. Organizations that believe they may have been targeted are encouraged to contact CERT-UA directly and to preserve forensic evidence for analysis.