Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actor

RAVENSHELL

RAVENSHELL is a reverse-shell malware/stager observed by CERT-UA in a 2026 campaign tracked as UAC-0247 targeting Ukrainian local governments, municipal healthcare institutions, representatives of the Defense Forces of Ukraine, and FPV drone operators. In the documented intrusion chains, it is used during the initial access or staging phase as a TCP reverse shell analogue. RAVENSHELL establishes a TCP connection to a management or command-and-control server, encrypts traffic with a 9-byte XOR key, and executes commands on the compromised Windows host via cmd.exe/CMD. CERT-UA reporting also notes that on first connection it sends an XOR-encrypted "Connected!" message. The broader campaign used phishing themed around humanitarian aid, malicious archives containing LNK files, HTA-based execution via mshta.exe, scheduled tasks, DLL side-loading, and multi-stage loaders, with related malware and tooling including AGINGFLY and SILENTLOOP. High-confidence behavior directly attributed to RAVENSHELL in the provided content is limited to its role as a TCP reverse shell stager, XOR-encrypted TCP communications, and remote command execution through CMD.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
UAC-0247

The initial access stage uses either a TCP reverse shell or RAVENSHELL, which establishes an encrypted TCP connection using a 9-byte XOR key and communicates with the management server through CMD.

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059Command and Scripting InterpreterEvidence2
TacticExecution

... забезпечує виконання команд ... а також виконання команд за допомогою CMD.

T1059.003Windows Command ShellEvidence5
TacticExecution

The initial access stage uses either a TCP reverse shell or RAVENSHELL, which establishes an encrypted TCP connection using a 9-byte XOR key and communicates with the management server through CMD.

Command and Control

4 techniques
T1071.001Web ProtocolsEvidence1
TacticCommand and Control

A TCP connection encrypted using the XOR cipher is established to the C2 server

T1095Non-Application Layer ProtocolEvidence2
TacticCommand and Control

The initial access stage uses either a TCP reverse shell or RAVENSHELL, which establishes an encrypted TCP connection using a 9-byte XOR key

T1105Ingress Tool TransferEvidence2
TacticCommand and Control

... HTA-файл ... забезпечує ... завантаження і запуск EXE-файлу ... На етапі подальшого закріплення в системі ... на комп’ютер довантажується програмний засіб AGINGFLY.

T1573Encrypted ChannelEvidence1
TacticCommand and Control

... RAVENSHELL ... шифрування трафіку з використанням 9-байтового XOR ... Комунікація із сервером управління ... додатково шифрується за алгоритмом AES-CBC зі статичним ключем.

INDICATORS OF COMPROMISE

IOCs tracked for this family

19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
17 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app15 days ago
hash.sha256●●●●●●●●●●●●View more in app15 days ago
hash.md5●●●●●●●●●●●●View more in app2 months ago
hash.md5●●●●●●●●●●●●View more in app2 months ago
hash.md5●●●●●●●●●●●●View more in app2 months ago
hash.md5●●●●●●●●●●●●View more in app2 months ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
cyber security newsNews
Apr 16, 2026
New UAC-0247 Campaign Steals Browser and WhatsApp Data From Hospitals and Governments

Initial access/backdoor tool that establishes an encrypted TCP connection using a 9-byte XOR key and communicates with the management server through CMD.

Read more
security affairsNews
Apr 16, 2026
From clinics to government: UAC-0247 expands cyber campaign across Ukraine

A TCP reverse shell used as a stager that connects back to a command server, encrypts traffic with XOR, and executes CMD commands on the victim host.

Read more
the hacker newsNews
Apr 16, 2026
UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign

A stager/backdoor that opens a TCP reverse shell to a management server and executes received commands via cmd.exe.

Read more
bleeping computerNews
Apr 15, 2026
New AgingFly malware used in attacks on Ukraine govt, hospitals

A reverse-shell style malware or tool used as a stager to establish a TCP connection with the management server during the intrusion chain.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching19

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.