AgingFly malware hits local authorities and hospitals in Ukraine

Vlad CONSTANTINESCU

April 16, 2026

CERT-UA links a new credential-stealing campaign to phishing, browser theft and modular remote access.

Phishing lure initial vector

Ukraine’s national cyber response team (CERT-UA) has uncovered a new malware family, dubbed AgingFly, in attacks on local government bodies and hospitals. Forensic evidence suggests some Defense Forces representatives may also have been targeted. CERT-UA tracks the activity under the UAC-0247 cluster.

According to the incident report, the campaign begins with emails disguised as offers of humanitarian aid. Recipients are then pushed toward a malicious archive delivered through either a compromised legitimate site abused via XSS or an AI-generated fake page designed to look credible.

Shortcuts, scripts and a staged payload

Once opened, the archive drops an LNK shortcut that abuses Windows’ HTA handler to fetch additional code remotely. A decoy form appears on screen while the infection chain establishes persistence through a scheduled task and launches an EXE payload that injects shellcode into a legitimate process.

CERT-UA says the operation then moves through a multi-stage loader, using encrypted communications and remote command execution. A PowerShell component known as SILENTLOOP helps run commands, update configuration data and pull command-and-control details from a Telegram channel or fallback mechanisms.

Browser and WhatsApp data in focus

The attackers appear especially interested in harvesting user data. Investigators say the cluster used ChromElevator to decrypt and extract cookies and saved passwords from Chromium-based browsers, while ZAPiDESK was leveraged to access sensitive information stored by WhatsApp for Windows.

The investigations also found signs of reconnaissance and lateral movement, including the use of RustScan, Ligolo-ng and Chisel. That combination suggests the operators are not just stealing credentials but also preparing for deeper access across compromised environments.

What makes AgingFly stand out

CERT-UA says AgingFly is a C# backdoor capable of command execution, file theft, screenshots, keylogging and arbitrary code execution. What makes it unusual is that it does not carry all of its command handlers inside the initial implant. Instead, it retrieves source code from its server and compiles those capabilities directly on the infected machine.

That design keeps the initial payload lean and flexible, while increasing operational complexity. CERT-UA’s immediate advice is to restrict the launch of LNK, HTA and JS files to disrupt the infection chain before AgingFly can fully deploy.
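As an added example that is not part of CERT-UA's report or this article, the following Python sketch turns the infection chain described above (LNK launching the HTA handler, scheduled-task persistence, script hosts) and CERT-UA's LNK/HTA/JS advice into three detection rules run over constructed process-creation records. The pipe-separated record format, rule names, sample paths and URLs are all assumptions, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation records (parent image | image | command line)
# in the rough shape of a Sysmon Event ID 1 or EDR export. Illustrative only; no real IoCs.
SAMPLE_EVENTS = [
    "explorer.exe|mshta.exe|mshta.exe https://example.invalid/stage/form.hta",
    "mshta.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\svc.exe",
    "explorer.exe|wscript.exe|wscript.exe C:\\Users\\u\\Downloads\\aid_form.js",
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\u\\notes.txt",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Assumption: a double-clicked LNK spawns its child process under explorer.exe.
LNK_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


@dataclass
class Finding:
    rule: str
    event: str


def analyze(events):
    """Return one Finding per rule match; an event may trigger several rules."""
    findings = []
    for line in events:
        parent, image, cmdline = (f.strip().lower() for f in line.split("|", 2))
        # Rule 1: the HTA handler pulling content from a remote URL, as the LNK stage would.
        if image == "mshta.exe" and REMOTE_URL.search(cmdline):
            findings.append(Finding("mshta_remote_url", line))
        # Rule 2: scheduled-task persistence created by a script/HTA host rather than an admin.
        if image == "schtasks.exe" and "/create" in cmdline and parent in SCRIPT_HOSTS:
            findings.append(Finding("schtasks_from_script_host", line))
        # Rule 3: a .js file run by Windows Script Host straight from the shell (user-launched).
        if image in {"wscript.exe", "cscript.exe"} and ".js" in cmdline and parent in LNK_PARENTS:
            findings.append(Finding("wsh_js_from_explorer", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event}")
```

The three rules map to the points where CERT-UA's advice to block LNK, HTA and JS execution would break the chain; benign records such as the notepad and svchost lines produce no findings.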

The importance of dedicated security software

Bitdefender Ultimate Security can help reduce the risk from threats like AgingFly by combining malware detection with anti-phishing and scam protection, potentially stopping users before they interact with the malicious links or files that launch the attack.

In campaigns centered on stolen credentials and compromised sessions, that layered approach is crucial because it can help block payloads, flag deceptive content and limit exposure if attackers go after browser-stored data.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.