New AgingFly Malware Used in Attacks on Ukraine Govt, Hospitals

BleepingComputer
Apr 15, 2026

Why It Matters

AgingFly demonstrates a sophisticated blend of social engineering, dynamic code compilation, and open‑source tool abuse, raising the threat level for public‑sector entities and highlighting gaps in email and web security controls.

Key Takeaways

  • AgingFly targets Ukrainian government, hospitals, possibly Defense Forces
  • Malware steals Chromium browser credentials and WhatsApp data via open-source tools
  • Attack uses LNK/HTA files, AI‑generated fake sites, dynamic code compilation
  • C2 communication via WebSockets encrypted with AES‑CBC static key
  • CERT‑UA recommends blocking LNK, HTA, and JS files to disrupt attacks

Pulse Analysis

The emergence of the AgingFly malware family underscores the evolving sophistication of cyber‑espionage campaigns targeting critical public‑sector infrastructure in Ukraine. First identified by CERT‑UA in May, the strain has been deployed against local government offices, hospitals and, according to forensic clues, members of the Ukrainian Defense Forces. Attackers disguise malicious links as humanitarian aid offers, leveraging compromised legitimate sites or AI‑generated phishing pages to deliver malicious LNK shortcuts. This blend of social engineering and supply‑chain abuse reflects a broader trend where threat actors exploit trust in crisis‑driven communications to gain footholds in high‑value networks.

Technically, AgingFly distinguishes itself by using a C# core that compiles command handlers on the victim host from source code fetched over a WebSocket channel encrypted with AES‑CBC and a static key. The initial payload is minimal, delivered through an HTA file that creates a scheduled task and launches a secondary EXE loader. Once active, the malware harvests authentication data from Chromium‑based browsers with the open‑source ChromElevator tool and extracts WhatsApp databases via ZAPiDESK. It also employs public utilities such as RustScan, Ligolo‑ng and Chisel for lateral movement, illustrating a hybrid approach that mixes custom code with off‑the‑shelf reconnaissance tools.

Defending against AgingFly requires a layered strategy. CERT‑UA’s immediate recommendation—to block the execution of LNK, HTA and JavaScript files—cuts the most common entry vector. Organizations should also enforce strict web‑filtering, monitor anomalous WebSocket traffic, and apply application‑allowlisting for legitimate utilities. The campaign highlights the need for continuous threat‑intel sharing, especially among sectors handling sensitive citizen data. As adversaries adopt dynamic compilation and open‑source exploitation kits, security teams must prioritize behavioral detection and rapid patching of web‑application vulnerabilities to mitigate future incursions.
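As an added example of the behavioral detection the analysis calls for (not code from BleepingComputer or CERT-UA), the script below walks constructed process-creation events and flags the delivery chain described above: a script host launching an HTA or JavaScript file, and a scheduled task created by a process descended from such a host. The JSON-lines event shape, field names, paths and PIDs are assumptions; the logic keys on behaviour, not on any hash or C2 address, because the article supplies neither.

```python
"""Behavioural detector for the AgingFly delivery chain described above.

Added example, not code from BleepingComputer or CERT-UA. Events are in a
Sysmon-like JSON-lines shape; the field names (pid, ppid, image, cmdline)
are an assumption, as are all sample values.
"""
import json
from typing import Dict, List

# Windows script hosts that run HTA / JS / VBS content.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".hta", ".js", ".jse", ".vbs")

# Constructed sample log (JSON lines). Paths, task names and PIDs are invented.
# pid 300 is the article's HTA -> scheduled task -> EXE loader sequence;
# pid 400 is a benign task created from an interactive cmd.exe session.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe",          "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",   "cmdline": "mshta.exe C:\\Users\\u\\Downloads\\aid_form.hta"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\upd.exe"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",     "cmdline": "cmd.exe"}
{"pid": 400, "ppid": 500, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn Backup /tr C:\\Program Files\\Backup\\run.exe"}
{"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\u\\Downloads\\invoice.js"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 4) -> List[Dict]:
    """Return parent, grandparent, ... up to max_depth, stopping at unknown PIDs."""
    chain, current = [], event
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def detect(events: List[Dict], max_depth: int = 4) -> List[Dict]:
    """Flag script-host launches of script files and schtasks /create calls
    whose ancestry (within max_depth) contains a script host."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        cmd = e["cmdline"].lower()

        # Rule 1: mshta/wscript/cscript handed an HTA/JS/VBS file on the command line.
        if image in SCRIPT_HOSTS and any(ext in cmd for ext in SCRIPT_EXTENSIONS):
            findings.append({"rule": "script_host_launch", "pid": e["pid"], "image": image})

        # Rule 2: scheduled-task creation descended from a script host.
        # A task created from cmd.exe or an admin tool has no such ancestor and is not flagged.
        if image == "schtasks.exe" and "/create" in cmd:
            hosts = [basename(a["image"]) for a in ancestry(e, by_pid, max_depth)
                     if basename(a["image"]) in SCRIPT_HOSTS]
            if hosts:
                findings.append({"rule": "schtasks_from_script_host", "pid": e["pid"], "via": hosts[0]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the sample, the detector reports the mshta.exe launch (pid 200), the scheduled task it created (pid 300, via mshta.exe) and the wscript.exe launch (pid 600), while the task created from cmd.exe (pid 400) is left alone. Feeding it real telemetry only requires mapping the EDR's field names onto pid, ppid, image and cmdline.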
