Ukraine's CERT team (CERT-UA) has identified a new C# malware family called AgingFly, attributed to threat cluster UAC-0247 and targeting local governments, hospitals, and the Defense Forces. Attacks begin with phishing emails posing as humanitarian aid offers and lead victims through a multi-stage chain of LNK files, HTA handlers, shellcode injection, and a two-stage loader. AgingFly communicates over WebSockets with AES-CBC encryption and, notably, ships with no built-in command handlers: it compiles them at runtime from source code received from the C2 server, which keeps the payload small and sidesteps static detection of handler code. The attackers also use open-source tools such as ChromElevator to steal browser credentials, ZAPiDESK to extract WhatsApp data, and RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA recommends blocking LNK, HTA, and JS file execution to disrupt the attack chain.
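Added example, not code from CERT-UA's advisory or from the malware: a small Python detector that applies three heuristics to Sysmon-style process-creation events. Two cover the LNK/HTA/JS stage CERT-UA recommends blocking (a script host spawned by explorer.exe, or invoked with a script file argument); the third, an assumption rather than something the advisory states, flags the C# command-line compiler being spawned by an unusual parent, which is how .NET CodeDOM-based runtime compilation surfaces in process telemetry. The event lines are constructed.

```python
"""Heuristics for the LNK -> HTA/JS stage and for runtime C# compilation,
applied to newline-delimited JSON process-creation events (Sysmon Event ID 1
style fields). Sample events below are constructed, not real telemetry."""
import json
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".hta", ".js", ".jse", ".vbs", ".wsf"}
# Parents that legitimately invoke csc.exe (assumed allow-list for this demo).
COMPILER_PARENTS_OK = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(ev: dict) -> list:
    """Return the names of every rule this event triggers (possibly none)."""
    img, parent = _name(ev["Image"]), _name(ev.get("ParentImage", ""))
    tokens = [t.strip("\"'") for t in ev.get("CommandLine", "").split()]
    hits = []
    if img in SCRIPT_HOSTS and parent == "explorer.exe":
        hits.append("script_host_from_explorer")  # user opened an LNK/HTA/JS
    if img in SCRIPT_HOSTS and any(
        PureWindowsPath(t).suffix.lower() in SCRIPT_EXTS for t in tokens
    ):
        hits.append("script_host_with_script_arg")
    if img == "csc.exe" and parent not in COMPILER_PARENTS_OK:
        # Heuristic (assumption): CodeDOM compilation spawns csc.exe from the
        # calling process, so an odd parent is worth a look.
        hits.append("unexpected_csharp_compiler")
    return hits


def scan(ndjson: str) -> dict:
    """Map ProcessId -> triggered rules for every event that triggers one."""
    findings = {}
    for line in filter(None, ndjson.splitlines()):
        ev = json.loads(line)
        if hits := classify(ev):
            findings[ev["ProcessId"]] = hits
    return findings


# Constructed sample: one LNK-launched HTA, one suspicious csc.exe, one benign.
SAMPLE = r"""
{"ProcessId":4120,"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"mshta.exe C:\\Users\\u\\Downloads\\humanitarian_aid.hta"}
{"ProcessId":5211,"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe","CommandLine":"csc.exe /noconfig /out:handler.dll"}
{"ProcessId":6001,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE).items():
        print(pid, rules)
```

The parent path of the csc.exe event is a placeholder; real telemetry would carry whatever process AgingFly runs in.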