AgingFly: the threat that arrives by email, is assembled in real time from the C2, and targets local governments and hospitals


Ukraine's incident response teams recently identified a new malware family that they have named AgingFly, deployed in campaigns directed against local authorities and health centres. According to the public CERT-UA report, the intrusions did not only seek institutional information: forensic evidence suggests that there were also attempts to target personnel associated with the Defence Forces.

The entry point is classic but effective: an email message that poses as a humanitarian aid offer and includes a link for "more information." This link can lead either to a legitimate site previously compromised through cross-site scripting (XSS) or to a fake page built with artificial intelligence tools. The aim is to induce the user to download a compressed file containing a shortcut (LNK) that, when opened, invokes the HTA handler built into Windows.
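The following is an added example of the kind of mail-gateway triage that would catch this lure: it parses a message, collects the anchor text and target of every link in the HTML body (a generic "more information" call to action is the pattern described above), and opens any ZIP attachment to look for the shortcut, HTA or script members that CERT-UA recommends blocking. It is not code from the article or from CERT-UA; the sample message, the `example.invalid` addresses and the `aid_details.lnk` member are constructed here for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath

# File types CERT-UA recommends blocking to break this attack chain.
BLOCKED_EXTENSIONS = {".lnk", ".hta", ".js"}


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(msg):
    """Return every (text, href) link in the preferred HTML body, if any."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    return parser.links


def risky_archive_members(msg):
    """Return (attachment name, member name) for ZIP members with blocked extensions."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or data[:2] != b"PK":  # only ZIP containers are inspected here
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if PurePosixPath(name).suffix.lower() in BLOCKED_EXTENSIONS:
                    hits.append((part.get_filename(), name))
    return hits


def triage(raw):
    """Parse a raw RFC 5322 message and report lure links and risky archive members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = extract_links(msg)
    # Lure pattern from the report: a generic "more information" call to action.
    lure_links = [href for text, href in links if "more information" in text.lower()]
    return {"links": links, "lure_links": lure_links,
            "risky_members": risky_archive_members(msg)}


def build_sample():
    """Constructed lure mirroring the described chain; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "aid@example.invalid"          # constructed sender
    msg["To"] = "clerk@city.example"             # constructed recipient
    msg["Subject"] = "Humanitarian aid offer"
    msg.set_content("See attachment.")
    msg.add_alternative('<p>We offer aid. <a href="https://example.invalid/info">'
                        'more information</a></p>', subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("aid_details.lnk", b"placeholder")  # stands in for the LNK
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="aid.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

In production the same two checks (link text versus destination, and archive contents) would sit in the gateway's sandboxing pipeline; nested archives and password-protected ZIPs are deliberately out of scope for this example and should be quarantined rather than passed through.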


The HTA file is downloaded and run from a remote resource, displays a decoy form to avoid raising suspicion, and creates a scheduled task whose purpose is to retrieve and launch an executable. This EXE injects shellcode into a legitimate process and hands over to a two-stage loader: the second stage uses a custom executable format, and the final payload arrives compressed and encrypted.

To establish communication with their operators, the attackers have used "staging" techniques: TCP-based reverse-shell stagers (CERT-UA mentions RAVENSHELL equivalents) and an XOR-encrypted channel to a command and control (C2) server used to run commands through the Windows command interpreter. In addition, the operators use a PowerShell script called SILENTLOOP that controls the execution of orders, updates configurations, and obtains the C2 address from a Telegram channel or through fallback mechanisms.

The final payload, AgingFly, is written in C# and provides remote control, command execution, file exfiltration, screen capture, keylogging and the ability to run arbitrary code. A notable particularity is that the malware does not store its command handlers internally: instead of embedding them, it retrieves them as source code from the C2 server and compiles them on the victim machine at runtime. As CERT-UA notes, this strategy reduces the size of the initial payload and lets the attackers modify or extend functionality on demand, at the cost of depending on connectivity to the C2 and increasing the runtime footprint on the host.
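As an added example (not from the article or CERT-UA), here is a small rule set run over constructed process-creation events, modelled loosely on Sysmon event 1 fields, that flags the stages described so far: the remote HTA launch, a scheduled task created by the HTA handler, and the runtime compilation of command handlers. The compilation rule assumes the compilation step goes through `csc.exe` (as .NET CodeDom compilation does); an in-process compiler would need a different signal, such as EDR telemetry on dynamic assembly loading. The rule names, the `DEV_PARENTS` allow-list and all sample events are assumptions constructed for this demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon event 1)."""
    pid: int
    image: str
    parent_image: str
    cmdline: str


# Parents for which spawning csc.exe is expected (constructed allow-list).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Dual-use tool names mentioned in the article, matched as substrings of the image name.
DUAL_USE_TOOLS = {"rustscan", "ligolo"}


def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


RULES = [
    # Stage 1: the HTA handler pulling its content from a remote URL.
    ("hta_remote_launch",
     lambda e: _base(e.image) == "mshta.exe"
               and re.search(r"https?://", e.cmdline, re.I) is not None),
    # Stage 2: persistence created directly by the HTA handler.
    ("persistence_from_hta",
     lambda e: _base(e.image) == "schtasks.exe"
               and "/create" in e.cmdline.lower()
               and _base(e.parent_image) == "mshta.exe"),
    # Stage 3: a C# compiler launched by something that is not a build tool.
    ("runtime_compilation",
     lambda e: _base(e.image) == "csc.exe"
               and _base(e.parent_image) not in DEV_PARENTS),
    # Later phases: public scanning and tunnelling tools on a non-admin host.
    ("dual_use_tool",
     lambda e: any(t in _base(e.image) for t in DUAL_USE_TOOLS)),
]


def evaluate(events):
    """Return (rule name, pid) for every event matching a rule."""
    findings = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append((name, e.pid))
    return findings


def chain_score(findings):
    """Number of distinct stages observed; several together is the strong signal."""
    return len({name for name, _ in findings})


# Constructed telemetry following the article's sequence; paths are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta.exe https://example.invalid/form.hta"),
    ProcEvent(1002, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\mshta.exe",
              r"schtasks /create /tn Updater /tr C:\Users\u\AppData\Local\u.exe /sc minute"),
    ProcEvent(1003, r"C:\Users\u\AppData\Local\u.exe", r"C:\Windows\System32\svchost.exe",
              "u.exe"),
    ProcEvent(1004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Users\u\AppData\Local\u.exe",
              r"csc.exe /noconfig /out:C:\Users\u\AppData\Local\Temp\h.dll handler.cs"),
    ProcEvent(1005, r"C:\Users\u\Downloads\rustscan.exe", r"C:\Windows\System32\cmd.exe",
              "rustscan.exe -a 10.0.0.0/24"),
    ProcEvent(1006, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              "csc.exe /out:app.exe Program.cs"),  # benign build, no finding
    ProcEvent(1007, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              "notepad.exe"),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    print(hits, "stages:", chain_score(hits))
```

Shellcode injection into a legitimate process does not show up in process-creation events at all, which is why the article's recommendation of an EDR that watches injection and dynamic compilation complements, rather than replaces, rules like these.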

In several of the analysed intrusions, the operators also stole credentials and browsing data. They took advantage of open-source forensic tools that can extract and decrypt information stored by Chromium-based browsers, such as cookies and saved passwords, without administrative privileges. Similarly, they tried to recover data from the WhatsApp application for Windows through utilities that decrypt its local databases.

The actor behind these operations was not limited to credential theft: it carried out reconnaissance and lateral movement within the compromised networks. For these phases it used tools well known in the community, including port scanners and tunnelling solutions that provide access and forward traffic to servers outside the target network. Public repositories such as RustScan, ligolo-ng and gossip are examples of projects that, although legitimate, can be used for these purposes in the hands of malicious actors.

CERT-UA has attributed these campaigns to a threat cluster it tracks as UAC-0247 and has published technical indicators and mitigation guidance. This includes an explicit recommendation to block the execution of LNK, HTA and JS files as a measure to break the attack chain used by these operators.


Beyond blocking file types, there are practical measures that reduce risk: enable multi-factor authentication on all accounts, rotate exposed passwords, limit local privileges, review and restrict scheduled tasks, monitor unusual outbound connections, and use EDR solutions that detect process injection or dynamic compilation. Organizations should also strengthen email hygiene with link filtering and sandboxing, and maintain awareness programmes so that staff can recognise warning signs such as unsolicited aid offers or unexpected compressed files.

For further reading, the CERT-UA technical advisory details the indicators and tactics: CERT-UA: AgingFly report. For mitigation guidance and rules applicable in Windows environments, Microsoft's documentation on attack surface reduction and ASR rules, which can block the execution of dangerous file types, is worth reviewing: Microsoft Defender - Attack Surface Reduction. And for best practices against phishing, the CISA agency maintains practical recommendations and training resources: CISA - Safety Tips and alerts.

The AgingFly case reminds us of two important lessons: first, that many intrusion chains begin with very simple social engineering techniques; second, that legitimate open-source developments and administration tools can be repurposed by attackers for espionage or sabotage. In this context, the combination of technical controls, continuous visibility and staff training remains the most effective defence for organizations with sensitive profiles such as local governments and hospitals.
