AgingFly
AgingFly is a C# malware family and core remote access tool used in an espionage campaign attributed by CERT-UA to threat cluster UAC-0247. The campaign targeted Ukrainian local governments, municipal authorities, hospitals, healthcare providers, emergency medical services, and in some reported cases representatives of Ukraine’s Defense Forces and FPV drone operators. Initial access was delivered through phishing emails themed as humanitarian aid offers or via trojanized software archives distributed over Signal, with delivery chains involving malicious archives, LNK files, HTA execution, scheduled tasks, shellcode injection, and DLL side-loading.
AgingFly provides remote control of infected Windows systems. Reported capabilities include command execution, file download, screenshot capture, keystroke logging, in-memory execution of arbitrary code or additional payloads, and, together with related tooling, theft of data from Chromium-based browsers and WhatsApp for Windows. CERT-UA reported that AgingFly communicates with its command-and-control server over WebSockets, with traffic encrypted using AES-CBC and a static key; because the key is static, captured traffic can be decrypted offline once the key has been recovered from any one sample. One secondary write-up instead describes a XOR-encrypted TCP channel used to run commands through the Windows Command Prompt, so transport and cipher details should be verified against the sample in hand. A notable characteristic is that it does not embed command handlers locally; instead, it retrieves handler source code from the C2 server and compiles it at runtime on the victim host, so static analysis of the implant alone does not reveal its full functionality.
The malware was observed alongside SILENTLOOP, a PowerShell persistence component that can execute commands, update configuration, and retrieve C2 server information from Telegram with fallback mechanisms, as well as ChromeElevator/ChromElevator for browser credential theft and ZapixDesk/ZAPiXDESK for WhatsApp data theft. In the broader intrusion set, operators also used RustScan for reconnaissance, Ligolo-NG and Chisel for tunneling, and in at least one case XMRig for cryptocurrency mining on compromised systems.
Groups observed using it
1 distinct threat actor (UAC-0247) attributed by public researchers.
Hackers have targeted Ukrainian hospitals and local government bodies in a new espionage campaign using a malware tool dubbed AgingFly, researchers say.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Malicious emails masquerading as offers of humanitarian assistance are sent by UAC-0247 to lure recipients into clicking an embedded link that leads either to a compromised website or to an AI-generated site, from which an archive containing an LNK file is downloaded, according to CERT-UA.
Execution
7 techniques
For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.
Running the LNK triggers an HTA file that shows a decoy form while establishing a scheduled task that executes a shellcode-injecting EXE payload.
A distinguishing feature of AGINGFLY compared to similar malware is the absence of built-in command handlers in its code. Instead, they are retrieved from the C2 server as source code and dynamically compiled at runtime.
A TCP connection encrypted using the XOR cipher is established to the C2 server for executing commands via the Command Prompt in Windows.
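The execution chain above (LNK, HTA decoy, scheduled task, EXE, handlers compiled at runtime) leaves a recognisable process tree. The following is an added example, not code from the original page or from CERT-UA: a small triage routine run over constructed process-creation events. It assumes, which the page does not state, that the HTA is launched by mshta.exe, that persistence is registered with schtasks.exe, and that the runtime compilation uses the .NET CodeDOM provider, which spawns csc.exe with a %TEMP%\<random>.cmdline response file; a Roslyn in-memory compiler would not spawn csc.exe and needs a different signal such as ETW assembly-load events. The event records are constructed, in a Sysmon-like shape that Sysmon Event ID 1 or Security 4688 exports can be mapped onto.

```python
"""Process-tree triage for an LNK -> HTA -> scheduled task -> EXE -> csc.exe chain.

Added example; the events below are constructed, not real telemetry.
Assumptions: mshta.exe runs the HTA, schtasks.exe creates the task, and the
implant compiles C# via CodeDOM (csc.exe with a %TEMP%\\*.cmdline file).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (hypothetical paths and names).
EVENTS: List[Proc] = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK from the extracted archive launches the HTA decoy form
    Proc(200, 100, r"C:\Windows\System32\mshta.exe",
         r'mshta.exe "C:\Users\u\Downloads\aid\form.hta"'),
    # the HTA registers persistence for the dropped EXE
    Proc(300, 200, r"C:\Windows\System32\schtasks.exe",
         r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "C:\Users\u\AppData\Roaming\u.exe"'),
    # the implant later compiles a handler received from C2
    Proc(400, 1, r"C:\Users\u\AppData\Roaming\u.exe", "u.exe"),
    Proc(500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\abc123.cmdline"'),
    # benign build: csc.exe under MSBuild with a project response file
    Proc(600, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
         "MSBuild.exe proj.csproj"),
    Proc(700, 600, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r"csc.exe /noconfig @obj\Debug\proj.rsp"),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
HTA_IN_USER_DIR = re.compile(r"\\users\\[^\"]+\.hta\b", re.I)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(p: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk parent links upward; the seen-set guards against pid-reuse cycles."""
    out, seen, cur = [], set(), by_pid.get(p.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        out.append(cur)
        cur = by_pid.get(cur.ppid)
    return out


def hta_from_user_dir(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """mshta.exe executing an .hta that lives under a user profile (downloads, temp)."""
    return basename(p.image) == "mshta.exe" and HTA_IN_USER_DIR.search(p.cmdline) is not None


def schtasks_from_script_host(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """schtasks /create with a script host (mshta, wscript, ...) anywhere in the ancestry."""
    if basename(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
        return False
    return any(basename(a.image) in SCRIPT_HOSTS for a in ancestry(p, by_pid))


def runtime_csharp_compile(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """csc.exe driven by a %TEMP% .cmdline response file from a non-developer parent."""
    if basename(p.image) != "csc.exe":
        return False
    cl = p.cmdline.lower()
    if "\\temp\\" not in cl or ".cmdline" not in cl:
        return False
    parent = by_pid.get(p.ppid)
    return parent is None or basename(parent.image) not in DEV_PARENTS


RULES = [
    ("hta_from_user_dir", hta_from_user_dir),
    ("schtasks_from_script_host", schtasks_from_script_host),
    ("runtime_csharp_compile", runtime_csharp_compile),
]


def triage(events: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, name) for e in events for name, rule in RULES if rule(e, by_pid)]


if __name__ == "__main__":
    for pid, name in triage(EVENTS):
        print(pid, name)
```

Each rule is cheap on its own and noisy in isolation (developers do run csc.exe); the value is that the three fire in one parent chain within minutes, so correlate on host and ancestry rather than alerting on any single hit.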
Persistence
2 techniques
For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.
Privilege Escalation
3 techniques
For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.
Running the LNK triggers an HTA file that shows a decoy form while establishing a scheduled task that executes a shellcode-injecting EXE payload.
Stealth
4 techniques
Unlike typical malware, it does not store command functions locally; instead, it downloads them from the server and compiles them on the fly, making it more flexible and harder to detect.
Downloads and runs an EXE payload that injects shellcode into a legitimate process.
... the loading of which ... using the DLL side-loading mechanism ...
It provides the attacker with a full set of remote control capabilities, including command execution, file downloading, screenshot capture, keylogger activation, and in-memory code execution.
Credential Access
2 techniques
It provides the attacker with a full set of remote control capabilities, including command execution, file downloading, screenshot capture, keylogger activation
Threat actors then proceed to launch a two-stage loader, eventually resulting in the deployment of the C#-based AgingFly malware, which is used alongside open-source security tools to steal Chromium browser-stored data and WhatsApp for Windows information.
Collection
4 techniques
The hackers attempted to steal sensitive data and, in some cases, exploit compromised systems to mine cryptocurrency, CERT-UA said.
It provides the attacker with a full set of remote control capabilities, including command execution, file downloading, screenshot capture, keylogger activation
CERT-UA said AgingFly allows attackers to remotely control an infected computer, enabling them to execute commands, download files, capture screenshots...
Distribution of malicious ZIP archives via Signal.
Command and Control
4 techniques
It communicates with its C2 server via WebSockets and encrypts the traffic using AES-CBC with a static key.
A TCP connection encrypted using the XOR cipher is established to the C2 server
A distinguishing feature of AGINGFLY compared to similar malware is the absence of built-in command handlers in its code. Instead, they are retrieved from the C2 server as source code and dynamically compiled at runtime.
The core remote access tool used across this campaign is AGINGFLY, written in the C# programming language. It provides the attacker with a full set of remote control capabilities
Communication with the C2 server runs through web sockets, and all traffic is encrypted using the AES-CBC algorithm with a static key.
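A static AES-CBC key means that once the key is pulled out of one sample, every captured frame from every victim can be decrypted offline, and because handlers travel as C# source, the decrypted task bodies are themselves a signal. The following is an added example, not the malware's or CERT-UA's code. It assumes, which the page does not state, that the key is 32 bytes and hard-coded in the sample, that each frame is IV || ciphertext with PKCS#7 padding, and that `frame` is the WebSocket message payload after demasking. STATIC_KEY and SAMPLE_FRAME are constructed placeholders; in practice the key comes from the sample and the frames from a packet capture. It requires the `cryptography` package.

```python
"""Offline decryptor for C2 frames under AES-CBC with a static key, plus a
check for C# handler source inside the decrypted payload.

Added example. Assumptions: 32-byte static key, frame = IV || ciphertext,
PKCS#7 padding, frame is the demasked WebSocket payload. Key and sample
frame are constructed, not taken from any real sample or capture.
"""
import re
from typing import Optional

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed placeholder; a real analysis substitutes the key carved from the binary.
STATIC_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"
)


def encrypt_frame(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """Client side under the assumed framing; used here only to build sample data."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def decrypt_frame(key: bytes, frame: bytes) -> bytes:
    """IV is the first 16 bytes; the rest is whole AES blocks, PKCS#7-padded."""
    if len(frame) < 32 or len(frame) % 16:
        raise ValueError("frame is not IV plus whole AES blocks")
    iv, ct = frame[:16], frame[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def try_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """None when the frame is malformed or the padding check fails (wrong key)."""
    try:
        return decrypt_frame(key, frame)
    except ValueError:
        return None


# Markers that a task body is C# source (a handler to be compiled) rather than
# an ordinary command string or result blob.
CSHARP_MARKERS = re.compile(
    rb"\b(?:using\s+System\b|namespace\s+\w+|class\s+\w+|static\s+\w+\s+\w+\s*\()"
)


def looks_like_csharp_source(blob: bytes) -> bool:
    return len(CSHARP_MARKERS.findall(blob)) >= 2


# Constructed handler text and frame standing in for a captured task.
SAMPLE_HANDLER = (
    b"using System;\n"
    b"public class Handler { public static string Run(string a) { return a; } }\n"
)
SAMPLE_FRAME = encrypt_frame(STATIC_KEY, SAMPLE_HANDLER, bytes(range(16)))


if __name__ == "__main__":
    body = try_decrypt(STATIC_KEY, SAMPLE_FRAME)
    print(body.decode(), "csharp_handler=%s" % looks_like_csharp_source(body))
```

Run the decryptor over every WebSocket payload in a capture; frames that decrypt cleanly under the static key confirm the channel, and those whose plaintext trips `looks_like_csharp_source` are handler deliveries worth archiving, since each one is functionality the on-disk implant never contained.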
Impact
1 technique
The hackers attempted to steal sensitive data and, in some cases, exploit compromised systems to mine cryptocurrency, CERT-UA said.
IOCs tracked for this family
87 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
AgingFly is a malware tool used in an espionage campaign targeting Ukrainian hospitals, municipal authorities, and emergency medical services. It was used to steal sensitive data and, in some cases, to exploit compromised systems for cryptocurrency mining.
C#-based stealer malware used to exfiltrate Chromium browser-stored data and WhatsApp for Windows information. A notable feature is that it lacks built-in command handlers; instead, commands are retrieved from the C2 server as source code and dynamically compiled at runtime.
A C# remote access tool used in the campaign that provides command execution, file downloading, screenshot capture, keylogging, and in-memory code execution. Its command handlers are downloaded from the C2 server as source code and compiled on the infected host. It communicates over WebSockets with AES-CBC encryption using a static key.
A C# remote access malware used for persistence and remote control. It can run commands, download files, take screenshots, log keystrokes, execute code, and communicates with its control server over encrypted web sockets using AES-CBC. It dynamically downloads command functions from the server and compiles them on the fly.