UAC-0247 Hits Ukrainian Government and Hospitals With AgingFly Espionage Malware
CERT-UA reported that threat cluster UAC-0247 targeted Ukrainian local governments, municipal clinics, emergency hospitals, and in some cases Defense Forces personnel with a phishing campaign delivering the newly identified AGINGFLY malware. The attacks used humanitarian-aid themed emails, compromised or fake websites, malicious archives, and LNK files that triggered mshta.exe to launch HTA payloads, scheduled tasks, and shellcode injection into legitimate processes before deploying RAVENSHELL, SILENTLOOP, and the C# backdoor AGINGFLY. Separate lures sent through Signal masqueraded as FPV drone operator software updates and used DLL side-loading to install the same malware.
The intrusions were aimed at espionage and data theft, with AGINGFLY enabling remote command execution, file exfiltration, screenshots, keylogging, and arbitrary code execution, while dynamically compiling command handlers received from command-and-control servers. CERT-UA said the operators also stole credentials from Chromium-based browsers with CHROMELEVATOR, extracted WhatsApp data with ZAPIXDESK, and used tools including RUSTSCAN, LIGOLO-NG, and CHISEL for reconnaissance, tunneling, and lateral movement; at least one incident also involved XMRIG delivered through a modified WireGuard binary, indicating cryptomining alongside espionage. The agency urged defenders to restrict execution of LNK, HTA, and JS files and limit abuse of mshta.exe, powershell.exe, and wscript.exe.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Fake 'bachu.zip' Signal lure targets Ukraine Defense personnel in March
CERT-UA observed a March lure sent via Signal that masqueraded as an updated FPV operator tool or drone software and used DLL side-loading to deploy AGINGFLY. The activity indicated UAC-0247 also targeted representatives of the Defense Forces of Ukraine.
UAC-0247 targets Ukrainian entities in March-April 2026 campaign
CERT-UA said cyberattacks intensified during March and April 2026 against Ukrainian local self-government bodies and municipal healthcare institutions, including clinics and emergency hospitals. The activity was tracked as UAC-0247 and involved phishing lures themed around humanitarian aid to deliver malware and steal data.
CERT-UA discloses AgingFly campaign and attributes it to UAC-0247
On April 15, 2026, CERT-UA reported a new espionage campaign using the AGINGFLY malware against Ukrainian hospitals, municipal authorities, emergency medical services, and other government targets. The agency described the phishing-based intrusion chain, related tools such as SILENTLOOP, and associated credential theft, reconnaissance, lateral movement, and in one case cryptomining.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Ukrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware - DataBreaches.Net
databreaches.net
Open sourceAttacks with novel AgingFly malware hit Ukraine | brief | SC Media
scworld.com
Open sourceNew UAC-0247 Campaign Steals Browser and WhatsApp Data From Hospitals and Governments
cybersecuritynews.com
Open sourceFrom clinics to government: UAC-0247 expands cyber campaign across Ukraine
securityaffairs.com
Open sourceUAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign
thehackernews.com
Open sourceCERT-UA
cert.gov.ua
Open sourceNew AgingFly malware used in attacks on Ukraine govt, hospitals
bleepingcomputer.com
Open sourceUkrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
UAC-0184 Expands HTA Loader With Bitdefender and Plane9 Sideload Chains
Researchers reported that **UAC-0184**—also tracked as **UNC5435** and **MB-0007**—is using spearphishing **LNK** files with Ukraine- and Cyrillic-themed lures to launch a multi-stage malware chain against Ukrainian targets. The lures invoke **`bitsadmin`** and **`mshta`** to retrieve HTA payloads from disposable infrastructure hosted on **Cloudflare Pages**, **Netlify**, and novelty TLDs, then fetch **`dctrprraclus.zip`**. The HTA stager hides malicious logic behind decoy HTML padding and embedded VBScript, which starts PowerShell to decrypt an **AES-256-CBC** base64 blob using a co-located 32-byte ASCII key and a null IV, decompress the result with gzip, and reflectively load a .NET assembly; researchers said the actor's per-sample key rotation offers little protection because the key is shipped with the ciphertext. The intrusion set now includes two signed third-party sideloading paths for the same payload family. One chain abuses legitimate **Plane9** components, progressing through **`Cluster-Overlay64.exe`**, **`Plane9Engine.dll`**, **`openvr_api.dll`**, **`kernel-diag.lib`**, and a decoded **`evr.dll`** stage that extracts **`filter.bin`**, whose pseudo-PNG **IDAT** data is XOR-decoded and **LZNT1**-decompressed into a final bundle. A parallel path uses the signed **Bitdefender Endpoint Security** deployer **`bddeploy.exe`** to sideload a malicious **`deploy.dll`** via DLL search order hijacking. The final stages include signed utilities such as Microsoft-signed **`VSLauncher.exe`** and a PassMark-derived **`input.dll`** believed to provide covert networking and possible process-dump capability, while telemetry tied to **trojan.leopard/bitsuh** and multicast or TCP traffic on **port 31339** has emerged as a consistent hunting lead.
May 20, 2026
Russia-Aligned UAC-0184 Targets Ukrainian Military via Viber Phishing Campaign
The Russia-linked advanced persistent threat group UAC-0184, also known as Hive0156, has intensified its espionage operations against Ukrainian military and government entities by leveraging the Viber messaging platform as an initial attack vector. The group distributed malicious ZIP archives disguised as official documents, which contained Windows shortcut (LNK) files masquerading as Microsoft Word, Excel, and other document types. When opened, these LNK files executed a multi-stage infection chain, including the deployment of the Hijack Loader malware, which facilitated further compromise through techniques such as DLL side-loading, module stomping, and in-memory execution to evade detection. The phishing lures exploited sensitive themes, such as military personnel record changes and compensation issues, to increase the likelihood of successful compromise. The attack chain involved the use of PowerShell scripts to download additional payloads, with the malware designed to scan for and evade common security software. Persistence was established via scheduled tasks, and the campaign was observed to target high-value Ukrainian government bodies, including the Verkhovna Rada. Security researchers recommend strengthening security awareness, encryption, and access controls to mitigate the risk from such sophisticated phishing and malware delivery tactics. The campaign is expected to continue, with UAC-0184 evolving its methods and maintaining a focus on intelligence gathering against Ukrainian targets.
Mar 21, 2026
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
Apr 29, 2026