A new C# malware family called AgingFly has been used in Ukraine against local governments and hospitals to steal authentication data from Chromium-based browsers and the WhatsApp Windows client. CERT-UA attributes the campaign to UAC-0247 and describes a complex LNK→HTA→scheduled-task attack chain that stages payloads, uses open-source tools like ChromElevator and ZAPiDESK to exfiltrate credentials, and dynamically compiles command handlers received from a C2 server. #AgingFly #CERT-UA
Key points
- AgingFly is a C# remote-access malware that steals authentication data from Chromium-based browsers and the WhatsApp Windows client.
- CERT-UA attributes the Ukraine-focused campaign to the UAC-0247 cluster, targeting local governments, hospitals, and possibly Defense Forces personnel.
- Initial access is gained via phishing links to compromised or AI-generated sites that deliver an LNK file which triggers an HTA, scheduled tasks, and a staged EXE with shellcode injection.
- Operators use open-source tools such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and employ tunneling and scanning utilities for reconnaissance and lateral movement.
- AgingFly retrieves command source code from its C2 and compiles the handlers on the host, and it communicates over WebSockets with AES-CBC encryption; CERT-UA recommends blocking LNK, HTA, and JS files to disrupt the attack chain.
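As an added defender-side example (not code from the CERT-UA advisory), the following Python flags the LNK→HTA→scheduled-task sequence described above in process-creation telemetry: a `schtasks.exe /create` whose ancestry contains `mshta.exe` launched from `explorer.exe`, which is how a double-clicked LNK that opens an HTA typically appears. The event schema and the sample events are constructed assumptions, not indicators from the report.

```python
# Added example: detect the LNK -> HTA -> scheduled-task chain in process telemetry.
# Field names and sample events below are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable name
    cmdline: str


def chain_alerts(events: List[ProcEvent]) -> List[str]:
    """Return one alert per scheduled-task creation whose process ancestry
    contains mshta.exe that was itself spawned by explorer.exe."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[str] = []
    for e in events:
        if e.image != "schtasks.exe" or "/create" not in e.cmdline.lower():
            continue
        # Walk up the parent chain until we find mshta.exe or run out of ancestors.
        parent = by_pid.get(e.ppid)
        while parent is not None:
            if parent.image == "mshta.exe":
                grand = by_pid.get(parent.ppid)
                if grand is not None and grand.image == "explorer.exe":
                    alerts.append(
                        f"pid {e.pid}: schtasks /create under mshta.exe (pid {parent.pid}) "
                        f"launched from explorer.exe: {e.cmdline}"
                    )
                break
            parent = by_pid.get(parent.ppid)
    return alerts


# Constructed sample telemetry (not real IoCs): one suspicious chain, one benign
# scheduled-task creation started directly from Explorer without any HTA involved.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", 'mshta.exe "C:\\Users\\u\\Downloads\\invite.hta"'),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c start stage"),
    ProcEvent(400, 300, "schtasks.exe", 'schtasks.exe /Create /SC MINUTE /TN Updater /TR "C:\\Users\\u\\AppData\\stage.exe"'),
    ProcEvent(500, 100, "schtasks.exe", "schtasks.exe /Create /TN Backup /TR backup.exe /SC DAILY"),
]

if __name__ == "__main__":
    for alert in chain_alerts(SAMPLE_EVENTS):
        print(alert)
```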