AgingFly Malware Targets Ukrainian Hospitals and Government in Espionage Campaign
A new espionage campaign is targeting Ukrainian hospitals and local government bodies using a malware tool dubbed **AgingFly**. Researchers at Ukraine's computer emergency response team (**CERT-UA**) have attributed the attacks to the group UAC-0247, who are attempting to steal sensitive data and mine cryptocurrency.
Hackers have targeted Ukrainian hospitals and local government bodies in a new espionage campaign using a malware tool dubbed **AgingFly**, researchers say.
**CERT-UA** reported that the activity was carried out by a group tracked as UAC-0247, which launched multiple attacks over the past two months against municipal authorities, clinical hospitals, and emergency medical services.
The hackers attempted to steal sensitive data and, in some cases, exploit compromised systems to mine cryptocurrency, **CERT-UA** said.
### Phishing Attacks and Malicious Payloads
The attacks typically began with phishing emails posing as discussions about proposals for humanitarian aid. Victims were asked to follow a link that led to the download of a malicious archive file.
To make the messages more convincing, attackers sometimes created websites for fake organizations, potentially generated using artificial intelligence, or embedded malicious scripts in otherwise legitimate websites.
Once opened, the archive installed multiple pieces of malware, including **AgingFly**, **SilentLoop**, **ChromeElevator**, and **ZapixDesk**.
### AgingFly's Capabilities
**CERT-UA** said **AgingFly** allows attackers to remotely control an infected computer, enabling them to execute commands, download files, capture screenshots, record keystrokes, and run arbitrary code. Another tool, **SilentLoop**, can execute commands and retrieve the current address of the attackers' command-and-control server via a **Telegram** channel.
The attackers also attempted to extract authentication credentials and other sensitive information from internet browsers using **ChromeElevator**, or from **WhatsApp** accounts using a tool called **ZapixDesk**.
In one case, investigators detected the use of **XMRig**, a legitimate cryptocurrency mining tool, suggesting attackers may have used victims' computing resources to generate digital currency.
### Targeting Defense Forces
**CERT-UA** also warned that members of Ukraine's Defense Forces could be targeted through similar tactics. In March, the agency received reports that attackers had distributed what they claimed was an updated software package for drone operators via the **Signal** messaging app. The archive file instead contained malware that installed **AgingFly**.
### APT28 Activity
Earlier this week, **Reuters** reported that in a separate incident, Russia-linked hackers broke into more than 170 email accounts belonging to prosecutors and investigators in Ukraine, as well as targets in neighboring **NATO** countries and the Balkans.
Cyber researchers at **Ctrl-Alt-Intel** attributed that campaign to the group known as **APT28**, also referred to as **Fancy Bear**, **BlueDelta** or **Forest Blizzard**.
Researchers said the hackers likely targeted Ukrainian law enforcement either to monitor investigations into Russian espionage activity or to gather potentially sensitive information about senior officials in Kyiv.
