Full Report
A new malware family named 'AgingFly' has been identified in attacks against local governments and hospitals; it steals authentication data from Chromium-based browsers and the WhatsApp messenger. [...]
Analysis Summary
# Tool/Technique: AgingFly
## Overview
AgingFly is a sophisticated C# (.NET) malware family used in targeted cyber-espionage campaigns against Ukrainian local governments, hospitals, and defense forces. Its primary purpose is the exfiltration of authentication data and sensitive communication from browsers and messaging applications. It is notable for its modular architecture, where command handlers are compiled on-the-fly on the victim's machine.
## Technical Details
- **Type**: Malware family (Info-stealer / Remote Access Trojan)
- **Platform**: Windows
- **Capabilities**: Remote control, dynamic code compilation, credential theft, lateral movement.
- **First Seen**: March 2026 (Reported April 2026)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link (Humanitarian aid lure)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1053.005 - Scheduled Task/Job: Scheduled Task
  - T1059.007 - Command and Scripting Interpreter: JavaScript/VBScript (via HTA)
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0005 - Defense Evasion**
  - T1027.004 - Obfuscation: Compile After Delivery
  - T1055 - Process Injection
- **TA0006 - Credential Access**
  - T1555.003 - Credentials from Web Browsers
  - T1539 - Steal Web Session Cookie
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1056.001 - Input Capture: Keylogging
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (WebSockets)
  - T1102.002 - Web Service: Bidirectional Communication (Telegram for C2 updates)
  - T1572 - Protocol Tunneling (Chisel/Ligolo-ng)
## Functionality
### Core Capabilities
- **Browser Data Theft**: Utilizes **ChromElevator** to extract passwords and cookies from Chromium-based browsers without admin privileges.
- **Messenger Exfiltration**: Uses the **ZAPiDESK** forensic tool to decrypt and steal WhatsApp for Windows databases.
- **Command Execution**: Provides a remote shell for arbitrary Windows command execution via PowerShell (SILENTLOOP).
- **Communication**: Uses WebSockets for C2, encrypted via AES-CBC with static keys.
### Advanced Features
- **Dynamic Compilation**: Unlike typical malware, AgingFly does not contain pre-built command handlers. It retrieves handlers as **source code** from the C2 and compiles them at runtime on the host.
- **Multi-Stage Loading**: Employs a complex chain involving LNK files, HTA handlers, and two-stage loaders (using RAVENSHELL) before the final payload.
- **Dead Drop Resolvers**: Uses Telegram channels as a fallback mechanism to update C2 addresses.
## Indicators of Compromise
*Note: Indicators are based on typical patterns provided in the CERT-UA reporting.*
- **File Names**:
  - `AgingFly.exe` (or variant names)
  - SILENTLOOP (PowerShell script)
- **Network Indicators (Defanged)**:
  - Telegram channels (used for C2 updates)
  - C2 communication via WebSockets
  - `[C2_Host]:[Port]` (Commonly uses high-number TCP ports for RAVENSHELL)
- **Behavioral Indicators**:
  - `mshta.exe` connecting to external URLs.
  - Unexpected use of `csc.exe` (C# Compiler) on workstations.
  - Process injection into legitimate Windows processes.
## Associated Threat Actors
- **UAC-0247**: A cyber threat cluster identified by CERT-UA.
## Detection Methods
- **Signature-based detection**: Monitor for known hashes of ChromElevator, ZAPiDESK, Chisel, and Ligolo-ng.
- **Behavioral detection**:
  - Detect `mshta.exe` launching from email attachments or LNK files.
  - Alert on unauthorized outbound WebSocket connections from unusual processes.
  - Monitor for the execution of the C# compiler (`csc.exe`) by non-developer users.
- **YARA rules**: Focus on the specific SILENTLOOP PowerShell logic and the AgingFly WebSocket implementation.
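The two behavioral rules above (mshta.exe launched via an attachment, LNK or remote URL, and csc.exe run by a non-developer outside a build tool) as a small detection pass over process-creation events. This is an added example, not code from CERT-UA or the report; the Sysmon-style event records, the `DEVELOPER_USERS` allowlist and the `BUILD_PARENTS` set are constructed assumptions to be replaced with an organisation's own telemetry and baselines.

```python
import re
from typing import List, Optional, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1 fields); sample data, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://aid-lure.example/help.hta", "User": r"CORP\clerk01"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\clerk01\AppData\Roaming\svc\host.exe",
     "CommandLine": "csc.exe /noconfig /out:handler.dll handler.cs", "User": r"CORP\clerk01"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": "csc.exe /noconfig @build.rsp", "User": r"CORP\dev01"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe C:\\ProgramData\\local.hta", "User": r"CORP\admin01"},
]

DEVELOPER_USERS = {r"CORP\dev01"}                            # assumed: accounts expected to compile code
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumed: legitimate parents of csc.exe
MAIL_AND_SHELL_PARENTS = {"outlook.exe", "explorer.exe"}     # attachment / double-clicked LNK launch paths
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for image/parent comparisons."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return the matching rule name for one process-creation event, or None."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image == "mshta.exe":
        # HTA pulled from a remote URL, or started by the mail client / Explorer (LNK double-click)
        if URL_RE.search(event["CommandLine"]) or parent in MAIL_AND_SHELL_PARENTS:
            return "mshta_from_lure"
    if image == "csc.exe":
        # Compile-after-delivery: csc.exe outside a build tool, run by a non-developer account
        if event["User"] not in DEVELOPER_USERS and parent not in BUILD_PARENTS:
            return "csc_nondeveloper"
    return None

def detect(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Run all events through the rules; return (rule, user, image) for each match."""
    hits = []
    for e in events:
        rule = classify(e)
        if rule:
            hits.append((rule, e["User"], basename(e["Image"])))
    return hits

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The mshta.exe rule deliberately does not fire on a local HTA started from cmd.exe (last record), so tune the parent set and URL check against your own baseline before alerting.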
## Mitigation Strategies
- **Attack Surface Reduction**: Block the execution of file types such as `.lnk`, `.hta`, and `.js` when they originate from email or internet sources.
- **Hardening**: Use AppLocker or Windows Defender Application Control (WDAC) to restrict the execution of unauthorized binaries and scripts.
- **Network Filtering**: Implement strict egress filtering, specifically blocking access to known tunneling tool protocols and anonymized communication platforms if not required for business.
- **Email Security**: Enhance scrutiny on emails related to "humanitarian aid" or government-related lures.
## Related Tools/Techniques
- **ChromElevator**: Open-source tool for Chromium credential theft.
- **ZAPiDESK**: Open-source WhatsApp forensic utility.
- **RAVENSHELL**: TCP reverse shell stager.
- **Chisel / Ligolo-ng**: Network tunneling utilities commonly used for lateral movement.
- **RustScan**: High-speed port scanner.