ZCyberNews

AgingFly Malware Targets Ukrainian Government and Hospitals

A new malware family dubbed 'AgingFly' is stealing authentication data from Chromium browsers and WhatsApp in targeted attacks against Ukrainian local government bodies and hospitals.



Executive Summary

A previously undocumented malware family, named 'AgingFly' by researchers, is actively targeting Ukrainian local government bodies and hospitals in a campaign focused on credential theft. According to an analysis by the Computer Emergency Response Team of Ukraine (CERT-UA), the malware is designed to steal authentication data, including cookies and passwords, from Chromium-based web browsers and the WhatsApp desktop application. The initial infection vector is suspected to be spear-phishing emails containing malicious attachments.

Technical Analysis

AgingFly is a .NET infostealer delivered as a malicious executable. Once run on a victim's system it first establishes persistence by creating a scheduled task named MicrosoftEdgeUpdateTaskMachineUA, a name that imitates the tasks the legitimate Microsoft Edge updater registers. It then harvests sensitive data from the host. The primary targets are Chromium-based browsers (Google Chrome, Microsoft Edge, Opera) and the WhatsApp desktop client. The report gives the Chrome locations: the malware copies the Network subdirectory of the profile at %LOCALAPPDATA%\Google\Chrome\User Data\Default\ (which holds the Cookies database) and the Login Data file in the same profile directory (the SQLite database of saved usernames and passwords). Both databases are encrypted with a per-profile key that Chromium keeps DPAPI-protected in the browser's Local State file (recent Chrome releases add app-bound encryption on top), so copying the files alone is not sufficient; this summary does not say how AgingFly handles that. For WhatsApp it targets %APPDATA%\WhatsApp, which contains the local message databases and configuration files.

The stolen data is archived into a ZIP file. AgingFly then exfiltrates the archive by email through the victim's own Outlook installation, using MAPI (Messaging Application Programming Interface) to send it to attacker-controlled addresses directly from the victim's mailbox. Because the message leaves through the organization's normal mail path rather than over a separate command-and-control channel, it blends into legitimate email traffic and can evade network-based detection. The flip side for defenders is that the message is still processed by the mail server, so it appears in the server's transport logs and, unless the malware removes it, in the user's Sent Items.

Tactics, Techniques & Procedures

The campaign uses a consistent set of techniques. Initial access is believed to come through Spearphishing Attachment (T1566.001), with execution relying on the user running the malicious executable. Persistence is established via Scheduled Task (T1053.005). Credential access maps to Credentials from Password Stores (T1555; the browser-specific sub-technique is T1555.003, Credentials from Web Browsers) for the saved passwords and to Steal Web Session Cookie (T1539) for the browser cookies. Collection is Data from Local System (T1005). Exfiltration is Exfiltration Over Alternative Protocol (T1048): the archive leaves as an email sent through the victim's own Outlook client via MAPI rather than over a dedicated C2 channel.

Threat Actor Context

CERT-UA has not publicly attributed this campaign to a known threat actor group. The targeting of Ukrainian government and healthcare entities is consistent with a long-standing pattern of cyber operations against the country, often linked to Russian-aligned advanced persistent threat (APT) groups. However, without specific technical links or tactical overlaps disclosed in the available reporting, the origin and affiliation of the operators behind AgingFly remain uncertain. The focus on credential theft suggests the objective is likely intelligence gathering and potential follow-on access to government and critical healthcare systems.

Mitigations & Recommendations

Organizations, particularly in government and healthcare, should apply several defensive measures. Train users to recognize and report spear-phishing attempts. Use application allowlisting to block execution of unauthorized binaries such as the AgingFly executable. Configure Endpoint Detection and Response (EDR) tooling to alert on the creation of scheduled tasks whose names imitate system components but whose actions point outside the expected program directories, and on MAPI-based mail sending from processes other than the mail client. Deploy hardware security keys or another phishing-resistant multi-factor authentication (MFA) method for high-value accounts; this protects password-based logins, but a stolen session cookie replays an already-authenticated session and bypasses MFA of any kind, so pair it with short session lifetimes, revocation of active sessions when a compromise is suspected, and token binding where the identity provider supports it. Finally, review outbound mail controls: restrict sending to external recipients where there is no business need, and alert on messages carrying archive attachments to first-seen external domains from accounts that rarely send outside the organization.
