AgingFly malware attacks local governments and hospitals in Ukraine

Malware Activity
Happening score
H score 16
1 unique source, 1 article

Summary

The AgingFly malware is now being deployed against local governments and hospitals in Ukraine, where it steals browser and WhatsApp authentication data and enables deeper compromise. The payload also supports keylogging, screenshot capture, file exfiltration, and arbitrary code execution, increasing the risk of account takeover and internal access. The activity is linked to UAC-0247 and uses a phishing-led delivery chain built around LNK and HTA execution.

Related Happenings

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

UAC-0247 phishing-led malware campaign targeting Ukrainian government and healthcare institutions

Campaign
First: 16.04.2026 09:20 Last: 16.04.2026 09:20 Sources 1

About this happening: A **March-April 2026** **UAC-0247** phishing campaign targeted **Ukrainian government** and **municipal healthcare organizations**, using **malware delivery** to steal data from *...

UAC-0255 CERT-UA impersonation phishing campaign

Campaign
First: 01.04.2026 19:10 Last: 01.04.2026 19:10 Sources 1

About this happening: The **UAC-0255** phishing campaign impersonated **CERT-UA** to deliver a password-protected ZIP archive and trick recipients into installing **AGEWHEEZE**. The operation ran on **...

AGEWHEEZE remote access trojan activity

Malware Activity
First: 01.04.2026 19:10 Last: 01.04.2026 19:10 Sources 1

About this happening: CERT-UA disclosed **AGEWHEEZE**, a **remote access trojan** delivered through a **password-protected ZIP** that enabled remote control over infected devices. The malware was sprea...

Timeline

  1. 16.04.2026 00:57 2 articles · 1mo ago

    CERT-UA discloses AgingFly attacks on Ukraine targets

    Initial Disclosure

    CERT-UA discloses that AgingFly is being used against local governments and hospitals in Ukraine, with possible targets also including representatives of the Defense Forces. The campaign uses a humanitarian-aid phishing email, a link to a compromised or AI-generated site, LNK and HTA execution, staged payload delivery, WebSocket-based C2, and host-side compilation of command handlers. It steals authentication data from Chromium-based browsers and WhatsApp for Windows and is attributed to UAC-0247.
