Listen to this Post

Introduction:
Between March and April 2026, Ukraine’s Computer Emergency Response Team (CERT-UA) uncovered a surge in attacks by a sophisticated threat cluster known as UAC-0247. These campaigns have severely impacted municipal governments and healthcare institutions, with a primary focus on clinical and emergency hospitals. The attackers deploy a novel malware family, AgingFly, which uses a unique runtime-compilation technique to harvest authentication data from Chromium-based browsers and the Windows version of WhatsApp.
Learning Objectives:
- Understand the complex, multi-stage infection chain used by UAC-0247.
- Analyze the unique technical capabilities of the AgingFly malware, including its dynamic compilation of command handlers.
- Identify key indicators of compromise (IoCs) and learn mitigation strategies, including specific Linux and Windows commands.
You Should Know:
1. Attack Chain Analysis: From Phishing to Persistence
The UAC-0247 campaign leverages highly targeted spear-phishing emails themed around humanitarian aid proposals. When a victim interacts with the email, the following sequence unfolds:
- Step 1: The user clicks a link, which redirects to either a legitimate site compromised via a cross-site scripting (XSS) flaw or a fully fake, AI-generated website.
- Step 2: The site delivers a malicious archive (e.g., ZIP or RAR).
- Step 3: The archive contains a shortcut (.LNK) file that abuses the Microsoft HTA handler. Executing the LNK file triggers `mshta.exe` to fetch and run an HTA payload from a remote server.
- Step 4: A decoy form appears to distract the user while the malware establishes persistence via a scheduled task, which then downloads and executes the final payload injector.
How to Detect This Phase (Blue Team Commands):
- Windows (Detecting Suspicious LNK & HTA Execution):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object { $<em>.Message -match '.lnk' -or $</em>.Message -match 'mshta.exe' } | Format-List - Linux (Scheduled Task Monitoring on an SMB Share):
Check for unusual scheduled tasks on mounted Windows shares find /mnt/windows_sysvol/ -name ".job" -o -name ".xml" | xargs grep -l "RuntimeBroker"
- Deep Dive: The AgingFly Malware and Its Dynamic Capabilities
AgingFly is a C-based backdoor designed for remote control, file exfiltration, keylogging, and screen capture. Its most distinctive feature is the lack of built-in command handlers. Instead, it receives source code from its C2 server and compiles these handlers at runtime using the .NET Roslyn compiler. This makes static detection significantly harder.
- Command & Control: The malware communicates via WebSockets with AES-CBC encryption using a static key.
- Browser Data Theft: It uses an open-source tool, ChromElevator, to decrypt and extract cookies and saved passwords from Chromium browsers without admin rights.
- WhatsApp Extraction: It leverages a forensic tool, ZAPiDESK, to decrypt local WhatsApp for Windows databases.
Tutorial: Simulating Behavioral Detection (Python Example):
You can build a simple YARA rule to detect the suspicious invocation of the Roslyn compiler used by AgingFly:
rule AgingFly_Roslyn_Compilation {
strings:
$s1 = "Microsoft.CodeAnalysis.CSharp.Scripting" nocase
$s2 = "CSharpScript.Create" nocase
$s3 = "RunAsync" nocase
condition:
(uint16(0) == 0x5A4D) and (any of ($s))
}
Command to scan a memory dump:
On Linux using YARA yara64 -w -r agingfly.yar /mnt/memory_dump/
3. Data Harvesting Focus: Chromium Browsers & WhatsApp
The attackers’ primary goal is credential and session theft. By extracting from Chromium-based browsers (Chrome, Edge, Brave), they can bypass multi-factor authentication using stolen session cookies. Simultaneously, extracting the WhatsApp for Windows database gives them access to private messages and contact lists.
How to Simulate & Detect Theft Attempts:
- Windows (Monitor Access to Browser Databases):
Monitor processes accessing Chrome's Login Data file $watcher = New-Object System.IO.FileSystemWatcher $watcher.Path = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default" $watcher.Filter = "Login Data" $watcher.EnableRaisingEvents = $true Register-ObjectEvent $watcher "Changed" -Action {Write-Host "Potential browser credential access detected!"} - Linux (Detect WhatsApp DB Access from Non-WhatsApp Process):
Use auditd to track access to WhatsApp databases sudo auditctl -w /home//.config/WhatsApp/ -p rwa -k whatsapp_access sudo ausearch -k whatsapp_access
4. Lateral Movement & Network Tunneling
After establishing a foothold, UAC-0247 conducts reconnaissance using `RustScan` for port scanning and `Ligolo-ng` or `Chisel` to create reverse tunnels for hidden network access. This allows them to pivot from a compromised hospital workstation to critical internal servers.
Step‑by‑step guide to detect tunneling:
- Monitor for unusual child processes: Attackers often run these tools via PowerShell.
2. Windows Command to detect Ligolo-ng:
tasklist /v | findstr /i "ligolo" netstat -ano | findstr "ESTABLISHED" | findstr "11601"
3. Linux Command to detect port scanning:
Check for rapid connection attempts (signature of RustScan)
sudo tcpdump -i eth0 'tcp[bash] & (tcp-syn) != 0' | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head -20
5. Defense & Hardening Strategies for Healthcare IT
Healthcare environments are prime targets due to legacy systems and high availability demands. CERT-UA recommends a layered defense.
Mitigation Actions:
- Restrict Script Execution: Use Windows Defender Application Control (WDAC) or AppLocker to block
.LNK,.HTA, and `.JS` files from running in user-writable directories. - Harden PowerShell:
Enable PowerShell logging to catch malicious commands Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
- Network Monitoring: Block outbound connections to known malicious Telegram channels (used for C2 address retrieval).
6. Full Incident Response Checklist for UAC-0247
If you suspect an infection, follow this IR checklist:
1. Isolate: Disconnect the affected host from the network immediately.
2. Memory Capture: Acquire RAM for analysis of the runtime-compiled .NET assemblies.
3. Command to extract .NET process details on live Windows system:
Get-Process -Name RuntimeBroker | Get-Process -Module | Export-Csv -Path dotnet_modules.csv
4. Log Analysis: Pull Sysmon and PowerShell logs.
- Search for IoCs: Scan for the presence of `ChromeElevator.exe` or `ZapixDesk.exe` in the file system.
What Undercode Say:
- UAC-0247’s use of AI-generated lures and runtime code compilation marks a significant evolution in espionage tradecraft, moving away from static payloads.
- Healthcare organizations must prioritize “prevention over detection” by strictly controlling script execution and monitoring for abnormal process behavior, such as `RuntimeBroker.exe` spawning network connections.
- The reliance on open-source tools like ChromElevator and ZAPiDESK for the heavy lifting of credential theft highlights a “living-off-the-land” strategy that makes attribution and defense complex.
- The dual threat of data exfiltration combined with cryptocurrency mining indicates a threat actor motivated by both intelligence gathering and financial gain, complicating the traditional “nation-state vs. cybercrime” attribution.
Prediction:
This campaign foreshadows a future where AI-generated phishing content becomes indistinguishable from legitimate communications, forcing a shift toward identity-centric security models. Furthermore, the technique of runtime-compiled malware will likely be adopted by other ransomware groups, rendering traditional signature-based antivirus largely obsolete and pushing the industry toward mandatory behavioral analysis and endpoint detection and response (EDR) solutions for critical infrastructure.
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Varshu25 Uac – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


