UAC-0247 Unleashes ‘AgingFly’ Malware: Stealing Browser & WhatsApp Data from Hospitals + Video

Listen to this Post

Featured Image

Introduction:

Between March and April 2026, Ukraine’s Computer Emergency Response Team (CERT-UA) uncovered a surge in attacks by a sophisticated threat cluster known as UAC-0247. These campaigns have severely impacted municipal governments and healthcare institutions, with a primary focus on clinical and emergency hospitals. The attackers deploy a novel malware family, AgingFly, which uses a unique runtime-compilation technique to harvest authentication data from Chromium-based browsers and the Windows version of WhatsApp.

Learning Objectives:

  • Understand the complex, multi-stage infection chain used by UAC-0247.
  • Analyze the unique technical capabilities of the AgingFly malware, including its dynamic compilation of command handlers.
  • Identify key indicators of compromise (IoCs) and learn mitigation strategies, including specific Linux and Windows commands.

You Should Know:

1. Attack Chain Analysis: From Phishing to Persistence

The UAC-0247 campaign leverages highly targeted spear-phishing emails themed around humanitarian aid proposals. When a victim interacts with the email, the following sequence unfolds:

  • Step 1: The user clicks a link, which redirects to either a legitimate site compromised via a cross-site scripting (XSS) flaw or a fully fake, AI-generated website.
  • Step 2: The site delivers a malicious archive (e.g., ZIP or RAR).
  • Step 3: The archive contains a shortcut (.LNK) file that abuses the Microsoft HTA handler. Executing the LNK file triggers `mshta.exe` to fetch and run an HTA payload from a remote server.
  • Step 4: A decoy form appears to distract the user while the malware establishes persistence via a scheduled task, which then downloads and executes the final payload injector.

How to Detect This Phase (Blue Team Commands):

  • Windows (Detecting Suspicious LNK & HTA Execution):
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object { $<em>.Message -match '.lnk' -or $</em>.Message -match 'mshta.exe' } | Format-List
    
  • Linux (Scheduled Task Monitoring on an SMB Share):
    Check for unusual scheduled tasks on mounted Windows shares
    find /mnt/windows_sysvol/ -name ".job" -o -name ".xml" | xargs grep -l "RuntimeBroker"
    
  1. Deep Dive: The AgingFly Malware and Its Dynamic Capabilities
    AgingFly is a C-based backdoor designed for remote control, file exfiltration, keylogging, and screen capture. Its most distinctive feature is the lack of built-in command handlers. Instead, it receives source code from its C2 server and compiles these handlers at runtime using the .NET Roslyn compiler. This makes static detection significantly harder.
  • Command & Control: The malware communicates via WebSockets with AES-CBC encryption using a static key.
  • Browser Data Theft: It uses an open-source tool, ChromElevator, to decrypt and extract cookies and saved passwords from Chromium browsers without admin rights.
  • WhatsApp Extraction: It leverages a forensic tool, ZAPiDESK, to decrypt local WhatsApp for Windows databases.

Tutorial: Simulating Behavioral Detection (Python Example):

You can build a simple YARA rule to detect the suspicious invocation of the Roslyn compiler used by AgingFly:

rule AgingFly_Roslyn_Compilation {
strings:
$s1 = "Microsoft.CodeAnalysis.CSharp.Scripting" nocase
$s2 = "CSharpScript.Create" nocase
$s3 = "RunAsync" nocase
condition:
(uint16(0) == 0x5A4D) and (any of ($s))
}

Command to scan a memory dump:

 On Linux using YARA
yara64 -w -r agingfly.yar /mnt/memory_dump/

3. Data Harvesting Focus: Chromium Browsers & WhatsApp

The attackers’ primary goal is credential and session theft. By extracting from Chromium-based browsers (Chrome, Edge, Brave), they can bypass multi-factor authentication using stolen session cookies. Simultaneously, extracting the WhatsApp for Windows database gives them access to private messages and contact lists.

How to Simulate & Detect Theft Attempts:

  • Windows (Monitor Access to Browser Databases):
    Monitor processes accessing Chrome's Login Data file
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
    $watcher.Filter = "Login Data"
    $watcher.EnableRaisingEvents = $true
    Register-ObjectEvent $watcher "Changed" -Action {Write-Host "Potential browser credential access detected!"}
    
  • Linux (Detect WhatsApp DB Access from Non-WhatsApp Process):
    Use auditd to track access to WhatsApp databases
    sudo auditctl -w /home//.config/WhatsApp/ -p rwa -k whatsapp_access
    sudo ausearch -k whatsapp_access
    

4. Lateral Movement & Network Tunneling

After establishing a foothold, UAC-0247 conducts reconnaissance using `RustScan` for port scanning and `Ligolo-ng` or `Chisel` to create reverse tunnels for hidden network access. This allows them to pivot from a compromised hospital workstation to critical internal servers.

Step‑by‑step guide to detect tunneling:

  1. Monitor for unusual child processes: Attackers often run these tools via PowerShell.

2. Windows Command to detect Ligolo-ng:

tasklist /v | findstr /i "ligolo"
netstat -ano | findstr "ESTABLISHED" | findstr "11601"

3. Linux Command to detect port scanning:

 Check for rapid connection attempts (signature of RustScan)
sudo tcpdump -i eth0 'tcp[bash] & (tcp-syn) != 0' | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr | head -20

5. Defense & Hardening Strategies for Healthcare IT

Healthcare environments are prime targets due to legacy systems and high availability demands. CERT-UA recommends a layered defense.

Mitigation Actions:

  • Restrict Script Execution: Use Windows Defender Application Control (WDAC) or AppLocker to block .LNK, .HTA, and `.JS` files from running in user-writable directories.
  • Harden PowerShell:
    Enable PowerShell logging to catch malicious commands
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
    
  • Network Monitoring: Block outbound connections to known malicious Telegram channels (used for C2 address retrieval).

6. Full Incident Response Checklist for UAC-0247

If you suspect an infection, follow this IR checklist:
1. Isolate: Disconnect the affected host from the network immediately.
2. Memory Capture: Acquire RAM for analysis of the runtime-compiled .NET assemblies.
3. Command to extract .NET process details on live Windows system:

Get-Process -Name RuntimeBroker | Get-Process -Module | Export-Csv -Path dotnet_modules.csv

4. Log Analysis: Pull Sysmon and PowerShell logs.

  1. Search for IoCs: Scan for the presence of `ChromeElevator.exe` or `ZapixDesk.exe` in the file system.

What Undercode Say:

  • UAC-0247’s use of AI-generated lures and runtime code compilation marks a significant evolution in espionage tradecraft, moving away from static payloads.
  • Healthcare organizations must prioritize “prevention over detection” by strictly controlling script execution and monitoring for abnormal process behavior, such as `RuntimeBroker.exe` spawning network connections.
  • The reliance on open-source tools like ChromElevator and ZAPiDESK for the heavy lifting of credential theft highlights a “living-off-the-land” strategy that makes attribution and defense complex.
  • The dual threat of data exfiltration combined with cryptocurrency mining indicates a threat actor motivated by both intelligence gathering and financial gain, complicating the traditional “nation-state vs. cybercrime” attribution.

Prediction:

This campaign foreshadows a future where AI-generated phishing content becomes indistinguishable from legitimate communications, forcing a shift toward identity-centric security models. Furthermore, the technique of runtime-compiled malware will likely be adopted by other ransomware groups, rendering traditional signature-based antivirus largely obsolete and pushing the industry toward mandatory behavioral analysis and endpoint detection and response (EDR) solutions for critical infrastructure.

▶️ Related Video (86% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Varshu25 Uac – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky