AgingFly Malware used in attacks on Ukraine government and hospitals

A new malware family named ‘AgingFly’ has been identified (the linked report requires translation into English) in attacks against Ukrainian government bodies and hospitals; the malware steals authentication data from Chromium-based browsers and the WhatsApp messenger.

Commenting on this news is Ensar Seker, CISO at SOCRadar:

“AgingFly reflects a continued shift toward credential-centric operations, where attackers prioritize access over disruption in the initial stages. By targeting Chromium-based browsers and messaging platforms like WhatsApp, actors are going after high-value session data that enables lateral movement, impersonation, and long-term persistence rather than immediate impact.

What’s notable here is the targeting profile: government, healthcare, and potentially defense-linked entities, which suggests intelligence collection and pre-positioning rather than opportunistic cybercrime. Groups like UAC-0247 are increasingly blending espionage tactics with commodity malware techniques, making detection harder. Organizations should treat browser-stored credentials and messaging session tokens as sensitive assets and move toward stronger controls like device-bound authentication, reduced credential storage, and continuous session monitoring.”

Reading through this document makes one thing clear. This is a skilled threat actor who is clearly out to set up shop for the long term. That’s the most dangerous type of threat actor to deal with. And chances are, they won’t stop at Ukraine, as I fully expect them to be using the same techniques elsewhere.
