What happened
A threat group tracked as UAC-0247 has conducted multiple cyberattacks over the past two months against Ukrainian municipal authorities, clinical hospitals, and emergency medical services, deploying a previously undocumented malware tool called AgingFly. Ukraine’s computer emergency response team, CERT-UA, said the campaign is aimed at stealing sensitive data, with cryptocurrency mining observed as a secondary activity in some cases. Attacks began with phishing emails posing as discussions about humanitarian aid proposals, directing victims to download a malicious archive. To add legitimacy, attackers created fake organization websites — some potentially AI-generated — or embedded malicious scripts in legitimate sites. The archive deployed four malware components: AgingFly, which provides full remote control including command execution, file transfer, screenshot capture, and keylogging; SilentLoop, which retrieves command-and-control server addresses via Telegram; ChromeElevator, which extracts credentials and sensitive data from browsers; and ZapixDesk, which targets WhatsApp accounts. In one instance, the XMRig cryptocurrency miner was also deployed. CERT-UA separately warned that Ukrainian Defense Forces personnel may be targeted through similar tactics, noting a March incident in which AgingFly was distributed via Signal disguised as a software update for drone operators. In a related but separate campaign, Russia-linked APT28 compromised more than 170 email accounts belonging to Ukrainian prosecutors and investigators, as well as targets in NATO countries and the Balkans, reportedly to monitor investigations into Russian espionage activity.
Who is affected
Ukrainian hospitals, emergency medical services, and municipal government bodies are the confirmed targets of the UAC-0247 campaign. Ukrainian Defense Forces personnel face additional exposure through the drone operator lure distributed via Signal. The parallel APT28 campaign extends risk to law enforcement and prosecutorial staff in Ukraine, neighboring NATO countries, and the Balkans.
Why CISOs should care
The combination of tools deployed here (remote access, credential theft from browsers and messaging apps, C2 address retrieval through Telegram, and AI-assisted lure infrastructure) reflects a well-resourced and operationally flexible threat actor. The use of Signal and software update lures to reach military personnel is a direct indicator that trusted communication channels and routine update workflows are being weaponized. Organizations operating in conflict-adjacent environments or with exposure to Ukrainian government and defense supply chains should treat this as an active threat model, not a regional concern.
3 practical actions
- Treat messaging app lures as a live phishing vector: Brief staff on the use of Signal, Telegram, and WhatsApp as delivery mechanisms for malicious archives, particularly where software updates or operational documents are being shared through unofficial channels.
- Audit browser credential stores and messaging app access: Review whether endpoint controls limit the ability of unauthorized processes to extract saved credentials from browsers or access messaging application data on managed devices.
- Monitor for Telegram-based C2 activity: Inspect outbound traffic for connections to Telegram infrastructure from endpoints that have no legitimate business reason to communicate with it, as SilentLoop uses Telegram channels to retrieve command-and-control addresses.
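The third action above is a detection task, so here is an added example of how that check could be run over proxy or DNS logs. This is illustrative code written for this brief, not tooling from CERT-UA or the page's author: the log line format, the host names, the allowlist, and the 203.0.113.0/24 destination addresses are all constructed assumptions; the Telegram domain names are the public ones and the allowlist is a placeholder for whichever endpoints an organization has documented as needing Telegram.

```python
"""Flag endpoints contacting Telegram infrastructure outside an allowlist.

Added example for this brief (not CERT-UA tooling). Reads proxy/DNS-style
log lines, matches destination domains against public Telegram domains, and
reports hosts that are not on the approved list. Log format, host names,
allowlist and IP addresses are constructed for illustration.
"""
from collections import Counter

# Public Telegram domains; a suffix match also catches subdomains such as api.telegram.org.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me", "telesco.pe")

# Hosts with a documented business need to reach Telegram (assumed for this example).
ALLOWED_HOSTS = frozenset({"comms-desk-01"})

# Constructed sample log lines: "<timestamp> <src_host> <dest_domain> <dest_ip>".
# IPs are from the documentation range 203.0.113.0/24, not real Telegram addresses.
SAMPLE_LOG = """\
2025-05-02T08:14:03Z ws-finance-07 api.telegram.org 203.0.113.10
2025-05-02T08:14:05Z ws-finance-07 api.telegram.org 203.0.113.10
2025-05-02T08:20:11Z comms-desk-01 web.telegram.org 203.0.113.11
2025-05-02T08:21:44Z ws-hr-03 update.microsoft.com 203.0.113.12
2025-05-02T08:30:02Z ws-reception-02 t.me 203.0.113.11
2025-05-02T08:31:09Z ws-hr-03 nottelegram.org 203.0.113.13
malformed line without enough fields
"""


def is_telegram_domain(domain: str) -> bool:
    """True if the domain is a Telegram domain or one of its subdomains.

    Uses an exact or dot-prefixed suffix match so that look-alike names such as
    'nottelegram.org' are not flagged.
    """
    d = domain.lower().rstrip(".")
    return any(d == base or d.endswith("." + base) for base in TELEGRAM_DOMAINS)


def parse_line(line: str):
    """Return (timestamp, host, domain, ip) or None for lines that don't fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)


def find_unexpected_telegram_contacts(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return {host: count} for non-allowlisted hosts that contacted Telegram domains."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        _ts, host, domain, _ip = rec
        if host in allowed_hosts:
            continue  # documented business use, not an alert
        if is_telegram_domain(domain):
            hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_unexpected_telegram_contacts(SAMPLE_LOG).items()):
        print(f"ALERT {host}: {n} connection(s) to Telegram infrastructure, host not on allowlist")
```

Domain matching only works where DNS or proxy logs expose the destination name; endpoints that connect directly by IP, or over channels the proxy does not see, would need a separate check against Telegram's published address ranges, which this example does not include.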
