Spyware Surge: New ‘AgingFly’ Malware Strikes Ukrainian Hospitals and Emergency Services
Ukrainian public institutions face a relentless espionage campaign as hackers deploy sophisticated malware to steal sensitive data and mine cryptocurrency.
At the height of war and humanitarian crisis, Ukraine’s hospitals and emergency agencies are fighting a battle on a hidden front: a wave of cyber espionage that threatens to cripple essential services. The latest digital assault, orchestrated by a shadowy group known as UAC-0247, leverages a potent new malware dubbed “AgingFly” - and it’s not just data at stake, but the very backbone of Ukraine’s emergency response.
The campaign, which has unfolded over the past two months, is as technically complex as it is cunning. According to Ukraine’s CERT-UA, it begins with phishing emails crafted to look like legitimate discussions about humanitarian aid - an especially cruel deception given the ongoing conflict. Victims are urged to download files from links or fake organizational websites, some likely generated by artificial intelligence, that install a suite of malware when opened.
Once inside a system, AgingFly allows hackers to remotely commandeer the infected machine. The malware’s capabilities are extensive: running commands, downloading files, capturing screenshots, recording keystrokes, and executing arbitrary code. Its companion tools, like SilentLoop, can dynamically locate the hackers’ control servers through encrypted channels such as Telegram, while ChromeElevator and ZapixDesk are engineered to siphon off browser credentials and WhatsApp data.
Investigators also discovered the use of XMRig, a legitimate cryptocurrency mining program, repurposed to exploit victims’ computing power for financial gain. This dual-pronged attack - stealing both information and resources - underscores the evolving motives and sophistication of cybercriminal groups operating in the region.
The threat is not limited to civilian targets. CERT-UA has warned that Ukraine’s Defense Forces could be next, citing reports of malicious software masquerading as drone control updates distributed via Signal. Meanwhile, a parallel campaign attributed to the notorious Russian-linked group APT28 (Fancy Bear) has breached email accounts of Ukrainian prosecutors and even reached into neighboring NATO countries.
While the full scope of the damage is still unfolding, the attacks demonstrate a chilling reality: cyber warfare is now deeply intertwined with physical conflict, targeting the institutions that underpin a nation’s resilience.
As Ukraine’s defenders race to patch digital wounds, the latest AgingFly campaign is a stark reminder that in modern warfare, the front lines extend far beyond the battlefield - and the fight for critical infrastructure is as vital as any fought with boots on the ground.
WIKICROOK
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Cryptocurrency Mining: Cryptocurrency mining uses computer power to solve puzzles, validate transactions, and earn digital coins on decentralized blockchain networks.
- Credential Theft: Credential theft occurs when hackers steal usernames and passwords, often via phishing or data breaches, to illegally access online accounts.