AgingFly Malware Targets Ukrainian Government Agencies and Hospitals, Stealing Browser and WhatsApp Credentials
What Happened — A new C#‑based malware family dubbed AgingFly was observed in a campaign against Ukrainian local government bodies, hospitals, and possibly Defense Forces personnel. The threat actors deliver a phishing email that leads to a malicious HTA/EXE payload, which ultimately harvests authentication data from Chromium‑based browsers and WhatsApp for Windows.
Why It Matters for TPRM —
- Credential theft from critical public‑sector and healthcare systems can enable further lateral movement and ransomware extortion.
- The use of open‑source tools (ChromElevator, ZAPiDESK) demonstrates that low‑skill actors can weaponize legitimate utilities against third‑party vendors.
- Supply‑chain risk: compromised government portals (unwitting hosts of the malicious links) and AI‑generated fake sites act as lures for vendors and partners.
Who Is Affected — Government agencies (local, defense), healthcare providers, any third‑party service providers that support these entities (e.g., SaaS platforms, managed IT services).
Recommended Actions —
- Review email security controls (phishing simulation, URL sandboxing).
- Harden browser and messaging app configurations; enforce MFA and credential vaulting.
- Verify that third‑party vendors enforce least‑privilege and patch XSS vulnerabilities on public‑facing sites.
Technical Notes — The attack chain starts with a phishing email → malicious link (compromised site via XSS or AI‑generated clone) → LNK shortcut → HTA → scheduled task → EXE loader → custom C2 using XOR‑encrypted TCP and a Telegram channel. Data exfiltration leverages ChromElevator (browser cookies/passwords) and ZAPiDESK (WhatsApp DB). Additional reconnaissance uses RustScan, Ligolo‑ng, and Chisel tunneling tools.
Source: BleepingComputer
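The execution chain in the technical notes (LNK → HTA via mshta.exe → scheduled task → loader EXE, followed by tunneling/recon tools) maps onto a few process-lineage rules a SOC can run over endpoint process-creation telemetry. The script below is an added detection example, not code from the page or from BleepingComputer. It assumes a simplified Sysmon Event ID 1-like record (pid, parent pid, image name, command line); every event in SAMPLE_EVENTS is constructed sample data with placeholder paths and task names, not real telemetry from the campaign, and the tool-name rule matches on filename only, which a renamed binary evades (in practice pair it with hashes or behavioural rules).

```python
"""
Process-lineage detection for the AgingFly-style chain described above:
explorer.exe (user opens LNK) -> mshta.exe (HTA) -> schtasks.exe /create
(persistence) -> loader EXE, plus tunneling/recon tool names.

All events below are CONSTRUCTED sample data; the shape is a simplified
Sysmon Event ID 1 record, not the real campaign's telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tool names listed in the technical notes; matching on image name is weak
# (renamed binaries evade it) and is used here only for illustration.
TOOL_NAMES = {"rustscan", "ligolo-ng", "ligolo", "chisel", "chromelevator", "zapidesk"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name, e.g. "mshta.exe"
    cmdline: str   # command line as logged


# Constructed sample events (pids, paths and task names are placeholders).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # user double-clicks the LNK, which launches the HTA through mshta.exe
    ProcEvent(200, 100, "mshta.exe", r"mshta.exe C:\Users\user\Downloads\document.hta"),
    # the HTA spawns cmd.exe, which registers a scheduled task for the loader
    ProcEvent(300, 200, "cmd.exe", r"cmd.exe /c schtasks /create ..."),
    ProcEvent(400, 300, "schtasks.exe",
              r"schtasks.exe /create /tn PLACEHOLDER_TASK /tr C:\Users\user\AppData\Roaming\loader.exe /sc minute"),
    # benign noise: an admin listing tasks and creating one from a console
    ProcEvent(800, 100, "schtasks.exe", "schtasks.exe /query"),
    ProcEvent(850, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(900, 850, "schtasks.exe", "schtasks.exe /create /tn Backup /tr backup.exe /sc daily"),
    # tunneling tool observed later in the intrusion (name-based match only)
    ProcEvent(600, 400, "chisel.exe", "chisel.exe"),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Map pid -> event so parent lookups are O(1)."""
    return {ev.pid: ev for ev in events}


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 6) -> List[str]:
    """Return [self, parent, grandparent, ...] image names (lowercased).

    Stops at max_depth or when the parent is not in the event set; a seen-set
    guards against pid reuse creating a cycle.
    """
    chain = [ev.image.lower()]
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Apply three lineage rules; returns (rule_id, pid) for every hit."""
    by_pid = index_by_pid(events)
    findings: List[Tuple[str, int]] = []
    for ev in events:
        chain = ancestors(ev, by_pid)
        image = chain[0]
        parents = chain[1:]

        # Rule 1: schtasks /create anywhere beneath mshta.exe (HTA persistence).
        if image == "schtasks.exe" and "/create" in ev.cmdline.lower() and "mshta.exe" in parents:
            findings.append(("hta_scheduled_task", ev.pid))

        # Rule 2: mshta.exe launched directly by explorer.exe, the lineage a
        # user-opened LNK/HTA produces (benign HTAs are rare on servers).
        if image == "mshta.exe" and parents[:1] == ["explorer.exe"]:
            findings.append(("mshta_from_explorer", ev.pid))

        # Rule 3: tunneling/recon tool named in the report, by file name.
        if image.rsplit(".", 1)[0] in TOOL_NAMES:
            findings.append(("known_tool", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run as-is, the script flags the mshta.exe launch (pid 200), the task creation under the HTA lineage (pid 400) and the tool by name (pid 600), while the administrator's /query and console-launched /create (pids 800 and 900) stay quiet because no mshta.exe appears in their ancestry. Rule 1 is the most robust of the three: it keys on lineage and intent rather than on a tool name, and survives renamed loaders and intermediate cmd.exe hops.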