Ukrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware
The Record from Recorded Future News

Hackers have targeted Ukrainian hospitals and local government bodies in a new espionage campaign using a malware tool dubbed AgingFly, researchers say.

Ukraine's computer emergency response team, CERT-UA, said the activity was carried out by a group tracked as UAC-0247, which launched multiple attacks over the past two months against municipal authorities, clinical hospitals and emergency medical services.

The hackers attempted to steal sensitive data and, in some cases, exploit compromised systems to mine cryptocurrency, CERT-UA said.

The attacks typically began with phishing emails posing as discussions about proposals for humanitarian aid. Victims were asked to follow a link that led to the download of a malicious archive file.

To make the messages more convincing, attackers sometimes created websites for fake organizations, potentially generated using artificial intelligence, or embedded malicious scripts in otherwise legitimate websites.

Once opened, the archive installed multiple pieces of malware, including AgingFly, SilentLoop, ChromeElevator and ZapixDesk.

CERT-UA said AgingFly allows attackers to remotely control an infected computer, enabling them to execute commands, download files, capture screenshots, record keystrokes and run arbitrary code. Another tool, SilentLoop, can execute commands and retrieve the current address of the attackers' command-and-control server via a Telegram channel.

The attackers also attempted to extract authentication credentials and other sensitive information from internet browsers using ChromeElevator, or from WhatsApp accounts using a tool called ZapixDesk.

In one case, investigators detected the use of XMRig, a legitimate cryptocurrency mining tool, suggesting attackers may have used victims' computing resources to generate digital currency.

CERT-UA also warned that members of Ukraine's Defense Forces could be targeted through similar tactics. In March, the agency received reports that attackers had distributed what they claimed was an updated software package for drone operators via the Signal messaging app. The archive file instead contained malware that installed AgingFly.

Earlier this week, Reuters reported that in a separate incident, Russia-linked hackers broke into more than 170 email accounts belonging to prosecutors and investigators in Ukraine, as well as targets in neighboring NATO countries and the Balkans.

Cyber researchers at CtrlAltIntel attributed that campaign to the group known as APT28, also referred to as Fancy Bear, BlueDelta or Forest Blizzard.

Researchers said the hackers likely targeted Ukrainian law enforcement either to monitor investigations into Russian espionage activity or to gather potentially sensitive information about senior officials in Kyiv.

Recorded Future News contacted CERT-UA for additional comment on the Fancy Bear campaign but did not receive a response by the time of publication.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.