Ukrainian critical services, including hospitals and emergency responders, were targeted by the UAC-0247 group using new malware like AgingFly, aiming to exfiltrate sensitive data and exploit systems for cryptocurrency mining.
The attacks, initiated via phishing emails and fraudulent websites, demonstrate a sophisticated and persistent threat to Ukraine's vital infrastructure, impacting public safety and national security.
The combination of remote-control, credential-harvesting and cryptocurrency-mining tools points to a multi-purpose operation in which compromised systems and stolen data can be reused for further intrusions or other malicious ends.

Atlas AI
Ukrainian emergency services and hospitals have been targeted in a recent espionage campaign that used a newly identified malware strain called AgingFly. Officials attributed the activity to the UAC-0247 group, describing multiple intrusions over the past two months aimed at municipal authorities, clinical hospitals, and emergency medical services.
The stated objective of the operation was data theft, with attackers attempting to remove sensitive information from compromised networks. In some cases, the same access was also used to run cryptocurrency mining software, indicating that affected systems were not only a source of information but also a pool of computing resources that could be exploited after compromise.
Escalation of Cyber Espionage Against Critical Infrastructure Fuels Global Cyber Warfare Concerns
The targeting of Ukrainian emergency services and hospitals with the new 'AgingFly' malware signifies an escalation in cyber espionage tactics against critical infrastructure during conflict. This development highlights the growing risk of cyber warfare impacting essential public services, setting a precedent for similar attacks in other regional conflicts and raising the stakes for international cybersecurity measures and norms.
Investigators said initial access most often began with phishing emails that prompted recipients to download malicious archives. To make lures appear more credible, the attackers sometimes set up fraudulent websites or placed malicious scripts on legitimate sites, a tactic intended to reduce suspicion and increase the likelihood that targets would proceed with downloads or interactions that triggered infection.
The campaign used a broader toolkit rather than a single implant. Alongside AgingFly, the deployed malware set included SilentLoop, ChromeElevator, and ZapixDesk. AgingFly was described as enabling remote control of infected machines, including command execution, downloading files, capturing screenshots, logging keystrokes, and running arbitrary code.
SilentLoop was reported to support command execution and to obtain its command-and-control server addresses through Telegram. That matters for defenders: the implant's first outbound lookup goes to a legitimate, widely used service rather than to attacker-owned infrastructure, so blocklists of known C2 addresses alone will not surface it. Credential-focused components were also present: ChromeElevator and ZapixDesk were used to extract authentication data from browsers and from WhatsApp, giving the attackers access to additional accounts and, through reused credentials, a route to other systems after the initial breach.
Officials also pointed to similar tactics previously observed against Ukrainian Defense Forces personnel, including malware delivery disguised as drone software updates. The overlap in methods underscores that the same social-engineering approaches can be adapted across civilian critical services and military-affiliated targets, depending on the access and information sought.
What remains unclear from the available details is the full scale of affected organizations, the volume or type of data successfully exfiltrated, and how widely cryptocurrency mining was deployed across compromised systems. Even so, the reported activity adds to ongoing concerns about persistent cyber threats facing critical infrastructure and public-sector entities in Ukraine.