# New AgingFly Malware Targeting Ukrainian Government and Healthcare Sector


A newly identified malware family dubbed AgingFly has been discovered in active attacks against Ukrainian local government institutions and hospitals, marking a concerning shift in the threat landscape targeting critical infrastructure. Security researchers have determined that the malware is specifically engineered to extract sensitive authentication credentials from Chromium-based browsers and WhatsApp, enabling attackers to potentially gain unauthorized access to institutional systems and communication channels.


## The Threat


AgingFly represents a sophisticated credential-stealing threat designed with surgical precision. The malware's primary objective is to harvest authentication tokens and session data from widely-used applications, making it particularly dangerous for organizations that rely on web-based administrative tools and instant messaging for operational communications.


Key capabilities include:

  • Chromium browser credential extraction – targets Chrome, Edge, Brave, and other Chromium-based browsers
  • WhatsApp message interception – captures authentication data and potentially sensitive messages
  • Selective targeting – focuses on institutional and government systems rather than individual consumers
  • Persistence mechanisms – employs techniques to maintain access across reboots and security scans

The name AgingFly is believed to refer to the malware's evasion capabilities: it is thought to be designed to "age" quietly in logs and to bypass behavioral analysis systems.


## Background and Context

The attacks have been concentrated on Ukraine, a nation facing unprecedented cyber threats since Russia's invasion in February 2022. Ukrainian critical infrastructure, particularly government agencies and healthcare systems, has become a focal point for cyber espionage and destructive attacks.

Why this matters now:

Ukraine's healthcare infrastructure is already under severe strain from the ongoing conflict. Hospitals are operating under wartime conditions, managing trauma cases and maintaining patient records with limited resources. A successful credential theft targeting these institutions could:

  • Disrupt patient care systems and medical records access
  • Compromise pharmaceutical supply chains
  • Enable espionage on military medical facilities
  • Damage the confidentiality of patient data

Local government agencies targeted by AgingFly serve as critical coordination points for civilian services, emergency response, and resource distribution during the conflict.


## Technical Details

### How AgingFly Works

Security researchers have documented AgingFly's infection chain, which typically begins with phishing emails or compromised websites hosting malicious payloads. Once executed on a target system, the malware performs several key functions:

Stage 1: Initial Reconnaissance

The malware performs system enumeration to identify installed applications and determine which credential stores it can access. It checks for the presence of Chromium-based browsers and WhatsApp installations.

Stage 2: Credential Harvesting

  • Browser extraction: AgingFly accesses the Local State file and the encrypted credential storage used by Chromium browsers. It decrypts stored passwords, saved credit card information, and cached authentication tokens using Windows Data Protection APIs.
  • WhatsApp targeting: The malware specifically hunts for WhatsApp Web session files and local database files that may contain authentication credentials and message archives.

Stage 3: Data Exfiltration

Harvested credentials are packaged and transmitted to command-and-control (C2) servers controlled by the attackers. The malware uses encrypted channels and obfuscation to avoid network detection.

Stage 4: Persistence

AgingFly attempts to establish persistence through registry modifications, scheduled tasks, or startup folder entries, ensuring it survives system reboots and maintains access for future operations.


### Technical Indicators

| Indicator | Details |
|---|---|
| File Hashes | Currently tracked by CISA and security vendors |
| C2 Domains | Hosted on bulletproof hosting providers in Russia and Eastern Europe |
| Process Injection | Targets legitimate Windows processes to avoid process-name detection |
| Registry Persistence | Uses HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| Detection Difficulty | Living-off-the-land techniques minimize malware file presence |
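The Run key in the table is the one concrete persistence artifact the advisory names, and it is cheap to audit. The script below is an added example, not code from the advisory or from any vendor: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and flags autorun values that execute from user-writable directories, launch through a script host or LOLBin, or carry an encoded or hidden-window PowerShell command. The sample output, value names, paths and the encoded string are constructed placeholders, not indicators from the advisory.

```python
"""Audit Windows Run-key entries for autorun values that resemble user-level
malware persistence.

Added example (not from the advisory): parses `reg query` output for the
HKCU Run key and reports entries worth triage. Sample data is constructed.
"""
import re

# Constructed sample of `reg query HKCU\...\Run` output: one ordinary
# entry and two that deserve a closer look. Value names are placeholders.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\svc\update.exe
    Helper      REG_SZ    powershell.exe -w hidden -enc QQBCAEMA
"""

# Directories a normal installer rarely uses for an autorun but user-level
# malware commonly does, because writing there needs no admin rights.
USER_WRITABLE = (
    "\\appdata\\roaming", "\\appdata\\local\\temp", "\\temp\\",
    "\\users\\public", "\\downloads",
)
# Interpreters and LOLBins that let a short registry value run arbitrary code.
SCRIPT_HOSTS = (
    "powershell", "pwsh", "wscript", "cscript", "mshta",
    "rundll32", "regsvr32", "cmd.exe",
)

# One value line of `reg query` output: <name> <REG_type> <data>
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_reg_query(text):
    """Return (name, type, data) tuples for every value line in the output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def assess_entry(data):
    """Return the reasons an autorun command line is suspicious (empty if none)."""
    lowered = data.lower()
    reasons = []
    if any(p in lowered for p in USER_WRITABLE):
        reasons.append("executes from user-writable path")
    if any(h in lowered for h in SCRIPT_HOSTS):
        reasons.append("launches via script host or LOLBin")
    if "-enc" in lowered or "-encodedcommand" in lowered:
        reasons.append("base64-encoded PowerShell command")
    if "-w hidden" in lowered or "-windowstyle hidden" in lowered:
        reasons.append("hidden window")
    return reasons


def audit_run_key(text):
    """Map each suspicious value name to the list of reasons it was flagged."""
    findings = {}
    for name, _type, data in parse_reg_query(text):
        reasons = assess_entry(data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_REG_QUERY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host, redirect `reg query` for the HKCU and HKLM Run and RunOnce keys into a file and pass its contents to `audit_run_key`. A hit is a triage lead rather than a verdict: confirm the binary's publisher and hash before acting, since legitimate updaters also live under AppData.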


## Implications for Organizations

### Immediate Risks

Organizations operating in or conducting business with Ukrainian entities face elevated risk:

1. Compromised Access Credentials – Attackers gaining stored passwords can access internal systems, email accounts, and cloud services
2. Lateral Movement – Stolen authentication tokens enable movement through organizational networks
3. Supply Chain Compromise – Compromised government or healthcare systems could affect upstream suppliers and partners
4. Data Breach Potential – Healthcare organizations storing patient data are at particular risk of PHI exposure


### Broader Threat Landscape

AgingFly demonstrates a maturing threat ecosystem that treats credentials as a commodity. Rather than deploying destructive malware, sophisticated attackers are increasingly adopting espionage-focused tools that steal access credentials, which are then monetized, weaponized, or used for persistent campaigns.


## Recommendations

### For IT Security Teams

Immediate actions:

  • Deploy endpoint detection and response (EDR) solutions capable of monitoring for suspicious access to Chromium credential stores and WhatsApp data files
  • Implement application whitelisting to restrict malware execution on critical systems
  • Review browser password manager settings and consider disabling auto-fill in high-risk environments
  • Enable Windows Event Log monitoring for suspicious registry modifications and process creation

Credential hygiene:

  • Enforce passwordless authentication (Windows Hello, FIDO2 keys) wherever possible
  • Implement multi-factor authentication (MFA) across all critical applications
  • Conduct credential rotation for accounts with access to sensitive systems
  • Use password managers with local encryption rather than browser storage

### For Healthcare Organizations


Healthcare providers should review their security posture against the capabilities described above and consult established health information security guidance.

Healthcare-specific measures:

  • Segment healthcare networks so that clinical and patient care systems are isolated from administrative infrastructure
  • Implement strict access controls on electronic health record (EHR) systems
  • Conduct tabletop exercises simulating credential compromise scenarios

### For Government Agencies


  • Establish cross-agency information sharing on AgingFly samples and indicators of compromise
  • Deploy threat intelligence feeds to all endpoints
  • Implement zero-trust architecture principles
  • Conduct forensic investigation of systems to detect prior compromise

## Detection and Remediation


Detection indicators:

  • Unusual outbound connections to Eastern European IP addresses
  • Unexpected registry modifications in CurrentVersion\Run keys
  • Suspicious use of Windows credential management APIs
  • Spike in WhatsApp database file access
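Any one of these indicators is noisy on its own; what makes the behaviour described above distinctive is a single non-browser process touching credential stores and also establishing persistence or talking outbound. The following is an added example, not code from the advisory: it correlates constructed, simplified endpoint events (Sysmon-style IDs 1, 3 and 13 plus Windows Security event 4663 for object access) per host and process, and flags only the combinations. Host names, paths, PIDs, the SID and the destination address are placeholders, not indicators from the advisory.

```python
"""Correlate the advisory's detection indicators across endpoint telemetry.

Added example (not from the advisory). Each record is a constructed,
simplified event from two hosts; the correlation flags a process when it
reads browser or WhatsApp credential stores AND also shows Run-key
persistence or an outbound connection.
"""
from collections import defaultdict

# Files that hold browser / messenger credentials. Only the owning
# application normally opens them; any other process is worth a look.
CREDENTIAL_STORES = (
    "\\local state", "\\login data", "\\web data", "\\cookies",
    "msgstore.db", "\\whatsapp\\",
)
LEGITIMATE_OWNERS = ("chrome.exe", "msedge.exe", "brave.exe", "whatsapp.exe")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed telemetry (placeholder hosts, paths, SID and address; not real IoCs).
SUSPECT = "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
EVENTS = [
    {"host": "WS01", "id": 1, "image": SUSPECT, "pid": 4120},
    {"host": "WS01", "id": 4663, "image": SUSPECT, "pid": 4120,
     "object": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"host": "WS01", "id": 4663, "image": SUSPECT, "pid": 4120,
     "object": "C:\\Users\\alice\\AppData\\Roaming\\WhatsApp\\Databases\\msgstore.db"},
    {"host": "WS01", "id": 13, "image": SUSPECT, "pid": 4120,
     "target": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "WS01", "id": 3, "image": SUSPECT, "pid": 4120, "dest": "203.0.113.45:443"},
    # Benign activity on a second host: the browser reads its own store and an
    # installer sets a Run value. Neither should be flagged.
    {"host": "WS02", "id": 4663, "pid": 800,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "object": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"host": "WS02", "id": 13, "pid": 912,
     "image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe",
     "target": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]


def classify(event):
    """Map one event to an indicator label, or None if it matches nothing."""
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    if event["id"] == 4663:
        obj = event["object"].lower()
        if any(s in obj for s in CREDENTIAL_STORES) and exe not in LEGITIMATE_OWNERS:
            return "credential_store_access"
    elif event["id"] == 13 and RUN_KEY in event["target"].lower():
        return "run_key_persistence"
    elif event["id"] == 3 and exe not in LEGITIMATE_OWNERS:
        return "outbound_connection"
    return None


def correlate(events):
    """Group indicator labels by (host, image, pid) and return only the
    processes that combine credential-store access with another indicator."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[(ev["host"], ev["image"], ev["pid"])].add(label)
    return {key: sorted(labels) for key, labels in seen.items()
            if "credential_store_access" in labels and len(labels) >= 2}


if __name__ == "__main__":
    for (host, image, pid), labels in correlate(EVENTS).items():
        print(f"{host} pid {pid} {image}: {', '.join(labels)}")
```

Event 4663 only appears if a SACL auditing read access has been applied to the browser and WhatsApp profile directories, so that audit policy is a prerequisite for the file-access leg of this rule; the same grouping logic ports directly to a SIEM query keyed on host and process GUID.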

Response procedures:

1. Isolate affected systems immediately
2. Preserve memory dumps for forensic analysis
3. Rotate all credentials stored in browsers or WhatsApp on compromised systems
4. Conduct network-wide scanning for lateral movement indicators
5. Review authentication logs for suspicious access patterns


## Conclusion

AgingFly represents an evolution in targeting, away from indiscriminate attacks and toward precision credential theft against critical infrastructure. Ukrainian institutions remain under siege, and the sophistication of attacks will likely continue to escalate. Organizations worldwide should treat this as an early indicator of emerging threats and strengthen their credential hygiene and detection capabilities accordingly.

For the latest indicators of compromise and technical details, refer to advisories from CISA, the Ukrainian SSSCIP, and major cybersecurity vendors.

---

Last updated: April 2026 | Threat Level: HIGH | Geographic Focus: Ukraine (expanding)