Ukrainian emergency services and hospitals hit by espionage campaign using new AgingFly malware
Ukrainian hospitals and local governments were attacked by hackers using the AgingFly malware for espionage and cryptocurrency mining. The attackers spread the malware through phishing emails disguised as discussions of humanitarian aid, and used fake websites or embedded scripts to add credibility. The campaign was carried out by the group UAC-0247; separately, groups such as Fancy Bear also took part in operations against Ukrainian law enforcement.

2026-4-16 12:4:38 Author: therecord.media

Hackers have targeted Ukrainian hospitals and local government bodies in a new espionage campaign using a malware tool dubbed AgingFly, researchers say.

Ukraine’s computer emergency response team (CERT-UA) said the activity was carried out by a group tracked as UAC-0247, which launched multiple attacks over the past two months against municipal authorities, clinical hospitals and emergency medical services. 

The hackers attempted to steal sensitive data and, in some cases, exploit compromised systems to mine cryptocurrency, CERT-UA said.

The attacks typically began with phishing emails posing as discussions about proposals for humanitarian aid. Victims were asked to follow a link that led to the download of a malicious archive file.

To make the messages more convincing, attackers sometimes created websites for fake organizations — potentially generated using artificial intelligence — or embedded malicious scripts in otherwise legitimate websites.

Once opened, the archive installed multiple pieces of malware, including AgingFly, SilentLoop, ChromeElevator and ZapixDesk.

CERT-UA said AgingFly allows attackers to remotely control an infected computer, enabling them to execute commands, download files, capture screenshots, record keystrokes and run arbitrary code. Another tool, SilentLoop, can execute commands and retrieve the current address of the attackers’ command-and-control server via a Telegram channel.

The attackers also attempted to extract authentication credentials and other sensitive information from internet browsers using ChromeElevator, or from WhatsApp accounts using a tool called ZapixDesk.

In one case, investigators detected the use of XMRig, a legitimate cryptocurrency mining tool, suggesting attackers may have used victims’ computing resources to generate digital currency.

CERT-UA also warned that members of Ukraine’s Defense Forces could be targeted through similar tactics. In March, the agency received reports that attackers had distributed what they claimed was an updated software package for drone operators via the Signal messaging app. The archive file instead contained malware that installed AgingFly.

Earlier this week, Reuters reported that in a separate incident, Russia-linked hackers broke into more than 170 email accounts belonging to prosecutors and investigators in Ukraine, as well as targets in neighboring NATO countries and the Balkans. 

Cyber researchers at Ctrl-Alt-Intel attributed that campaign to the group known as APT28, also referred to as Fancy Bear, BlueDelta or Forest Blizzard.

Researchers said the hackers likely targeted Ukrainian law enforcement either to monitor investigations into Russian espionage activity or to gather potentially sensitive information about senior officials in Kyiv.

Recorded Future News contacted CERT-UA for additional comment on the Fancy Bear campaign but did not receive a response by the time of publication.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Article source: https://therecord.media/aging-fly-espionage-campaign-targets-ukraine-emergency-services