AGINGFLY
Intelligence Profile
According to CERT-UA, AGINGFLY is a C#-based remote-control tool that can execute commands, download files, capture screenshots, and run a keylogger, giving the operator effectively full remote control of an infected host. Its C2 channel runs over WebSockets with AES-CBC encryption. Unlike typical implants, the command handlers are not embedded in the binary: they are delivered from the C2 as C# source code and compiled on the host at runtime, so the full command set exists only in memory and cannot be recovered by static analysis of the dropped file alone. The malware is also observed in a multi-stage loader chain, with a stager that establishes the remote connection and covert execution, and it can use process injection to hide inside legitimate system processes.
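As an added triage example, not CERT-UA's or any vendor's detection logic, the script below scans the raw bytes of a .NET assembly for API names that a C# implant with the capabilities described above (WebSocket client, AES in CBC mode, runtime C# compilation, classic process injection) would typically reference, and rates the combination. The profile does not name the APIs AGINGFLY itself calls, so every indicator list is an assumption about how such an implant is commonly written; the sample "assemblies" are constructed byte blobs, not real files.

```python
"""Heuristic capability triage for a suspected runtime-compiling .NET implant.

Added example, not code from CERT-UA or from the malware. It looks for the
co-occurrence of capabilities the AGINGFLY profile describes. A hit is a
lead for deeper analysis (memory dump, ETW, compiler artifacts), not a verdict.
"""
from typing import Dict, List

# Indicator lists are ASSUMPTIONS about how a C# implant would implement the
# described features; they are not strings taken from AGINGFLY samples.
CAPABILITY_INDICATORS: Dict[str, List[str]] = {
    "websocket_c2": ["System.Net.WebSockets", "ClientWebSocket", "wss://", "ws://"],
    "aes_cbc": ["System.Security.Cryptography", "CipherMode",
                "CreateDecryptor", "CreateEncryptor"],
    "runtime_compile": ["CSharpCodeProvider", "CompileAssemblyFromSource",
                        "Microsoft.CodeAnalysis.CSharp", "CSharpCompilation"],
    "process_injection": ["OpenProcess", "VirtualAllocEx",
                          "WriteProcessMemory", "CreateRemoteThread"],
}


def _encodings(name: str) -> List[bytes]:
    # .NET metadata stores type/member names UTF-8 encoded in the #Strings
    # heap, while string literals live UTF-16LE in the #US heap; check both.
    return [name.encode("utf-8"), name.encode("utf-16-le")]


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return {capability: [matched indicator names]} for indicators found."""
    hits: Dict[str, List[str]] = {}
    for capability, names in CAPABILITY_INDICATORS.items():
        found = [n for n in names if any(enc in data for enc in _encodings(n))]
        if found:
            hits[capability] = found
    return hits


def assess(data: bytes) -> str:
    """Rate the blob: 'high', 'medium', 'low' or 'none'.

    Runtime compilation next to a network channel or injection primitives is
    the combination the profile describes; AES or WebSockets on their own are
    ubiquitous in legitimate software and only earn a low rating.
    """
    caps = set(find_indicators(data))
    if "runtime_compile" in caps and ({"websocket_c2", "process_injection"} & caps):
        return "high"
    if len(caps) >= 3:
        return "medium"
    if caps:
        return "low"
    return "none"


def _fake_assembly(metadata_names: List[str], user_strings: List[str]) -> bytes:
    # Constructed stand-in for a PE: an MZ stub, a pseudo #Strings heap
    # (UTF-8, NUL-separated) and a pseudo #US heap (UTF-16LE). No real PE or
    # CLI metadata structure; enough for a byte-search demo.
    blob = b"MZ" + b"\x00" * 62
    blob += b"\x00".join(n.encode("utf-8") for n in metadata_names) + b"\x00"
    blob += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in user_strings)
    return blob


# Constructed samples (not real AGINGFLY artifacts).
SUSPECT = _fake_assembly(
    ["System.Net.WebSockets", "ClientWebSocket", "System.Security.Cryptography",
     "CipherMode", "CreateDecryptor", "CSharpCodeProvider",
     "CompileAssemblyFromSource", "OpenProcess", "WriteProcessMemory",
     "CreateRemoteThread"],
    ["wss://example.invalid/ws"],  # placeholder endpoint, not a real C2
)
BENIGN = _fake_assembly(
    ["System.Security.Cryptography", "CipherMode", "CreateEncryptor",
     "System.IO.File"],
    ["config.json"],
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(f"{label}: {assess(blob)} {find_indicators(blob)}")
```

Run it against a real file with `assess(open(path, "rb").read())`. Because the handlers themselves are never on disk, a positive result here should be followed by a memory capture of the process, where the compiled handler assemblies and the decrypted C2 messages can actually be recovered.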
Threat Analysis
AGINGFLY is operated by an advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, the group behind AGINGFLY likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities, all hallmarks of a well-resourced operation consistent with nation-state backing.