APT / THREAT GROUP | 🕵️ ESPIONAGE | ADVANCED

AGINGFLY

2 aliases
Last seen: Jun 11, 2026

Intelligence Profile

According to CERT-UA, AGINGFLY is a C#-based remote-control tool that can execute commands, download files, capture screenshots, and run a keylogger, effectively enabling full remote control of an infected host. Its C2 communication uses WebSockets with AES-CBC encryption, and unlike typical implants, command handlers are not embedded in the binary; they are delivered from the C2 as source code and compiled at runtime. The malware also appears in a multi-stage loader chain, with a stager that establishes a remote connection and covert execution, and it can leverage process injection to hide in legitimate system processes.

Threat Analysis

AGINGFLY is an advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, AGINGFLY likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

Quick Facts

Type: APT / Threat Group
Motivation: 🕵️ espionage
Sophistication: advanced
Aliases: 2

Also Known As

win.agingfly
AGINGFLY

External Intelligence

Malpedia: win.agingfly

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.