Symbol: win.agingfly

AGINGFLY


According to CERT-UA, AGINGFLY is a C#-based remote-control tool that can execute commands, download files, capture screenshots, and run a keylogger, effectively enabling full remote control of an infected host. Its C2 communication uses WebSockets with AES-CBC encryption, and unlike typical implants, command handlers are not embedded in the binary; they are delivered from the C2 as source code and compiled at runtime. The malware also appears in a multi-stage loader chain, with a stager that establishes a remote connection and covert execution, and it can leverage process injection to hide in legitimate system processes.

References
2026-04-15, Cert-UA: Hospitals, local governments, and FPV operators are in the focus of the UAC-0247 (UAC-0244) cyber threat cluster
SILENTLOOP AGINGFLY Chisel Havoc xmrig

There is no Yara-Signature yet.