Apr 17, 2026 • SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 16
Executive Summary
U.S. authorities dismantled the W3LL phishing platform, disrupting a criminal ecosystem behind more than $20 million in attempted fraud, and two U.S. nationals were sentenced for facilitating a DPRK IT worker scheme that generated $5 million for North Korea. Separately, Ukraine's CERT-UA identified a new malware campaign, tracked as UAC-0247, that uses the AgingFly malware to target government and healthcare organizations via phishing. AgingFly enables remote control and data exfiltration and retrieves its command-and-control (C2) details through Telegram. Additionally, a critical authentication bypass vulnerability (CVE-2026-33032) in Nginx UI is being actively exploited for server takeover. Organizations should block execution of LNK, HTA, and JavaScript files, restrict abused Windows utilities such as PowerShell and mshta.exe, and immediately patch Nginx UI to prevent unauthorized access and reduce the risk of credential theft and state-sponsored espionage targeting critical infrastructure.
Summary
Authorities take down W3LL phishing ring, AgingFly malware steals Ukrainian government data, and actors exploit Nginx flaw to hijack servers.
Published Analysis
The Good | U.S. Authorities Seize W3LL Phishing Ring & Jail DPRK IT Worker Scheme Facilitators

The FBI has dismantled the "W3LL" phishing platform, seized its infrastructure, and arrested its alleged developer in its first joint crackdown on a phishing kit developer together with Indonesian authorities. Sold for $500 per kit, W3LL let criminals clone login portals, steal credentials, bypass MFA using adversary-in-the-middle (AiTM) techniques, and launch business email compromise (BEC) attacks.

The W3LL Store interface (Source: Group-IB)

Through the W3LL Store marketplace, more than 25,000 compromised accounts were sold, fueling over $20 million in attempted fraud. Even after the storefront shut down in 2023, the operation continued through encrypted channels under new branding. Because W3LL gave cybercriminals an end-to-end phishing service, it was ultimately used against more than 17,000 victims worldwide.
Investigators say the takedown disrupted a major criminal ecosystem that helped more than 500 threat actors steal access, hijack accounts, and commit financial fraud.

Separately, the DoJ announced that two U.S. nationals have been sentenced for helping North Korean IT workers pose as American residents and secure remote jobs at more than 100 U.S. companies, including Fortune 500 firms. Court documents note that between 2021 and 2024 the scheme generated over $5 million for the DPRK and caused about $3 million in losses to victim companies. The defendants used the stolen identities of more than 80 U.S. citizens, created fake companies and financial accounts, and hosted company-issued laptops in U.S. homes so North Korean workers could covertly access corporate networks. U.S. officials said the operation endangered national security by placing DPRK operatives inside American businesses. Kejia Wang was sentenced to nine years in prison and Zhenxing Wang to more than seven. Authorities say the broader network remains active, with additional suspects still at large, as North Korea continues to use fraudulent remote workers to fund government operations and evade sanctions.

The Bad | New "AgingFly" Malware Breaches Ukrainian Governments & Hospitals

Ukraine's CERT-UA has uncovered a new malware campaign using a toolset called "AgingFly" to target local governments, hospitals, and possibly Ukrainian defense personnel. The campaign, tracked as UAC-0247, begins with phishing emails disguised as humanitarian aid offers that lure victims into opening malicious shortcut (LNK) files. These files trigger a chain of scripts and loaders that ultimately deploy AgingFly, a C# malware strain that gives attackers remote control of infected systems.

Example of the infection chain (Source: CERT-UA)

Once installed, AgingFly can execute commands, steal files, capture screenshots, log keystrokes, and deploy additional payloads.
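The chain just described (a shortcut opened from a user session, script hosts such as mshta.exe and PowerShell, a loader, a C# payload that compiles handlers on the host and reaches Telegram for its C2 details) shows up in endpoint telemetry as a process tree rather than as a file hash. The script below is an added example, written for this page and not taken from the SentinelOne post or from CERT-UA's report: it runs three behavioural heuristics over constructed Sysmon-style process-creation and network-connection events. The sample events, the field names, the allowlists of build tools and browsers, and the assumption that the malware reaches Telegram through the public HTTPS API host api.telegram.org are all this example's own, not indicators published for the campaign.

```python
"""Process-tree heuristics for an AgingFly-style intrusion chain.

The events below are CONSTRUCTED Sysmon-style records (id 1 = process create,
id 3 = network connect) with simplified field names; they are not real
telemetry. The allowlists and the api.telegram.org host are assumptions made
for this example, not indicators from the CERT-UA report.
"""
from collections import Counter

SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # shortcut target: cmd.exe launching an HTA dropped in Downloads
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c mshta.exe C:\Users\alice\Downloads\aid_form.hta"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\alice\Downloads\aid_form.hta"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "cmd": "updater.exe"},
    # the implant compiling downloaded handler source with the .NET Framework compiler
    {"id": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r"csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\abc.cmdline"},
    {"id": 3, "pid": 500, "image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "dst_host": "api.telegram.org", "dst_port": 443},
    # benign noise: a developer build and a browser visiting Telegram
    {"id": 1, "pid": 700, "ppid": 100, "image": r"C:\Program Files\dotnet\dotnet.exe", "cmd": "dotnet build"},
    {"id": 1, "pid": 710, "ppid": 700, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": "csc.exe /noconfig ..."},
    {"id": 3, "pid": 800, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "api.telegram.org", "dst_port": 443},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Assumption: site-specific allowlist of parents that legitimately start the C# compiler.
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
# Assumption: processes expected to talk to Telegram on a workstation.
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "telegram.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(procs, pid, max_depth=32):
    """Image names from the process itself up to the root, nearest first."""
    chain = []
    while pid in procs and len(chain) < max_depth:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def analyze(events):
    """Return one alert dict per heuristic hit over a batch of events."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if e["id"] == 1:
            cmd = e["cmd"].lower()
            lineage = ancestors(procs, e["pid"])
            # 1. Script host under an interactive session (explorer.exe in the lineage,
            #    as when a shortcut is double-clicked) with its payload in a
            #    user-writable path or passed as an encoded command.
            if (name in SCRIPT_HOSTS and "explorer.exe" in lineage
                    and (any(p in cmd for p in USER_WRITABLE) or "-enc" in cmd)):
                alerts.append({"rule": "script_host_from_user_path", "pid": e["pid"],
                               "image": name, "parents": lineage[1:]})
            # 2. C# (or VB) compiler started by something other than a build tool.
            #    Assumption: compiling downloaded source via CodeDOM spawns csc.exe.
            parent = basename(procs[e["ppid"]]["image"]) if e["ppid"] in procs else "?"
            if name in {"csc.exe", "vbc.exe"} and parent not in DEV_PARENTS:
                alerts.append({"rule": "runtime_csharp_compile", "pid": e["pid"],
                               "image": name, "parents": lineage[1:]})
        elif e["id"] == 3:
            # 3. Non-browser, non-client process connecting to Telegram infrastructure.
            host = e["dst_host"].lower()
            if host.endswith("telegram.org") and name not in EXPECTED_TELEGRAM_CLIENTS:
                alerts.append({"rule": "telegram_from_non_browser", "pid": e["pid"],
                               "image": name, "host": host})
    return alerts


def summarize(alerts):
    """Alert count per rule, for a one-line triage summary."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(summarize(found))
```

On the constructed events this flags mshta.exe and the encoded PowerShell under explorer.exe, csc.exe spawned by the loader, and the loader's connection to api.telegram.org, while the developer's compile and the browser's Telegram traffic stay quiet. Each rule on its own is noisy in a real estate (developers, admins with encoded commands, legitimate Telegram users); the value is in correlating them on the same process lineage within a short window, which is the view that outlives any one hash or domain.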
It also uses PowerShell scripts to update its configuration and to retrieve command-and-control (C2) server details through Telegram, which keeps the malware flexible and persistent. One notable feature is that it downloads pre-built command handlers as source code from the server and compiles them directly on the infected machine, reducing its static footprint and helping it evade signature-based detection tools.

Investigators found that the attackers use open-source tools such as ChromElevator to steal saved passwords and cookies from Chromium-based browsers, and ZAPiDESK to decrypt WhatsApp data. Additional tools such as RustScan, Ligolo-ng, and Chisel support reconnaissance, tunneling, and lateral movement across compromised networks. CERT-UA says the campaign has impacted at least a dozen organizations and may also have targeted members of Ukraine's defense forces.

To reduce exposure, the agency recommends blocking the execution of LNK, HTA, and JavaScript files, along with restricting trusted Windows utilities such as PowerShell and mshta.exe that are abused in the attack chain. These controls address the delivery stage; the later stages described above (on-host compilation of downloaded source, C2 lookups via a legitimate service, and the tunneling tools) call for process- and network-level monitoring rather than file-type blocks alone.

The Ugly | Attackers Exploit Nginx...
Linked Entities
- AgingFly
- UAC-0247
- CVE-2026-33032