Week 16 Roundup: FBI Dismantles W3LL Phishing Empire, AgingFly Malware Hits Ukraine, and Critical Nginx UI Flaw Exploited
The FBI has dismantled the W3LL phishing platform and arrested its developer, while Ukraine's CERT-UA warns of the AgingFly malware campaign targeting government and healthcare, and attackers actively exploit a critical Nginx UI vulnerability (CVE-2026-33032) for full server takeover.

This week in cybersecurity saw major law enforcement action, a new malware campaign targeting Ukrainian infrastructure, and active exploitation of a critical vulnerability in Nginx UI. The FBI, in coordination with Indonesian authorities, dismantled the W3LL phishing platform, arresting its alleged developer and seizing infrastructure used to sell phishing kits for $500 each. The platform enabled over 500 threat actors to clone login portals, bypass multi-factor authentication using adversary-in-the-middle techniques, and sell more than 25,000 compromised accounts, fueling over $20 million in attempted fraud. Even after the storefront shut down in 2023, the operation continued through encrypted channels under new branding, impacting over 17,000 victims worldwide.
Separately, two U.S. nationals were sentenced for helping North Korean IT workers pose as American residents to secure remote jobs at more than 100 U.S. companies, including Fortune 500 firms. Between 2021 and 2024, the scheme generated over $5 million for the Democratic People's Republic of Korea (DPRK) and caused about $3 million in losses to victim companies. The defendants used stolen identities from over 80 U.S. citizens, created fake companies and financial accounts, and hosted company-issued laptops in U.S. homes so North Korean workers could secretly access corporate networks. Kejia Wang received nine years in prison, while Zhenxing Wang was sentenced to over seven years.
In Ukraine, CERT-UA uncovered a new malware campaign using a toolset called "AgingFly" to target local governments, hospitals, and possibly Ukrainian defense personnel. The activity, attributed to a cluster tracked as UAC-0247, begins with phishing emails disguised as humanitarian aid offers that lure victims into opening malicious shortcut (LNK) files. These files trigger a chain of scripts and loaders that ultimately deploy AgingFly, a C# backdoor that gives attackers remote control of infected systems. Once installed, AgingFly can execute commands, steal files, capture screenshots, log keystrokes, and deploy additional payloads. It uses PowerShell scripts to update its configuration and to retrieve command-and-control (C2) server details through Telegram, a dead-drop pattern that lets operators rotate C2 infrastructure without redeploying the implant and helps it remain flexible and persistent.
A notable feature of AgingFly is that it downloads command handlers from the server as C# source code and compiles them on the infected machine at run time, so the on-disk implant carries little of the malicious logic; this reduces its static footprint and helps it evade signature-based detection, though the compilation step itself leaves telemetry (compiler processes, temporary source and assembly files) that defenders can hunt for. Investigators found the attackers using open-source tools such as ChromElevator to steal saved passwords and cookies from Chromium-based browsers and ZAPiDESK to decrypt WhatsApp data, while RustScan, Ligolo-ng, and Chisel support reconnaissance, tunneling, and lateral movement across compromised networks. CERT-UA says the campaign has affected at least a dozen organizations and may also have targeted members of Ukraine's defense forces.
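The two behaviours above, a script host pulling C2 details from Telegram and a C# compiler being launched on an end-user host, are both visible in ordinary process and network telemetry. The hunt below is an added example written for this roundup, not CERT-UA's tooling or anything from the AgingFly samples; the event shape, the host name `api.telegram.org`, the compiler names `csc.exe`/`vbc.exe`, and the allow-listed build parents are assumptions, and in-memory Roslyn compilation would not produce the compiler process event at all.

```python
"""Hunt constructed process telemetry for two behaviours the AgingFly write-up
describes: a script host retrieving C2 details via Telegram, and C# command
handlers being compiled on the victim host.

Added example, not CERT-UA's tooling. Assumptions not taken from the page:
Sysmon-like JSON events, api.telegram.org as the Telegram API host, and
csc.exe/vbc.exe as the on-host compiler (in-memory Roslyn compilation would
not produce this process event)."""
import json
from collections import defaultdict

# Constructed sample telemetry (one JSON event per line), not real logs.
SAMPLE_EVENTS = r"""
{"host":"ws-17","event":"ProcessCreate","pid":4120,"image":"C:\\Windows\\explorer.exe","parent":"C:\\Windows\\System32\\userinit.exe"}
{"host":"ws-17","event":"ProcessCreate","pid":5002,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"host":"ws-17","event":"NetworkConnect","pid":5002,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest_host":"api.telegram.org","dest_port":443}
{"host":"ws-17","event":"ProcessCreate","pid":5090,"image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","parent":"C:\\Users\\Public\\svc\\updater.exe"}
{"host":"dev-03","event":"ProcessCreate","pid":7741,"image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","parent":"C:\\Program Files\\dotnet\\dotnet.exe"}
{"host":"dev-03","event":"NetworkConnect","pid":8001,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"api.telegram.org","dest_port":443}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# Parents under which a compiler launch is expected; assumed-benign, tune per fleet.
BUILD_PARENTS = {"dotnet.exe", "msbuild.exe", "devenv.exe", "vbcscompiler.exe"}
RULE_TELEGRAM = "script_host_to_telegram"
RULE_COMPILER = "compiler_spawned_outside_build_chain"


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(lines):
    """Return one finding per matching event, in input order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        image = basename(ev.get("image", ""))
        if ev["event"] == "NetworkConnect" and image in SCRIPT_HOSTS:
            dest = ev.get("dest_host", "").lower()
            if dest == "telegram.org" or dest.endswith(".telegram.org"):
                findings.append({"host": ev["host"], "pid": ev["pid"],
                                 "rule": RULE_TELEGRAM, "detail": dest})
        elif ev["event"] == "ProcessCreate" and image in COMPILERS:
            parent = basename(ev.get("parent", ""))
            if parent not in BUILD_PARENTS:
                findings.append({"host": ev["host"], "pid": ev["pid"],
                                 "rule": RULE_COMPILER, "detail": ev.get("parent", "")})
    return findings


def hosts_with_both(findings):
    """Hosts where both behaviours fired; either alone is a lead, together they are a priority."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["rule"])
    return sorted(h for h, rules in seen.items() if {RULE_TELEGRAM, RULE_COMPILER} <= rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS.splitlines())
    for f in found:
        print(f"{f['host']} pid={f['pid']} {f['rule']}: {f['detail']}")
    print("escalate:", hosts_with_both(found))
```

On the constructed sample, the developer workstation `dev-03` produces no findings: its compiler launch sits under `dotnet.exe` and the Telegram connection comes from a browser, which is exactly the noise a fleet-wide rule has to tolerate. The correlation in `hosts_with_both` is what turns two individually weak signals into something worth paging on.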
Finally, a critical vulnerability in Nginx UI, tracked as CVE-2026-33032, is being actively exploited in the wild to achieve full server takeover without authentication. The flaw stems from the /mcp_message endpoint that is exposed when Model Context Protocol (MCP) support is enabled: it does not enforce authentication, so remote attackers can invoke privileged MCP functions, including modifying configuration files, restarting services, and forcing reloads, and thereby take complete control of the nginx instances the UI manages. Security researchers report that exploitation requires only network reachability: the attacker opens a session via Server-Sent Events (SSE) and then sends unauthenticated requests to the vulnerable endpoint.
The vulnerability was fixed in version 2.3.4 shortly after disclosure, and 2.3.6 is now the recommended release. Exploitation in the wild has been confirmed and proof-of-concept code is publicly available. Nginx UI is widely deployed, with over 11,000 GitHub stars and hundreds of thousands of Docker pulls, and scans suggest roughly 2,600 exposed instances remain unpatched globally. Organizations are urged to update immediately and, until they do, to keep the management interface off the public internet, since an attacker who can reach it needs nothing more than unauthenticated HTTP requests to gain persistent control over the web infrastructure behind it.
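Because the endpoint is unauthenticated, patching alone does not answer whether anyone used it before the upgrade. The script below is an added example for this roundup, not code from the Nginx UI project or the researchers who reported the flaw: it hunts reverse-proxy access logs for requests to the MCP endpoints and separates internet sources whose requests were accepted from those that were rejected. It assumes nginx's combined log format, that `/mcp_message` (the only path the page names) and any other path under `/mcp` (assumed to include the SSE session endpoint) are the relevant routes, and that 10/8, 172.16/12 and 192.168/16 are the organisation's admin networks; the log lines are constructed.

```python
"""Hunt reverse-proxy/web access logs for use of the Nginx UI MCP endpoint
(CVE-2026-33032). Added example, not Nginx UI project code.

Assumptions not taken from the page: nginx combined log format; /mcp_message
as the message endpoint (the only path the page names), plus any other path
under /mcp on the assumption the SSE session endpoint lives there; and that
10/8, 172.16/12 and 192.168/16 are the organisation's admin networks."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines, not real traffic. Documentation ranges
# (203.0.113.0/24, 198.51.100.0/24) stand in for internet sources.
SAMPLE_LOG = """
10.0.0.5 - - [12/Apr/2026:09:14:02 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Apr/2026:09:15:11 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.44 - - [12/Apr/2026:09:15:12 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 202 0 "-" "python-requests/2.32.3"
203.0.113.44 - - [12/Apr/2026:09:15:13 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 202 0 "-" "python-requests/2.32.3"
10.0.0.5 - - [12/Apr/2026:09:20:40 +0000] "GET /api/configs HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2026:11:02:09 +0000] "POST /mcp_message HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ADMIN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MCP_PREFIX = "/mcp"
REJECTED = {401, 403}  # statuses showing authentication actually stood in the way


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string (e.g. sessionId)
    return rec


def is_admin_source(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def summarize(lines):
    """Per-source summary of requests to the MCP endpoints."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MCP_PREFIX):
            continue
        e = per_ip.setdefault(rec["ip"], {
            "hits": 0, "admin_source": is_admin_source(rec["ip"]),
            "statuses": set(), "paths": set(), "agents": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        e["hits"] += 1
        e["statuses"].add(rec["status"])
        e["paths"].add(f'{rec["method"]} {rec["path"]}')
        e["agents"].add(rec["ua"])
        e["last"] = rec["ts"]  # assumes the log is in chronological order
    return per_ip


def likely_compromised(summary):
    """Non-admin sources whose MCP requests were not rejected. Treat the host as
    compromised and review its nginx configuration, not just patch it."""
    return sorted(ip for ip, e in summary.items()
                  if not e["admin_source"] and (e["statuses"] - REJECTED))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for ip, e in s.items():
        print(ip, e["hits"], sorted(e["statuses"]), sorted(e["paths"]), e["first"], "->", e["last"])
    print("likely compromised:", likely_compromised(s))
```

In the sample, `203.0.113.44` opens a session and posts two messages that are accepted, so it goes on the compromised list, while `198.51.100.7` was turned away with a 401, which is what a patched instance (or one fronted by proxy authentication) should produce. Anything the script flags deserves a diff of the live nginx configuration against a known-good copy, since the exploit's stated capability is editing config and reloading.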