AGINGFLY is a sophisticated C#-based remote access trojan that gives attackers full control over infected Windows computers. First identified by CERT-UA, this malware stands out because it doesn't carry all its attack code inside the executable — instead, it downloads new commands from a remote server and compiles them on your machine in real time. That design makes it harder for traditional antivirus tools to detect, and it means the malware can adapt quickly without reinstalling. If AGINGFLY gets onto your system, an attacker can quietly capture everything you type, take screenshots, download files, and run any command they choose.

Think you're infected right now? Disconnect from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not log into banking, email, or any account until the machine is cleaned. Call us at (770) 637-9142 or bring your computer to our Roswell shop — we can isolate the threat and recover your data safely.

Threat Profile

Threat Name: AGINGFLY
Type: Remote Access Trojan (RAT) / Backdoor
Platform: Windows (PE executable)
Language: C# (.NET Framework)
First Documented: 2025 (CERT-UA advisories)
Communication Protocol: WebSocket over HTTPS
Encryption: AES-CBC (128-bit or 256-bit)
Payload Delivery: Runtime compilation (C# source code from C2)
Known Aliases: AGINGFLY (no widespread alternate names)
Infection Vector: Multi-stage loader, phishing attachments, exploit kits
Typical File Size: Varies (stager: 50–150 KB; full payload: 200–600 KB)
Detection Rate: Moderate to low (dynamic compilation evades static signatures)

How It Spreads

AGINGFLY arrives through multi-stage infection chains. The first stage is usually a small loader or stager — a compact executable that may be hidden inside a malicious Office document, a fake software installer, or a phishing email attachment. Once that stager runs, it reaches out to a command-and-control server over an encrypted WebSocket connection, downloads the next stage, and injects it into memory or a legitimate Windows process. Because the final payload is compiled on the fly from C# source code, the initial dropper often looks benign to antivirus scanners.

We've seen AGINGFLY distributed through targeted phishing campaigns, especially those impersonating business invoices, shipping notices, or IT support messages. In some cases, attackers exploit vulnerabilities in unpatched software or use social-engineering tricks to convince users to disable security warnings. The malware can also be bundled with pirated software, fake browser updates, or trojanized utilities downloaded from sketchy websites.

Common distribution methods include:

  • Phishing emails with malicious Office macros or disguised executables
  • Fake software installers for popular applications (video players, PDF readers, system optimizers)
  • Exploit kits targeting unpatched browsers or plugins
  • Compromised websites hosting drive-by downloads
  • Malvertising redirecting users to payload-hosting infrastructure
  • RDP brute-force attacks on exposed Windows servers, followed by manual deployment

What It Does On Your Machine

Once AGINGFLY establishes a foothold, it installs a persistent backdoor that survives reboots. The malware typically injects itself into a legitimate Windows process (such as explorer.exe, svchost.exe, or dllhost.exe) to hide from Task Manager and casual inspection. It opens an encrypted WebSocket connection to the attacker's command-and-control server and waits for instructions. Unlike traditional RATs, AGINGFLY doesn't ship with a fixed set of commands — instead, the C2 server sends C# source code as plain text, which the malware compiles in memory using the .NET runtime and then executes. This means the attacker can deploy new capabilities on the fly without updating the binary.

The malware can capture keystrokes, take screenshots at regular intervals, enumerate running processes and installed software, download files from your hard drive, upload additional tools or payloads, and execute arbitrary shell commands. Because it operates through process injection and in-memory compilation, it leaves a light forensic footprint on disk. The encrypted C2 channel makes it difficult for network monitoring tools to identify malicious traffic — the connection often appears as benign HTTPS activity.

Persistence mechanisms vary, but common tactics include registry Run keys, scheduled tasks, and COM hijacking. The malware may also disable Windows Defender real-time protection or add exclusions to avoid detection during subsequent reboots. In sandbox environments, AGINGFLY exhibits the following behavior:

  # Registry persistence (observed in sandbox)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SystemUpdate = "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\SystemUpdate\sysupd.exe"

  # Process injection target
  C:\Windows\explorer.exe ; hollowed or injected with payload DLL

  # Network activity
  WebSocket connection to: wss://185.*.*.*/ws ; C2 endpoint (IP redacted)
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ; mimics browser traffic

  # Compiled module cache (observed)
  C:\Users\%USERNAME%\AppData\Local\Temp\*.tmp.dll ; ephemeral, deleted after execution

Because command handlers are compiled at runtime, you won't find traditional malware payloads sitting in predictable directories. The malware's modular design means that one infected machine might be used for credential theft, while another serves as a relay node or spam bot — all controlled by the same core implant.

Manual Removal — Step by Step

Manual removal of AGINGFLY requires patience and attention to detail. If you're not confident working in Safe Mode or editing the registry, bring your computer to our shop and we'll handle it safely. Here's the full procedure:

01. Disconnect from the Internet

Unplug your Ethernet cable or turn off Wi-Fi. This stops the malware from receiving new commands or exfiltrating data while you work. Leave the machine disconnected until the entire removal process is complete.

02. Boot into Safe Mode with Networking

Restart the computer and press F8 repeatedly before Windows loads (or use Shift + Restart from the login screen on Windows 10/11, then Troubleshoot → Advanced options → Startup Settings → Restart → press 4 or F4). Safe Mode loads only essential drivers, which often prevents the malware from starting.

03. Open Task Manager and End Suspicious Processes

Press Ctrl+Shift+Esc. Look for unfamiliar processes with random names, especially those running from %AppData%\Roaming or %LocalAppData%. Right-click and choose "End task." Note the file path — you'll need it in a moment. Because AGINGFLY often injects into legitimate processes, you may not see an obvious malicious name. Check for multiple instances of explorer.exe or svchost.exe running under your user account.

04. Delete the Malware Executables

Navigate to the file paths you noted. Common locations include C:\Users\[YourName]\AppData\Roaming\Microsoft\SystemUpdate\, C:\Users\[YourName]\AppData\Local\Temp\, and sometimes C:\ProgramData\. Delete any suspicious .exe or .dll files. You may need to take ownership of the files (right-click → Properties → Security → Advanced) if Windows blocks deletion.

05. Clean the Registry

Press Win+R, type regedit, and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to the malware executables. Right-click and delete them. Also check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and scheduled tasks in Task Scheduler (taskschd.msc).

06. Clear Temporary Files

Press Win+R, type %temp%, and press Enter. Select all files (Ctrl+A) and delete them. Some may be in use and cannot be removed — that's normal. Repeat for C:\Windows\Temp. This removes ephemeral DLLs that AGINGFLY compiles at runtime.

07. Run a Full Scan with Multiple Tools

Download and run Malwarebytes (free trial is sufficient) and ESET Online Scanner or Kaspersky Virus Removal Tool. Run full scans with both. Because AGINGFLY uses runtime compilation, a single antivirus engine may miss components. Update definitions before scanning.

08. Check Browser Extensions and Reset Settings

AGINGFLY can install malicious browser extensions or modify homepage/search settings. Open Chrome, Edge, or Firefox, go to extensions/add-ons, and remove anything unfamiliar. Reset browser settings to default (usually under Settings → Advanced → Reset). Clear cookies and saved passwords, since the keylogger may have captured them.

09. Change All Passwords from a Clean Device

Do not change passwords on the infected machine. Use your phone or a different computer to reset passwords for email, banking, social media, and any other accounts you accessed while infected. Enable two-factor authentication wherever possible.

10. Monitor for Reinfection

Restart the computer normally (not Safe Mode). Watch Task Manager and network activity for a day or two. If you see the same suspicious processes reappear, or if your antivirus flags new threats, the malware may have reinstalled from a backup location or a rootkit component. In that case, professional remediation is the safest path.
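The sandbox notes in "What It Does On Your Machine" and steps 03 through 06 above check the same handful of places by hand. The following read-only PowerShell triage script is an added example (it is not part of the original article and not a CERT-UA tool) that collects those indicators in one pass: Run/RunOnce values and scheduled tasks launching from user-writable directories, leftover *.tmp.dll files in Temp, more than one explorer.exe per user, and Defender path exclusions. The "SystemUpdate" value name and the directory names come from the article; the function and variable names are assumptions of this example.

```powershell
# Added triage example, not from the article. Read-only: it reports, never deletes.
# "SystemUpdate" and the directory names are the article's; other names are assumed.
$suspectDirs = '\AppData\Roaming\', '\AppData\Local\', '\Temp\', '\ProgramData\'
function Test-SuspectPath {
    param([string]$Path)
    foreach ($d in $suspectDirs) { if ($Path -like "*$d*") { return $true } }
    return $false
}
function New-Hit($Check, $Where, $Name, $Value) {
    [pscustomobject]@{ Check = $Check; Where = $Where; Name = $Name; Value = $Value }
}

# 1. Run / RunOnce values in both hives (removal step 05).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ($p.Name -eq 'SystemUpdate' -or (Test-SuspectPath $p.Value)) {
            New-Hit 'RunKey' $key $p.Name $p.Value
        }
    }
}

# 2. Scheduled tasks whose action launches from a user-writable directory (step 05).
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-SuspectPath $a.Execute)) {
            New-Hit 'Task' $task.TaskPath $task.TaskName $a.Execute
        }
    }
}

# 3. Ephemeral compiled modules left in Temp (*.tmp.dll in the sandbox notes; step 06).
foreach ($dir in $env:TEMP, "$env:SystemRoot\Temp") {
    Get-ChildItem -Path $dir -Filter '*.tmp.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Hit 'TempDll' $dir $_.Name $_.LastWriteTime }
}

# 4. More than one explorer.exe owned by the same user (injection target; step 03).
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    ForEach-Object { (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User } |
    Where-Object { $_ } | Group-Object | Where-Object Count -gt 1 |
    ForEach-Object { New-Hit 'Explorer' $_.Name 'instances' $_.Count }

# 5. Defender path exclusions, which the malware may add to avoid being scanned.
(Get-MpPreference).ExclusionPath | Where-Object { $_ } |
    ForEach-Object { New-Hit 'DefenderExclusion' 'Get-MpPreference' 'ExclusionPath' $_ }
```

Run it from an elevated PowerShell window (the HKLM keys, other users' processes and Defender settings need admin rights) before you delete anything in steps 04 to 06; every line it prints is a lead to look at, not a verdict, since legitimate software also installs under AppData and ProgramData.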

Prevention

The best defense is a layered approach. No single tool or habit will stop every threat, but these measures together reduce your risk significantly:

  1. Keep Windows and all software up to date. Enable automatic updates for the operating system, browsers, Office, Java, and Adobe products. Exploit kits often target outdated software.
  2. Use a reputable antivirus with real-time protection. Windows Defender is adequate if kept updated, but consider a third-party solution like ESET, Kaspersky, or Bitdefender for deeper behavioral analysis.
  3. Be skeptical of email attachments and links. Don't open Office documents or executables from unknown senders. Hover over links to check the actual URL before clicking. If an email claims to be from your bank or a shipping company, navigate to their website directly rather than clicking the link.
  4. Disable macros in Office by default. Most legitimate documents don't require macros. If a document prompts you to "enable content" or "enable editing," treat it as suspicious.
  5. Use a standard (non-administrator) account for daily tasks. Malware that runs without admin privileges has a harder time modifying system files or installing persistent backdoors.
  6. Enable a software firewall and consider DNS filtering. Tools like Pi-hole or OpenDNS can block known-bad domains at the network level, preventing C2 connections even if malware reaches your machine.
  7. Back up critical files regularly to an offline or cloud location. If ransomware or a wiper payload hits, you can restore your data without paying a ransom or losing everything.
  8. Educate yourself and your household or employees. Social engineering is the weakest link. A few minutes of training can prevent months of cleanup and recovery.

Our 90-Day Warranty: When we remove malware from your computer, we guarantee it stays gone. If the same threat comes back within 90 days, bring it in and we'll re-clean it at no charge. We stand behind our work — and we'll show you how to keep your system safe going forward.

Bring It In

If you're dealing with AGINGFLY — or any stubborn infection — you don't have to tackle it alone. Manual removal is time-consuming and error-prone, and one missed registry key or hidden DLL can mean the malware comes roaring back. At Computer Repair Roswell, we handle these infections every week. We'll scan your system with professional-grade tools, remove every trace of the threat, recover your files if needed, and patch the vulnerabilities that let it in. We also offer a no-obligation diagnostic, so you'll know exactly what's wrong and what it'll cost before we start work.

Call us at (770) 637-9142 or stop by our shop in Roswell. We're open six days a week, and most malware removals are completed within 24 hours. Bring your machine in and we'll get you back to normal — safely, completely, and with the peace of mind that comes from a 90-day clean-system guarantee.