Cybercriminals Pose as CERT-UA, Spread AGEWHEEZE Malware in Phishing Campaign Targeting Multiple Sectors

Cybercriminals Impersonate CERT-UA to Distribute AGEWHEEZE Malware in Massive Phishing Campaign

In a recent cybersecurity incident, the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a sophisticated phishing campaign where attackers impersonated the agency to disseminate a remote access trojan (RAT) known as AGEWHEEZE. This operation, attributed to the threat actor group UAC-0255, targeted a wide array of organizations, including state institutions, medical centers, security firms, educational bodies, financial entities, and software development companies.

Phishing Tactics and Malware Deployment

On March 26 and 27, 2026, UAC-0255 initiated the campaign by sending emails that appeared to originate from CERT-UA. These emails, some dispatched from the address incidents@cert-ua[.]tech, urged recipients to install specialized software by downloading a password-protected ZIP archive hosted on Files.fm. The archive, labeled CERT_UA_protection_tool.zip, contained the AGEWHEEZE malware masquerading as legitimate security software.

AGEWHEEZE: A Multifunctional Remote Access Trojan

AGEWHEEZE is a Go-based RAT that establishes communication with an external server at 54.36.237[.]92 via WebSockets. It offers a comprehensive suite of capabilities, including:

– Executing system commands
– Performing file operations
– Modifying clipboard contents
– Emulating mouse and keyboard inputs
– Capturing screenshots
– Managing processes and services

To maintain persistence on infected systems, AGEWHEEZE employs methods such as creating scheduled tasks, altering Windows Registry entries, or adding itself to the Startup directory.
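The indicators in this write-up (the spoofed sender and lookalike domain, the archive name, the WebSocket server address, and the three persistence locations) can be turned into a simple triage check. The following Python script is an added example, not code from the article or from CERT-UA: the indicator values are the ones quoted above, kept defanged as published and refanged at load time, while the `type key=value` log format and every sample line are constructed for the demonstration. It goes slightly beyond the text by also flagging subdomains of the lookalike domain, which is how a defender would normally match a sender domain.

```python
"""Triage matcher for the AGEWHEEZE indicators described above (added example)."""
import re
from dataclasses import dataclass

# Indicators quoted in the write-up, stored defanged exactly as published.
IOCS_DEFANGED = {
    "sender": "incidents@cert-ua[.]tech",
    "domain": "cert-ua[.]tech",
    "archive": "CERT_UA_protection_tool.zip",
    "c2_ip": "54.36.237[.]92",
}

def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]') back into its matchable form."""
    return value.replace("[.]", ".")

IOCS = {name: refang(value).lower() for name, value in IOCS_DEFANGED.items()}

# Standard Windows persistence locations matching the three methods named in the text.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)

# Constructed log format: '<type> key=value key="quoted value" ...'
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    line_no: int
    event_type: str
    detail: str

def parse_line(line: str) -> dict:
    """Split one constructed log line into its event type and key/value fields."""
    event_type, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["type"] = event_type
    return fields

def check_mail(ev: dict):
    sender = ev.get("from", "").lower()
    domain = sender.rpartition("@")[2]
    if sender == IOCS["sender"]:
        return "known phishing sender"
    if domain == IOCS["domain"] or domain.endswith("." + IOCS["domain"]):
        return "lookalike CERT-UA domain"
    return None

def check_network(ev: dict):
    if ev.get("dst", "").lower() == IOCS["c2_ip"]:
        return "connection to AGEWHEEZE server address"
    if IOCS["archive"] in ev.get("uri", "").lower():
        return "download of the malicious archive name"
    return None

def check_persistence(ev: dict):
    if ev["type"] == "registry" and RUN_KEY_RE.search(ev.get("key", "")):
        return "Run key modified (registry persistence)"
    if ev["type"] == "file" and STARTUP_DIR_RE.search(ev.get("path", "")):
        return "file dropped in Startup folder"
    if ev["type"] == "process" and SCHTASKS_RE.search(ev.get("cmdline", "")):
        return "scheduled task created"
    return None

RULES = {
    "mail": check_mail, "proxy": check_network, "net": check_network,
    "registry": check_persistence, "file": check_persistence, "process": check_persistence,
}

def scan(log_text: str) -> list:
    """Run every applicable rule over each line and return the findings in order."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        ev = parse_line(line)
        rule = RULES.get(ev["type"])
        hit = rule(ev) if rule else None
        if hit:
            findings.append(Finding(line_no, ev["type"], hit))
    return findings

# Constructed sample events: hosts, user names, URIs and the benign lines are invented;
# only the indicator values come from the write-up.
SAMPLE_LOGS = r"""
mail from=incidents@cert-ua.tech to=staff@example.org subject="Install CERT-UA protection tool"
mail from=alerts@mail.cert-ua.tech to=staff@example.org subject="Security update"
mail from=ops@example.org to=staff@example.org subject="Lunch"
proxy src=10.0.0.15 dst=files.fm uri=/u/abc123/CERT_UA_protection_tool.zip status=200
net src=10.0.0.15 dst=54.36.237.92 dport=443 proto=tcp app=websocket
net src=10.0.0.15 dst=198.51.100.7 dport=443 proto=tcp app=tls
registry image=C:\Users\alice\AppData\Roaming\svc.exe op=SetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
file image=C:\Users\alice\AppData\Roaming\svc.exe op=Create path="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"
process image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\svc.exe"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no:>2} [{f.event_type}] {f.detail}")
```

Run as-is it prints seven findings for the nine sample lines; the persistence rules are deliberately generic (any Run key write, Startup-folder drop or `schtasks /create`), so in production they belong behind an allow-list of known software rather than alerting on their own.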

Impact and Response

Despite the extensive reach of the phishing campaign, its success was limited. CERT-UA reported that only a few personal devices belonging to employees of various educational institutions were compromised. The agency provided the necessary methodological and practical assistance to address these infections.

Artificial Intelligence in Cyber Deception

An analysis of the fraudulent website cert-ua[.]tech revealed that it was likely generated using artificial intelligence tools. The HTML source code included a comment in Russian, "С Любовью, КИБЕР СЕРП", translating to "With Love, CYBER SERP".

CYBER SERP, a group claiming to be cyber-underground operatives from Ukraine, has been active since November 2025 and boasts over 700 subscribers on its Telegram channel. The group claimed responsibility for sending phishing emails to one million ukr[.]net mailboxes, asserting that over 200,000 devices were compromised. They stated: "We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions."

Previous Cyber Activities by CYBER SERP

In March 2026, CYBER SERP claimed to have breached Ukrainian cybersecurity company Cipher, allegedly obtaining a complete dump of the servers, including client databases and source code for their CIPS products.

Broader Context of Cyber Threats in Ukraine

This incident is part of a series of cyber threats targeting Ukrainian entities. In July 2025, CERT-UA reported a phishing campaign delivering the LAMEHUG malware, linked to the Russian state-sponsored group APT28. The malware utilized large language models to generate commands based on textual descriptions, showcasing the evolving sophistication of cyber attacks.

Additionally, in January 2025, CERT-UA warned of cyber scams involving fake AnyDesk requests for fraudulent security audits. Attackers impersonated the agency, attempting to gain remote access to systems under the guise of conducting security assessments.

Conclusion

The impersonation of CERT-UA to distribute AGEWHEEZE malware underscores the persistent and evolving cyber threats facing organizations. It highlights the importance of vigilance, robust cybersecurity measures, and the need for continuous education to recognize and mitigate phishing attempts.