CERT-UA: CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

Ukrainian CERT-UA Targeted in Phishing Campaign Distributing AGEWHEEZE Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a sophisticated phishing campaign in which threat actors impersonated the agency to distribute the AGEWHEEZE remote administration trojan. The attacks, attributed to the group UAC-0255, occurred on March 26–27, 2026, targeting state organizations, medical centers, security firms, educational institutions, financial entities, and software developers.

Emails were sent from the spoofed address incidents@cert-ua[.]tech, urging recipients to download a password-protected ZIP file ("CERT_UA_protection_tool.zip") hosted on Files.fm. The archive contained malware disguised as legitimate security software, later identified as AGEWHEEZE, a Go-based remote access trojan (RAT).
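The lure above combines three traits a mail gateway or triage script can key on: a sender domain that borrows the CERT-UA name without being a trusted domain, failed SPF/DMARC results, and a password-protected archive offered through a file-sharing host. The following Python is an added example, not code from CERT-UA, Rankiteo, or the report; it assumes a simple dict per message (From header, Authentication-Results, body text), a placeholder `TRUSTED_DOMAINS` allowlist that you would replace with the domains you verified out of band, and two constructed sample messages, the first modelled on the lure described in the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed allowlist of sender domains verified out of band for genuine
# CERT-UA correspondence (placeholder value, not taken from the report).
TRUSTED_DOMAINS = {"cert.gov.ua"}
# Brand tokens an impersonator is likely to reuse in a lookalike domain.
BRAND_TOKENS = ("cert-ua", "certua", "cert_ua")
# File-sharing host used for the lure in this campaign (Files.fm is named in the report).
FILE_SHARING_HOSTS = {"files.fm"}
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"password[- ]protected", re.IGNORECASE)


@dataclass
class Verdict:
    sender: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the first address in a From: header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def triage(msg: Dict[str, str]) -> Verdict:
    """Score one message against the three traits of this campaign."""
    v = Verdict(sender=msg.get("from", ""))
    dom = sender_domain(v.sender)
    # Lookalike: carries the brand token but is not one of the trusted domains.
    if dom and dom not in TRUSTED_DOMAINS and any(t in dom for t in BRAND_TOKENS):
        v.reasons.append(f"lookalike sender domain {dom}")
    auth = msg.get("authentication_results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        v.reasons.append("sender authentication failed")
    body = msg.get("body", "")
    lower = body.lower()
    if ARCHIVE_RE.search(body):
        for host in FILE_SHARING_HOSTS:
            if host in lower:
                v.reasons.append(f"archive download hosted on {host}")
        if PASSWORD_RE.search(body):
            v.reasons.append("password-protected archive lure")
    return v


def flagged(messages: List[Dict[str, str]]) -> List[Verdict]:
    """Return verdicts only for messages that tripped at least one rule."""
    return [v for v in map(triage, messages) if v.suspicious]


# Constructed sample messages: the first mirrors the lure described in the
# report (the Files.fm path is a placeholder), the second is ordinary mail.
SAMPLE_MESSAGES = [
    {
        "from": "CERT-UA <incidents@cert-ua.tech>",
        "authentication_results": "spf=fail smtp.mailfrom=cert-ua.tech; dmarc=fail header.from=cert-ua.tech",
        "body": "Install the CERT_UA_protection_tool.zip (password-protected archive) from https://files.fm/<id>",
    },
    {
        "from": "Helpdesk <helpdesk@example.org>",
        "authentication_results": "spf=pass; dkim=pass; dmarc=pass header.from=example.org",
        "body": "Reminder: the quarterly report is due Friday.",
    },
]

if __name__ == "__main__":
    for v in flagged(SAMPLE_MESSAGES):
        print(v.sender, "->", "; ".join(v.reasons))
```

Each reason is recorded separately rather than collapsed into one score so an analyst can see which trait fired; a lookalike domain alone is worth a look even when SPF happens to pass.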

AGEWHEEZE establishes communication with a command-and-control server (54.36.237[.]92) via WebSockets and supports extensive malicious functionality, including command execution, file manipulation, clipboard hijacking, input emulation, screenshot capture, and process management. It establishes persistence through scheduled tasks, Windows Registry modifications, or Startup directory entries.
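Because the implant talks to its C2 over WebSockets, a long-lived HTTP 101 upgrade to an address outside the organisation's expected set is the network-side signal to hunt for, and the published C2 address is a direct match. The script below is an added example, not code from CERT-UA or Rankiteo; it assumes a constructed proxy log of space-separated key=value fields, a placeholder `ALLOWED_WS_DESTS` inventory (a TEST-NET address stands in for real ones), IPv4-only destinations, and the C2 address exactly as the report gives it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# C2 address taken from the CERT-UA report (written 54.36.237[.]92 in the text).
KNOWN_C2_IPS = {"54.36.237.92"}
# Assumed allowlist of destinations where WebSocket sessions are expected
# (placeholder TEST-NET-3 address; populate from your own inventory).
ALLOWED_WS_DESTS = {"203.0.113.10"}

# Constructed proxy log format: space-separated key=value pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    severity: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def dest_ip(rec: Dict[str, str]) -> str:
    """Strip the port from an IPv4 'host:port' destination (IPv4 only, by assumption)."""
    return rec.get("dst", "").rsplit(":", 1)[0]


def is_websocket_upgrade(rec: Dict[str, str]) -> bool:
    """HTTP 101 together with Upgrade: websocket marks the start of a WebSocket session."""
    return rec.get("upgrade", "").lower() == "websocket" and rec.get("status") == "101"


def detect(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        dst = dest_ip(rec)
        if dst in KNOWN_C2_IPS:
            # Any contact with the published C2, WebSocket or not, is high severity.
            alerts.append(Alert(rec["ts"], rec["src"], dst, "high", "traffic to known AGEWHEEZE C2"))
        elif is_websocket_upgrade(rec) and dst not in ALLOWED_WS_DESTS:
            alerts.append(Alert(rec["ts"], rec["src"], dst, "medium", "WebSocket session to unlisted destination"))
    return alerts


def hosts_to_isolate(alerts: List[Alert]) -> Set[str]:
    """Sources with a high-severity alert are candidates for containment."""
    return {a.src for a in alerts if a.severity == "high"}


# Constructed sample log: one host reaching the C2 twice, one expected WebSocket
# session, one WebSocket session to an unlisted host, and ordinary web traffic.
SAMPLE_LOG = [
    "ts=2026-03-26T10:14:02Z src=10.0.0.12 dst=54.36.237.92:443 method=GET upgrade=websocket status=101",
    "ts=2026-03-26T10:15:10Z src=10.0.0.15 dst=203.0.113.10:443 method=GET upgrade=websocket status=101",
    "ts=2026-03-26T10:16:33Z src=10.0.0.20 dst=198.51.100.7:8080 method=GET upgrade=websocket status=101",
    "ts=2026-03-26T10:17:01Z src=10.0.0.12 dst=54.36.237.92:443 method=POST status=200",
    "ts=2026-03-26T10:18:45Z src=10.0.0.31 dst=198.51.100.9:443 method=GET status=200",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a.ts, a.src, "->", a.dst, a.severity, a.reason)
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The medium-severity rule is where the noise lives: browsers and collaboration tools open WebSocket sessions constantly, so the allowlist has to be built from a baseline of normal traffic before the rule is useful. Endpoint-side, the same hosts should be checked against the three persistence locations named in the report.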

CERT-UA reported the campaign had limited success, with only a few infections detected, primarily on personal devices of educational institution employees. The agency provided remediation support to affected parties.

Investigations revealed the fraudulent domain cert-ua[.]tech was likely generated using AI tools, with its HTML source code containing a Russian-language comment: "С Любовью, КИБЕР СЕРП" ("With Love, CYBER SERP"). The threat actor, operating under the alias Cyber Serp, claims to be a Ukrainian "cyber-underground" collective with over 700 Telegram subscribers (channel created in November 2025).

In Telegram posts, Cyber Serp asserted the phishing campaign targeted 1 million ukr[.]net mailboxes, claiming over 200,000 devices were compromised. The group also took responsibility for a February 2026 breach of Ukrainian cybersecurity firm Cipher, alleging access to server dumps, client databases, and source code for its CIPS products. Cipher confirmed the incident but stated the compromised employee had access only to a non-sensitive project, with no impact on its infrastructure.

Source: https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html

CERT-UA cybersecurity rating report: https://www.rankiteo.com/company/cert-ua

{
  "id": "CER1775061546",
  "linkid": "cert-ua",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}

{
  "affected_entities": [
    {"industry": "Public Sector", "location": "Ukraine", "name": "State organizations", "type": "Government"},
    {"industry": "Healthcare", "location": "Ukraine", "name": "Medical centers", "type": "Healthcare"},
    {"industry": "Cybersecurity", "location": "Ukraine", "name": "Security firms", "type": "Private Sector"},
    {"industry": "Education", "location": "Ukraine", "name": "Educational institutions", "type": "Education"},
    {"industry": "Finance", "location": "Ukraine", "name": "Financial entities", "type": "Private Sector"},
    {"industry": "Technology", "location": "Ukraine", "name": "Software developers", "type": "Private Sector"},
    {"industry": "Cybersecurity", "location": "Ukraine", "name": "Cipher", "type": "Private Sector"}
  ],
  "attack_vector": "Email (Spoofed Domain)",
  "data_breach": {
    "data_exfiltration": "Alleged (claimed by threat actor)",
    "personally_identifiable_information": "Potential (due to RAT capabilities)",
    "sensitivity_of_data": "High (PII, proprietary code)",
    "type_of_data_compromised": ["Client databases", "Source code", "Potentially sensitive project data"]
  },
  "date_detected": "2026-03-26",
  "description": "The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a sophisticated phishing campaign in which threat actors impersonated the agency to distribute the AGEWHEEZE remote administration trojan. The attacks, attributed to the group UAC-0255, targeted state organizations, medical centers, security firms, educational institutions, financial entities, and software developers.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to CERT-UA and targeted entities",
    "data_compromised": "Potential access to sensitive data (e.g., client databases, source code)",
    "identity_theft_risk": "High (due to RAT capabilities)",
    "operational_impact": "Limited success; remediation support provided",
    "systems_affected": "Personal devices of employees (primarily educational institutions)"
  },
  "initial_access_broker": {
    "backdoors_established": "AGEWHEEZE RAT (persistence via scheduled tasks/Registry/Startup)",
    "data_sold_on_dark_web": "Alleged (claimed by threat actor)",
    "entry_point": "Phishing email (spoofed CERT-UA domain)",
    "high_value_targets": "State organizations, cybersecurity firms, financial entities"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Need for heightened awareness of phishing campaigns impersonating official agencies; importance of verifying sender domains and avoiding password-protected archives from untrusted sources.",
  "motivation": "Cyber Espionage, Data Exfiltration",
  "post_incident_analysis": {
    "corrective_actions": [
      "Block known malicious IPs (e.g., 54.36.237[.]92)",
      "Implement DMARC/DKIM/SPF for email authentication",
      "Restrict execution of files from untrusted sources"
    ],
    "root_causes": [
      "Lack of email domain verification by recipients",
      "Use of password-protected archives to bypass security filters",
      "Insufficient employee training on phishing risks"
    ]
  },
  "recommendations": [
    "Implement multi-factor authentication (MFA) for email accounts",
    "Educate employees on phishing risks and domain spoofing",
    "Monitor for unusual WebSocket traffic to unknown IPs",
    "Conduct regular security audits of third-party vendors",
    "Enforce strict access controls for sensitive projects"
  ],
  "references": [{"source": "CERT-UA"}, {"source": "Cyber Serp (Telegram)"}],
  "response": {
    "incident_response_plan_activated": "Yes (CERT-UA provided remediation support)",
    "remediation_measures": "Remediation support provided to affected parties"
  },
  "stakeholder_advisories": "CERT-UA issued advisories to targeted sectors; Cipher confirmed limited impact of the February 2026 breach.",
  "threat_actor": "UAC-0255 (Cyber Serp)",
  "title": "Ukrainian CERT-UA Targeted in Phishing Campaign Distributing AGEWHEEZE Malware",
  "type": "Phishing Campaign"
}