
Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a new phishing campaign impersonating the cybersecurity agency itself to distribute a remote administration tool known as AGEWHEEZE.
As part of the attack, the attacker, tracked as UAC-0255, sent emails impersonating CERT-UA on March 26 and 27, 2026, distributing password-protected ZIP archives hosted on Files.fm and prompting recipients to install “specialized software.”
Targets of the campaign included state agencies, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the address ‘incidents@cert-ua[.]technology’.
The ZIP file (“CERT_UA_protection_tool.zip”) is designed to deliver malware disguised as security software from a government agency. According to CERT-UA, the malware is a remote access Trojan codenamed AGEWHEEZE.
The Go-based malware AGEWHEEZE communicates with an external server (54.36.237[.]92) via WebSocket and supports a wide range of commands: executing shell commands, performing file operations, modifying the clipboard, emulating mouse and keyboard input, taking screenshots, and managing processes and services. It also establishes persistence by creating scheduled tasks, modifying the Windows registry, or adding itself to the startup directory.
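As an added defender-side example (not from the advisory or CERT-UA's tooling), the following Python refangs the indicators quoted above and matches them against constructed log lines; it assumes a simple key=value log format and that cert.gov.ua is the agency's legitimate mail domain.

```python
import re
from typing import List, Optional

# Indicators quoted in the CERT-UA advisory above, kept defanged as published.
DEFANGED_IOCS = {
    "domains": ["cert-ua[.]technology", "cert-ua[.]tech"],
    "c2_ips": ["54.36.237[.]92"],
    "archives": ["CERT_UA_protection_tool.zip"],
}
LEGIT_CERT_UA_DOMAIN = "cert.gov.ua"  # assumption: the agency's real mail domain

def refang(value: str) -> str:
    """Turn the published '[.]' notation back into '.' for matching."""
    return value.replace("[.]", ".")

IOCS = {k: [refang(v) for v in vals] for k, vals in DEFANGED_IOCS.items()}

def check_sender(addr: str) -> Optional[str]:
    """Flag mail that claims to be CERT-UA but is not sent from the agency domain."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in IOCS["domains"]:
        return f"known impersonation domain {domain}"
    if "cert-ua" in domain and domain != LEGIT_CERT_UA_DOMAIN:
        return f"look-alike CERT-UA domain {domain}"
    return None

def scan_log_line(line: str) -> List[str]:
    """Return findings for one log line (constructed format: key=value pairs)."""
    findings = []
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    sender = fields.get("from", "").strip("<>")
    if sender and (hit := check_sender(sender)):
        findings.append(hit)
    for ip in IOCS["c2_ips"]:
        if fields.get("dst") == ip:
            findings.append(f"connection to AGEWHEEZE C2 {ip} ({fields.get('proto', '?')})")
    for dom in IOCS["domains"]:
        if fields.get("host") == dom:
            findings.append(f"request to fake CERT-UA site {dom}")
    for name in IOCS["archives"]:
        if fields.get("file") == name:
            findings.append(f"download of lure archive {name}")
    return findings

# Constructed sample log lines for demonstration; not taken from the advisory.
SAMPLE_LOG = [
    "2026-03-26T09:12:01 mail from=<incidents@cert-ua.technology> subject=protection_tool",
    "2026-03-26T09:15:44 proxy host=files.fm file=CERT_UA_protection_tool.zip",
    "2026-03-26T09:18:03 fw dst=54.36.237.92 proto=websocket",
    "2026-03-26T09:20:10 mail from=<alerts@cert.gov.ua> subject=advisory",
]
```

Running `scan_log_line` over each entry of `SAMPLE_LOG` flags the first three lines and returns nothing for the legitimate sender.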

This attack is considered largely unsuccessful. “Only a small number of infected personal devices were identified belonging to employees of educational institutions with a variety of ownership types,” the agency said. “The team’s experts provided the necessary methodological and practical assistance.”
Analysis of the fake site “cert-ua[.]tech” revealed that the file was likely generated with the help of artificial intelligence (AI) tools; the HTML source code also includes the comment “С Любовью, КИБЕР СЕРП”, which means “With Love, CYBER SERP.”
In a post on Telegram, Cyber Serp claims to be a “Ukrainian cyber underground operative.” The Telegram channel was launched in November 2025 and has over 700 subscribers.
The attacker also claimed that phishing emails were sent to 1 million UKR[.]NET mailboxes as part of the campaign, with over 200,000 devices reportedly compromised. “We are not bandits. The average Ukrainian citizen will never suffer for our actions,” he said in the post.
Last month, Cyber Serp took responsibility for an alleged breach against Ukrainian cybersecurity company Cipher, announcing that it had obtained a complete dump of its servers, including client databases and source code for its CIPS product suite.
Cipher acknowledged in a statement on its website that the credentials of an employee at one of its technology companies had been compromised by an attacker, but said its infrastructure was operating normally. The intruder was able to access only a single project, and that project did not contain sensitive data.
