CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

Summary

Ukrainian threat actor group UAC-0255 (claiming affiliation with 'Cyber Serp') launched a large-scale phishing campaign on March 26–27, 2026, impersonating CERT-UA to distribute AGEWHEEZE, a Go-based remote access trojan. The malware was packaged in password-protected ZIP files and distributed to approximately 1 million ukr.net mailboxes targeting state organizations, medical centers, and financial institutions. The campaign was largely unsuccessful, with only a handful of infected devices identified among educational institution employees.

Full text

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails Ravie LakshmananApr 01, 2026Email Security / Artificial Intelligence The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urged recipients to install the "specialized software." The targets of the campaign included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the email address "incidents@cert-ua[.]tech." The ZIP file ("CERT_UA_protection_tool.zip") is designed to download malware packaged as security software from the agency. The malware, per CERT-UA, is a remote access trojan codenamed AGEWHEEZE. A Go-based malware, AGEWHEEZE communicates with an external server ("54.36.237[.]92") over WebSockets and supports a wide range of commands to execute commands, perform file operations, modify the clipboard, emulate mouse and keyboard, take screenshots, and manage processes and services. It also creates persistence by using a scheduled task, modifying the Windows Registry, or adding itself to the Startup directory. The attack is assessed to have been largely unsuccessful. "No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified," the agency said. "The team's specialists provided the necessary methodological and practical assistance." An analysis of the bogus website "cert-ua[.]tech" has revealed that it was likely generated with assistance from artificial intelligence (AI) tools, with the HTML source code also including a comment: "С Любовью, КИБЕР СЕРП," meaning "With Love, CYBER SERP." In posts on Telegram, Cyber Serp claims that they are "cyber-underground operatives from Ukraine." The Telegram channel was created in November 2025 and has more than 700 subscribers. The threat actor also said the phishing emails were sent to 1 million ukr[.]net mailboxes as part of the campaign, and that over 200,000 devices have been compromised. "We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions," it said in a post. Last month, Cyber Serp took responsibility for an alleged breach of Ukrainian cybersecurity company Cipher, stating it obtained a complete dump of the servers, including a client database and source code for their line of CIPS products, among others. In a statement on its website, Cipher acknowledged that attackers compromised the credentials of an employee at one of its technology companies but said its infrastructure was operating normally. The infected user had access to a single project, which did not contain sensitive data, it added. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, CERT-UA, cybersecurity, data breach, email security, Malware, Phishing, Remote Access Trojan, Ukraine Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• ip — 54.36.237.92
• domain — cert-ua.tech
• malware — AGEWHEEZE
• malware — UAC-0255