CERT-UA Impersonation Campaign Spreads AGEWHEEZE Malware in 1 Million Emails

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the agency itself was impersonated to distribute a remote access tool tracked as AGEWHEEZE.
As part of the attack, a threat actor tracked as UAC-0255 sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urging recipients to install “special software.”
Targets of the campaign include government agencies, medical institutions, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the address “incidents@cert-ua[.]technology.”
The ZIP file (“CERT_UA_protection_tool.zip”) delivers malware packaged as a security tool purportedly issued by the agency. According to CERT-UA, the malware is a remote access trojan called AGEWHEEZE.
A Go-based malware, AGEWHEEZE communicates with an external server (“54.36.237[.]92”) over WebSockets and supports commands for running shell commands, performing file operations, manipulating the clipboard, simulating mouse and keyboard input, taking screenshots, and managing processes and services. It establishes persistence by creating a scheduled task, modifying the Windows Registry, or installing itself in the Startup directory.
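The lure and the host behaviour described above map to a handful of checks a mail gateway and an endpoint telemetry pipeline can run. The following is an added example written for this article, not code from CERT-UA: it triages a message for the lure's three signals (a sender domain imitating CERT-UA, a Files.fm link, a password-protected ZIP) and scans Sysmon-style events for the persistence mechanisms and the C2 address the advisory lists. The sample messages and events are constructed; the allowlisted domain cert.gov.ua, the malware path, and the event field names are assumptions of this example.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# ---- mail-side triage (assumed allowlist: the agency's real domain) ----
LEGIT_DOMAINS = {"cert.gov.ua"}
IMPERSONATION_TOKEN = "certua"  # "cert-ua", "cert_ua" and "certua" all squash to this
HOSTING_LINK = re.compile(r"https?://(?:www\.)?files\.fm/\S+", re.IGNORECASE)
ZIP_NAME = re.compile(r"\b[\w\-]+\.zip\b", re.IGNORECASE)
PASSWORD_WORD = re.compile(r"\bpassword\b", re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True when a domain reads as CERT-UA but is not under the allowlist."""
    if any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    squashed = re.sub(r"[^a-z0-9]", "", domain)  # drop dots/hyphens before matching
    return IMPERSONATION_TOKEN in squashed


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message on the three lure signals; two or more hits = suspicious."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    signals = {
        "lookalike_sender": is_lookalike(sender_domain(msg)),
        "file_hosting_link": bool(HOSTING_LINK.search(body)),
        "password_protected_zip": bool(ZIP_NAME.search(body) and PASSWORD_WORD.search(body)),
    }
    score = sum(signals.values())
    return {"sender_domain": sender_domain(msg), "signals": signals,
            "score": score, "verdict": "suspicious" if score >= 2 else "clean"}


# ---- host-side detection over Sysmon-style events (IDs 1, 3, 11, 13) ----
KNOWN_C2_IPS = {"54.36.237.92"}  # the C2 address from the advisory
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def classify(event: dict):
    """Map one event to a (technique, responsible image) finding, or None."""
    eid = event.get("event_id")
    image = (event.get("image") or "").lower()
    target = (event.get("target") or "").lower()
    cmd = (event.get("command_line") or "").lower()
    if eid == 13 and any(k in target for k in RUN_KEYS):          # registry value set
        return ("persistence:registry_run_key", image)
    if eid == 11 and STARTUP_DIR in target:                        # file created
        return ("persistence:startup_folder", image)
    if eid == 1 and image.endswith("\\schtasks.exe") and "/create" in cmd:  # process created
        return ("persistence:scheduled_task", (event.get("parent_image") or "").lower())
    if eid == 3 and event.get("dest_ip") in KNOWN_C2_IPS:          # network connection
        return ("c2:known_ip", image)
    return None


def detect(events) -> dict:
    """Collect findings and single out images that both persist and reach the C2."""
    findings = [f for f in (classify(e) for e in events) if f]
    kinds_by_image = defaultdict(set)
    for technique, image in findings:
        kinds_by_image[image].add(technique.split(":")[0])
    correlated = sorted(img for img, kinds in kinds_by_image.items()
                        if {"persistence", "c2"} <= kinds)
    return {"findings": findings, "correlated_images": correlated}


# ---- constructed samples (not real captures) ----
LURE = "\n".join([
    "From: CERT-UA <incidents@cert-ua.technology>",
    "To: it@example-hospital.ua",
    "Subject: Install special protection software",
    "",
    "Download CERT_UA_protection_tool.zip from https://files.fm/u/example123 ;",
    "the archive password is in the attached instructions.",
])
BENIGN = "\n".join([
    "From: CERT-UA <info@cert.gov.ua>", "To: it@example-hospital.ua",
    "Subject: Weekly advisory", "", "This week's advisory is published on our website.",
])
MALWARE_IMAGE = r"C:\Users\alice\AppData\Roaming\protection_tool.exe"  # assumed path
SAMPLE_EVENTS = [
    {"event_id": 13, "image": MALWARE_IMAGE,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ProtectionTool"},
    {"event_id": 11, "image": MALWARE_IMAGE,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\protection_tool.lnk"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": MALWARE_IMAGE,
     "command_line": "schtasks /create /sc onlogon /tn ProtectionTool /tr " + MALWARE_IMAGE},
    {"event_id": 3, "image": MALWARE_IMAGE, "dest_ip": "54.36.237.92", "dest_port": 443},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"event_id": 3, "image": r"C:\Program Files\Browser\browser.exe", "dest_ip": "203.0.113.10"},
    {"event_id": 11, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    print(triage(LURE)["verdict"], triage(BENIGN)["verdict"])
    print(detect(SAMPLE_EVENTS)["correlated_images"])
```

The scheduled-task finding is attributed to the parent of `schtasks.exe` rather than to `schtasks.exe` itself, so that all four behaviours of the sample resolve to the same image and the correlation step can flag it; in a real pipeline the Sysmon field names (Image, TargetObject, DestinationIp) would be mapped onto the keys used here.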

The attack is considered unsuccessful. “No more than a few infected resources have been identified, belonging to employees of educational institutions of various forms of ownership,” the agency said. “The group’s experts provided the necessary practical help.”
Analysis of the fake website “cert-ua[.]tech” revealed that it may have been created with the help of artificial intelligence (AI) tools, with the HTML source code including the comment: “С Любовью, КИБЕР СЕРП,” meaning “With Love, CYBER SERP.”
In a post on Telegram, Cyber Serp says that they “operate underground from Ukraine.” The Telegram channel was created in November 2025 and has more than 700 subscribers.
The threat actor also claimed that phishing emails were sent to 1 million kr[.]mailboxes as part of the campaign, and that more than 200,000 devices were compromised. “We are not criminals – an ordinary Ukrainian citizen will never suffer for our actions,” the post said.
Last month, Cyber Serp claimed responsibility for an alleged breach of the Ukrainian cybersecurity company Cipher, saying that it had obtained a complete dump of the company’s servers, including its client database and the source code of its CIPS product line, among other things.
In a statement on its website, Cipher acknowledged that attackers had compromised an employee’s account at one of its technology companies but said its infrastructure was operating normally. The affected user had access to a single project that contained no sensitive data, it added.
