Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive
Analysis Summary
# Incident Report: CERT-UA Impersonation and AGEWHEEZE Malware Campaign
## Executive Summary
In late March 2026, the threat actor UAC-0255 (self-identified as "Cyber Serp") launched a massive phishing campaign impersonating the Computer Emergency Response Team of Ukraine (CERT-UA). The attack targeted approximately 1 million email addresses with a password-protected ZIP archive containing "AGEWHEEZE," a Go-based Remote Access Trojan (RAT). While the threat actor claimed widespread success, official investigations suggest the impact was limited primarily to a small number of personal devices within educational institutions.
## Incident Details
- **Discovery Date:** Late March/Early April 2026
- **Incident Date:** March 26 – March 27, 2026
- **Affected Organization:** Multiple (State organizations, medical, education, finance, software dev)
- **Sector:** Cross-sector (Public and Private)
- **Geography:** Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** March 26-27, 2026
- **Vector:** Phishing via Email
- **Details:** Attackers sent emails from "incidents@cert-ua[.]tech" posing as CERT-UA. The emails urged recipients to download a "specialized software" package for protection, hosted on Files.fm.
### Lateral Movement
- **Details:** While the malware (AGEWHEEZE) provides full remote control capabilities, specific lateral movement techniques within targeted networks were not detailed in the public report, as the campaign largely infected isolated personal devices.
### Data Exfiltration/Impact
- **Details:** The threat actor claimed to have compromised 200,000 devices and previously breached the firm "Cipher," claiming to have dumped client databases and source code. However, CERT-UA verified only a few infections on personal devices.
### Detection & Response
- **How it was discovered:** Discovered by CERT-UA through monitoring of impersonation attempts and analysis of the "cert-ua[.]tech" domain.
- **Response actions taken:** CERT-UA issued a public disclosure, analyzed the malware, and provided methodological assistance to affected educational institutions.
## Attack Methodology
- **Initial Access:** Phishing (Impersonation of a trusted government entity).
- **Persistence:** Created scheduled tasks, modified Windows Registry, or added files to the Startup directory.
- **Defense Evasion:** Use of password-protected ZIP archives to bypass email gateway scanners; use of a look-alike domain (cert-ua[.]tech) and AI-generated web content.
- **Discovery:** The malware performs process and service discovery on the local machine.
- **Lateral Movement:** Capabilities included mouse/keyboard emulation and command execution.
- **Collection:** Clipboard modification, screenshot capture, and file operation capabilities.
- **Exfiltration:** Data sent to C2 via WebSockets.
- **Impact:** Full remote administrative control of the infected host.
## Impact Assessment
- **Financial:** Undisclosed; likely minimal due to low corporate infection rate.
- **Data Breach:** Compromise of an employee credential at "Cipher" led to a single-project leak (non-sensitive). Claimed breach of 200k devices is unsubstantiated.
- **Operational:** Minimal disruption reported; localized to personal devices in the education sector.
- **Reputational:** High. Impersonating a national CERT is an attempt to erode trust in official security communications, regardless of how few hosts were actually infected.
## Indicators of Compromise
- **Network Indicators:**
  - 54.36.237[.]92 (C2 server)
  - cert-ua[.]tech (phishing domain)
  - incidents@cert-ua[.]tech (sender address)
- **File Indicators:**
  - CERT_UA_protection_tool.zip (malware archive)
  - AGEWHEEZE (Go-based RAT)
- **Behavioral Indicators:**
  - WebSocket communication to unrecognized external IPs.
  - Unexpected scheduled tasks or registry modifications pointing to user-profile executables.
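The indicators above can be turned directly into hunting logic. The following Python script is an added example, not code from the report or from CERT-UA: it refangs the published network indicators, runs them over a handful of constructed log lines (the key=value log format, the `corp.example` domain and the 10.0.0.0/8 clients are assumptions), adds the generic "WebSocket to an external IP" rule, and flags persistence entries whose target executable sits under a user profile, using a constructed export format for Run keys, scheduled tasks and Startup-folder shortcuts. "Internal" is defined here as RFC 1918, loopback and link-local ranges, which is an assumption about the environment.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators taken from the report above, kept defanged as published.
DEFANGED_IOCS = {
    "c2_ip": "54.36.237[.]92",
    "phish_domain": "cert-ua[.]tech",
    "sender": "incidents@cert-ua[.]tech",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("[at]", "@")


IOCS = {name: refang(value) for name, value in DEFANGED_IOCS.items()}

# Matches the phishing domain or any subdomain of it, as a whole label.
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(IOCS["phish_domain"]) + r"(?![\w-])", re.I)
# Matches the C2 address as a whole dotted quad, not as part of a longer number.
C2_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOCS["c2_ip"]) + r"(?![\d.])")
# Executable launched from a user profile directory (the report's persistence indicator).
USER_PROFILE_EXE_RE = re.compile(r'^"?([a-z]:\\users\\[^\\]+\\[^"]*?\.exe)', re.I)
# Assumption: these ranges are "internal"; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log lines (not from the report): one mail-gateway line,
# two resolver lines and three proxy lines, in a simple key=value format.
SAMPLE_LOGS = [
    "mail from=<incidents@cert-ua.tech> to=<user@corp.example> attach=CERT_UA_protection_tool.zip",
    "dns client=10.0.0.5 query=files.fm type=A",
    "dns client=10.0.0.5 query=www.cert-ua.tech type=A",
    "proxy client=10.0.0.5 dst=54.36.237.92:443 upgrade=websocket",
    "proxy client=10.0.0.7 dst=203.0.113.10:443 upgrade=-",
    "proxy client=10.0.0.9 dst=198.51.100.25:8080 upgrade=websocket",
]

# Constructed persistence entries in an assumed endpoint-agent export format:
# a registry Run value, a scheduled task action and a Startup-folder shortcut target.
SAMPLE_PERSISTENCE = [
    {"where": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDriveSync",
     "command": r"C:\Users\alice\AppData\Roaming\sync\onedrv.exe --quiet"},
    {"where": "schtasks", "name": "Vendor Updater",
     "command": r"C:\Program Files\Vendor\updater.exe /check"},
    {"where": "startup", "name": "tool.lnk",
     "command": r'"C:\Users\alice\Downloads\CERT_UA_protection_tool\agent.exe"'},
]


def _websocket_to_external(line: str) -> bool:
    """True for a proxy line that upgrades to WebSocket towards a non-internal literal IP."""
    if "upgrade=websocket" not in line:
        return False
    match = re.search(r"dst=([^:\s]+)", line)
    if not match:
        return False
    try:
        addr = ipaddress.ip_address(match.group(1))
    except ValueError:
        return False  # a hostname rather than a literal IP: outside this rule's scope
    return not any(addr in net for net in INTERNAL_NETS)


def scan_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every line that trips an indicator rule."""
    hits = []
    for line in lines:
        if IOCS["sender"].lower() in line.lower():
            hits.append(("known_sender", line))
        if DOMAIN_RE.search(line):
            hits.append(("phishing_domain", line))
        if C2_IP_RE.search(line):
            hits.append(("known_c2_ip", line))
        if _websocket_to_external(line):
            hits.append(("websocket_to_external_ip", line))
    return hits


def flag_persistence(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return persistence entries whose target executable lives under a user profile."""
    return [e for e in entries if USER_PROFILE_EXE_RE.match(e["command"])]


if __name__ == "__main__":
    for rule, line in scan_logs(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
    for entry in flag_persistence(SAMPLE_PERSISTENCE):
        print(f"[user_profile_persistence] {entry['where']} {entry['name']}: {entry['command']}")
```

The domain rule deliberately matches subdomains, because a look-alike registration is normally used with several hostnames; the WebSocket rule is the generic counterpart to the exact C2 address and will fire on legitimate WebSocket services as well, so it belongs in a triage queue rather than a blocking control.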
## Response Actions
- **Containment:** Blocking of the malicious domain and C2 IP at the national/ISP level where possible.
- **Eradication:** Removal of the AGEWHEEZE malware and associated persistence mechanisms on identified infected devices.
- **Recovery:** Restoration of devices and provision of security guidance to affected users.
## Lessons Learned
- **Trust as a Weapon:** Threat actors are increasingly leveraging the "Trusted Provider" paradox, where they impersonate the very agencies meant to protect users.
- **AI in Phishing:** The use of AI to generate HTML and content for phishing sites allows for faster, more professional-looking lures.
- **Validation of Claims:** Threat actor claims in Telegram channels (e.g., "200,000 devices") often represent hyperbole intended for psychological impact rather than technical reality.
## Recommendations
- **Domain Monitoring:** Organizations should monitor for typosquatting/look-alike domains of key partners and government agencies.
- **Email Filtering:** Implement rules to flag or block password-protected ZIP files from external sources if not part of standard business workflow.
- **Zero Trust:** Reinforce that official agencies (like CERT-UA) will rarely ask users to download "protection tools" via a generic file-sharing link (Files.fm).
- **Endpoint Protection:** Utilize EDR solutions capable of detecting Go-based malware and unusual WebSocket traffic.
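The email-filtering recommendation depends on recognising a password-protected archive without opening it. The following Python code is an added example, not a rule from the report or any vendor product: it reads only the ZIP central directory, where each entry's general-purpose flag bit 0 marks traditional PKWARE encryption, and applies a simple sender-based policy. The `corp.example` internal domain and the "block / quarantine / allow" verdicts are assumptions; the `build_zip` helper hand-assembles minimal archives so the check can be exercised offline (the "encrypted" entry only carries the flag and a dummy 12-byte header, which is all the detector looks at).

```python
import io
import struct
import zipfile
import zlib
from typing import List

# Assumption: mail from these domains is treated as internal.
INTERNAL_DOMAINS = {"corp.example"}


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Construct a single-entry, stored (uncompressed) ZIP archive by hand.

    With encrypted=True the general-purpose flag bit 0 is set and the entry data
    is prefixed with a 12-byte header as in traditional PKWARE encryption. The
    bytes are not actually encrypted; this only builds a constructed test sample.
    """
    fname = name.encode("ascii")
    flags = 0x0001 if encrypted else 0x0000
    data = (b"\x00" * 12 + payload) if encrypted else payload
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    dos_date = 0x21  # 1980-01-01, a valid DOS date
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                        crc, len(data), len(payload), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, dos_date,
                          crc, len(data), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(data)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + data + central + eocd


def encrypted_entries(data: bytes) -> List[str]:
    """Names of entries whose encryption flag is set. Raises BadZipFile on non-ZIP input."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x0001]


def classify_zip_attachment(sender: str, data: bytes) -> str:
    """Gateway verdict for a .zip attachment: 'block', 'quarantine' or 'allow'."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    external = sender_domain not in INTERNAL_DOMAINS
    try:
        locked = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "quarantine"  # named .zip but does not parse: hold for manual inspection
    if locked and external:
        return "block"  # unscannable archive from outside the organisation
    if locked:
        return "quarantine"  # internal sender, still cannot be scanned: hold for review
    return "allow"


if __name__ == "__main__":
    sample = build_zip("CERT_UA_protection_tool.exe", b"MZ constructed sample", True)
    print(encrypted_entries(sample))
    print(classify_zip_attachment("incidents@cert-ua.tech", sample))
```

Because the decision is made from the central directory alone, no password is needed and no entry is ever extracted, which keeps the check cheap enough to run on every message; a production rule would also recurse into nested archives and apply the same policy to other container formats.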