Security Affairs, by Pierluigi Paganini

Threat actor UAC-0255 impersonates CERT-UA to spread AGEWHEEZE malware via phishing

2 April 2026, 11:02

Threat actors impersonated CERT-UA to send phishing emails with AGEWHEEZE malware, tricking victims into installing a fake “security tool.”

A threat actor, tracked as UAC-0255, impersonated CERT-UA in a phishing campaign, sending emails to about 1 million users. The messages urged victims to download a password-protected archive from Files.fm and install a fake “specialized software,” which actually deployed the AGEWHEEZE remote access tool, giving attackers control over infected systems.

“The National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA recorded cases of distribution of emails allegedly on behalf of CERT-UA on March 26-27, 2026, urging people to download a password-protected archive (“CERT_UA_protection_tool.zip”, “protection_tool.zip”) from the Files.fm service and install “specialized software”.” reads the advisory published by CERT-UA. “It was found that the executable file that was offered to be installed (internal package name: “/example.com/tvisor/agent”) is a multifunctional software tool for remote computer control, classified by CERT-UA as AGEWHEEZE.”

AGEWHEEZE supports command execution, file management, screen capture, input control, and process/service management. It ensures persistence via registry, startup, or scheduled tasks, installing itself in AppData paths. The malware communicates with its server via WebSockets and can also steal clipboard data, run commands, and control system actions.

The campaign targeted government organizations, medical centers, security companies, educational institutions, financial institutions, software development companies, and others.

The attackers created a fake website (cert-ua[.]tech) mimicking the real CERT-UA site to spread the fake “security tool” that is actually AGEWHEEZE malware. The tool allows remote control of infected systems. CERT-UA experts state that the command server is hosted on OVH infrastructure and includes a login page (“The Cult”) with Russian-language elements, suggesting the attackers’ origin or links.

The fake site cert-ua[.]tech includes links to a Telegram channel claiming responsibility for the attack, confirming attribution to UAC-0255.

The fake site was likely AI-generated and included references to “CYBER SERP,” a group active since late 2025 that claimed responsibility. The group says it sent phishing emails to 1 million users and infected over 200,000 devices, though this is unverified.

The campaign had a limited impact, infecting only a few devices in educational institutions. CERT-UA experts helped contain it. The case shows how AI can make cyberattacks easier, and highlights the need to reduce the attack surface using built-in system protections such as AppLocker alongside dedicated security tools.

Authorities thanked Ukrainian telecom providers for supporting cyber defense efforts and sharing threat information. They also warned that AI is making attacks easier, urging organizations to reduce attack surfaces and strengthen security using system protections and dedicated tools.


Pierluigi Paganini


UAC-0255 Attack Detection: Threat Actors Impersonate CERT-UA to Infect Ukrainian Public and Private Sector Organizations With AGEWHEEZE RAT

1 April 2026, 09:50

Phishing remains one of the most effective tools in the cybercriminal arsenal, especially when threat actors abuse the credibility of trusted institutions and familiar digital services to increase victim interaction. In late March 2026, CERT-UA revealed a phishing campaign tracked as UAC-0255 in which attackers impersonated the agency and attempted to infect organizations across Ukraine’s public and private sectors with the AGEWHEEZE RAT.

Detect UAC-0255 Attacks Covered in CERT-UA#21075

Europol notes that phishing remains the main distribution vector for data-stealing malware, reflecting how central email- and URL-driven social engineering is to malware delivery. The same pattern is visible across the phishing activity CERT-UA has been documenting against Ukraine throughout 2026.

Earlier this year, CERT-UA reported a UAC-0190 campaign targeting the Ukrainian Armed Forces with the PLUGGYAPE backdoor, and later disclosed UAC-0252 activity in which emails impersonating central executive authorities and regional administrations lured victims into running SHADOWSNIFF and SALATSTEALER payloads. The latest UAC-0255 attack covered in the CERT-UA#21075 alert fits the same broader trend, with threat actors now abusing CERT-UA’s own identity to make the lure more convincing and expand targeting across both public and private sector organizations.

Register for the SOC Prime Platform to proactively detect UAC-0255 and similar attacks at the earliest stages possible. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with multiple SIEM, EDR, and Data Lake technologies.


Security experts can also use the “CERT-UA#21075” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes. For more rules to detect adversary-related attacks, cyber defenders can search the Threat Detection Marketplace library using the “UAC-0255” tag.

Cybersecurity professionals can also rely on Uncoder AI to analyze threat intelligence in real time, generate Attack Flows, Sigma rules, simulations and validations, design detections in 56 languages, and create custom agentic workflows. Visit https://socprime.ai/ to learn more.

Analyzing UAC-0255 Attacks Impersonating CERT-UA to Deploy AGEWHEEZE

On March 26–27, 2026, CERT-UA identified a phishing campaign in which attackers impersonated the agency and urged recipients to download password-protected archives from the Files.fm service, including “CERT_UA_protection_tool.zip” and “protection_tool.zip.” The archives contained malicious content presented as specialized software to be installed by targeted organizations. 

Malicious emails were distributed broadly across Ukraine and targeted government organizations, medical centers, security firms, educational institutions, financial organizations, software development companies, and other entities, highlighting the campaign’s reach across both public and private sectors.

The CERT-UA#21075 alert also details the discovery of the fraudulent website cert-ua[.]tech, which reused materials from the official cert.gov.ua website and included instructions for downloading the fake protection tool. This helped the attackers reinforce the legitimacy of the lure and increase the chances of user interaction by abusing trust in Ukraine’s Computer Emergency Response Team.

The executable offered for installation was determined to be a multifunctional remote access malware strain tracked by CERT-UA as AGEWHEEZE. AGEWHEEZE is a Go-based RAT that supports a broad set of remote administration capabilities. In addition to standard functions such as command execution and file management, the malware can stream screen content, emulate mouse and keyboard input, interact with the clipboard, manage processes and services, and open URLs on the compromised host.

The malware’s command-and-control infrastructure was hosted on the network of French provider OVH (AS16276). On port 8443/tcp, researchers observed a web page titled “The Cult” containing an authentication form, while the HTML source included Russian-language strings stating that access to the service had been blocked. CERT-UA also found that the associated self-signed SSL certificate had been created on March 18, 2026, and that its Organization field contained the value “TVisor.”

During a review of the AI-generated cert-ua[.]tech website, CERT-UA found embedded references to the CyberSerp Telegram channel, including the phrase “With Love, CYBER SERP.” On March 28, 2026, the same Telegram channel publicly claimed responsibility for the attack, helping remove uncertainty around the technical attribution. Based on these findings, CERT-UA assigned the activity the identifier UAC-0255.

Despite the breadth of targeting, CERT-UA assessed the attack as unsuccessful. Investigators identified only a few infected personal devices belonging to employees of educational institutions, and the response team provided the necessary practical and methodological assistance.

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0255 phishing campaign impersonating CERT-UA. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

| Tactics | Techniques | Sigma Rules |
| --- | --- | --- |
| Initial Access | Phishing: Spearphishing Attachment (T1566) | |
| Execution | Scheduled Task/Job: Scheduled Task (T1053.005) | |
| Defense Evasion | Obfuscated Files or Information (T1027) | |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | |
| Command and Control | Ingress Tool Transfer (T1105) | |

The post UAC-0255 Attack Detection: Threat Actors Impersonate CERT-UA to Infect Ukrainian Public and Private Sector Organizations With AGEWHEEZE RAT appeared first on SOC Prime.

Firewall Daily – The Cyber Express, by Mihir Bagwe

Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks

30 March 2026, 05:45


Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.

The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from the Files.fm file-sharing service and installed what the messages described as specialized protective software.

The phishing emails were targeted at a broad cross-section of Ukrainian institutions, including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms.

Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech, a domain created on March 27, just one day into the distribution window. The look-alike website carried content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool."

The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely.

AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine.

AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH.

That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent".

Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official."

[Figure: Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)]

On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful."

No more than a few personal devices belonging to employees of educational institutions were identified as infected. CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure.

CERT-UA itself has previously documented campaigns by multiple threat groups, including UAC-0002, UAC-0035, and the group tracked here as UAC-0252, that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it.

CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections, including Software Restriction Policies and AppLocker, and by deploying specialized endpoint protection tools. Full indicators of compromise, including file hashes, network indicators, and host-based artifacts, are available in the CERT-UA advisory.
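A defender-side hunt over the host artifacts the articles above attribute to AGEWHEEZE: the "SvcHelper"/"CoreService" autorun entries pointing into AppData, the "/example.com/tvisor/agent" package path, the self-signed certificate with Organization "TVisor", and the lure archive names and impersonation domain. This is an added example, not code from CERT-UA, SOC Prime or The Cyber Express; the telemetry record schema, the `classify`/`hunt` functions and the sample records are constructed for it.

```python
import re
from collections import defaultdict

# Indicators quoted in the reporting above; the matching logic itself is this example's own heuristic.
PERSISTENCE_NAMES = {"svchelper", "coreservice"}   # Run key / Startup folder / scheduled task entry names
AUTORUN_SOURCES = {"run_key", "startup_dir", "scheduled_task"}
CERT_ORG = "tvisor"                                 # Organization field of the self-signed C2 certificate
PACKAGE_PATH = "/example.com/tvisor/agent"          # Go package path embedded in the binary
LURE_ARCHIVES = {"cert_ua_protection_tool.zip", "protection_tool.zip"}
LURE_DOMAIN = "cert-ua.tech"
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def classify(rec):
    """Return the indicator reasons one telemetry record matches (empty list if none).
    Records are dicts with a 'kind' key; the schema is an assumption of this example."""
    kind, reasons = rec.get("kind"), []
    if kind == "autorun":
        if rec.get("name", "").lower() in PERSISTENCE_NAMES and rec.get("source") in AUTORUN_SOURCES:
            reasons.append(f"autorun entry '{rec['name']}' via {rec['source']}")
            # AppData is a common location on its own, so it is reported only next to a name hit.
            if APPDATA_RE.search(rec.get("path", "")):
                reasons.append("autorun target lives under AppData")
    elif kind == "binary" and PACKAGE_PATH in rec.get("strings", []):
        reasons.append("Go package path matches AGEWHEEZE")
    elif kind == "tls" and rec.get("self_signed") and rec.get("cert_org", "").lower() == CERT_ORG:
        reasons.append("self-signed TLS certificate with Organization 'TVisor'")
    elif kind == "download":
        url = rec.get("url", "").lower()
        if url.rsplit("/", 1)[-1] in LURE_ARCHIVES or LURE_DOMAIN in url:
            reasons.append("lure archive name or impersonation domain")
    return reasons

def hunt(records):
    """Group hits per host so an analyst sees the whole chain rather than isolated signals."""
    hits = defaultdict(list)
    for rec in records:
        hits[rec["host"]].extend(classify(rec))
    return {host: reasons for host, reasons in hits.items() if reasons}

# Constructed sample telemetry: WS01 is benign, WS02 shows the lure-to-persistence chain.
SAMPLE = [
    {"host": "WS01", "kind": "autorun", "source": "run_key", "name": "OneDrive",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"host": "WS02", "kind": "download", "url": "https://files.fm/PLACEHOLDER/CERT_UA_protection_tool.zip"},
    {"host": "WS02", "kind": "autorun", "source": "scheduled_task", "name": "SvcHelper",
     "path": r"C:\Users\bob\AppData\Roaming\SvcHelper\agent.exe"},
    {"host": "WS02", "kind": "tls", "self_signed": True, "cert_org": "TVisor"},
    {"host": "WS02", "kind": "binary", "strings": ["/example.com/tvisor/agent", "TVisor"]},
]
```

Running `hunt(SAMPLE)` reports WS02 with five reasons and nothing for WS01; feed real autorun, certificate and proxy exports in the same record shape to use it beyond the sample.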