CERT-UA impersonation phishing campaign spread AGEWHEEZE malware

A phishing campaign that impersonated Ukraine’s CERT-UA pushed a password-protected ZIP file carrying the AGEWHEEZE remote access trojan to targets in Ukraine on March 26 and 27, and only a small number of infected personal devices were later identified, according to a CERT-UA disclosure.

KEY FACTS

  • Impersonation: Emails posed as CERT-UA and urged recipients to install specialized software.
  • Targets: The campaign hit state bodies, hospitals, security firms, schools, financial institutions and software developers.
  • Payload: The ZIP file delivered AGEWHEEZE, a Go-based remote access trojan.
  • Impact: Only a small number of personal devices at educational institutions were found infected.

The messages used the address [email protected] and pointed recipients to a password-protected archive hosted on Files.fm. The archive, named CERT_UA_protection_tool.zip, was designed to download malware packaged as security software.

AGEWHEEZE communicates with an external server over WebSockets and can run commands, move files, change the clipboard, emulate keyboard and mouse input, take screenshots, and manage processes and services. It also uses scheduled tasks, registry changes or the Startup folder to maintain persistence.
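The persistence locations named above (scheduled tasks, registry run keys, the Startup folder) are the same ones a defender inventories when hunting for a fake "protection tool" on a suspect machine. The following script is an added example, not code from CERT-UA or from the article: it triages a constructed inventory of autorun entries, of the kind an Autoruns export or an EDR query would produce, and flags entries whose launch target lives outside the usual install roots, sits in a user-writable directory, or borrows security-tool naming from an untrusted location. The directory lists, lure words and sample entries are all assumptions constructed for the example.

```python
"""Triage a Windows autorun inventory for suspicious persistence entries.

Added example, not from CERT-UA or the article. The heuristics and the
sample inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AutorunEntry:
    source: str   # "registry_run", "scheduled_task" or "startup_folder"
    name: str     # value name, task name or shortcut name
    command: str  # command line or target path as recorded in the inventory


# Install roots where legitimately installed software normally lives (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Path fragments that mark user-writable locations a dropped payload tends to use.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\public\\", "\\desktop\\")
# Words a lure posing as a protection tool might use; constructed for this example.
LURE_WORDS = ("protection", "cert", "security", "antivirus", "defender")


def target_path(command: str) -> str:
    """Extract the launched executable from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ")[0].lower()


def triage_entry(entry: AutorunEntry) -> List[str]:
    """Return the reasons an entry deserves analyst attention (empty if none)."""
    reasons = []
    path = target_path(entry.command)
    trusted = path.startswith(TRUSTED_ROOTS)
    if not trusted:
        reasons.append("binary outside Program Files / Windows")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("binary in user-writable directory")
    label = f"{entry.name} {path}".lower()
    if not trusted and any(word in label for word in LURE_WORDS):
        reasons.append("security-tool naming from an untrusted location")
    return reasons


def triage(entries: List[AutorunEntry]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    findings = {}
    for entry in entries:
        reasons = triage_entry(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed sample inventory: two benign entries and two suspicious ones.
SAMPLE_INVENTORY = [
    AutorunEntry("registry_run", "OneDrive",
                 r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutorunEntry("scheduled_task", "CERT-UA Protection",
                 r"C:\Users\alice\Downloads\CERT_UA_protection_tool\protection.exe --service"),
    AutorunEntry("startup_folder", "updater.lnk",
                 r"C:\Users\alice\AppData\Roaming\updater\updater.exe"),
    AutorunEntry("registry_run", "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_INVENTORY).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The script flags the scheduled task pointing into Downloads and the Startup-folder shortcut pointing into AppData while passing the two entries rooted under Program Files and Windows, including the one whose name contains "Security"; the heuristics are a starting point for an analyst's review, not a verdict.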

CERT-UA said the attack was largely unsuccessful and that its specialists provided methodological and practical assistance to affected users. The fake cert-ua.tech website was also assessed as likely generated with help from AI tools and included a note signed in Russian as “With Love, CYBER SERP.”

The threat group behind the campaign, tracked as UAC-0255, later claimed on Telegram that it sent the phishing emails to 1 million ukr.net mailboxes and compromised more than 200,000 devices. The group has also claimed responsibility for an alleged breach of Ukrainian cybersecurity company Cipher.

WHY IT MATTERS

Impersonation campaigns that borrow the identity of trusted incident response teams can reduce suspicion and widen exposure across public and private organizations. The case also shows how remote access malware can be hidden inside a fake utility and paired with web, email and social channels to reach a broad audience.