PROBABLYPWNED
Threat Intelligence | April 2, 2026 | 4 min read

Hackers Impersonate Ukraine's CERT to Push AGEWHEEZE RAT

Threat actor UAC-0255 sent 1 million phishing emails posing as CERT-UA to distribute the AGEWHEEZE remote access trojan targeting Ukrainian organizations.

Alex Kowalski

A threat actor tracked as UAC-0255 has been impersonating Ukraine's Computer Emergency Response Team (CERT-UA) to distribute a remote access trojan called AGEWHEEZE, sending phishing emails to an estimated 1 million Ukrainian mailboxes.

CERT-UA disclosed the campaign on April 1, 2026, warning that emails sent March 26-27 posed as legitimate security alerts from the cybersecurity agency itself—a particularly insidious social engineering tactic that exploits institutional trust.

Attack Campaign Details

The phishing emails originated from "incidents@cert-ua[.]tech"—a lookalike domain designed to appear legitimate at first glance. Messages urged recipients to install "specialized software" to protect against cyberattacks, distributing password-protected ZIP archives ("CERT_UA_protection_tool.zip") hosted on Files.fm.

Targets included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies—essentially the full spectrum of Ukrainian critical infrastructure and private sector organizations.

The threat actors behind the campaign, operating under the name "Cyber Serp," claimed via Telegram that the campaign reached 1 million ukr.net mailboxes and compromised more than 200,000 devices. CERT-UA's assessment paints a different picture: "no more than a few infected personal devices belonging to employees of educational institutions" were actually identified.

AGEWHEEZE Malware Capabilities

AGEWHEEZE is a Go-based remote access trojan that communicates with command-and-control servers over WebSockets—a choice that helps evade network monitoring designed to detect more traditional C2 protocols.

The malware supports a wide range of capabilities:

  • Command execution on infected systems
  • File operations (read, write, delete, exfiltrate)
  • Clipboard modification and monitoring
  • Mouse and keyboard emulation for remote control
  • Screenshot capture
  • Process and service management

For persistence, AGEWHEEZE uses multiple fallback mechanisms: scheduled tasks, Windows Registry modification, or adding itself to the Startup directory. This redundancy ensures the malware survives reboots even if one persistence method is discovered and removed.

The C2 server was identified at 54.36.237[.]92, communicating over WebSocket connections.
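Because the trojan's C2 channel rides on WebSockets, a proxy or egress log is where a defender can look for it. The script below is an added example, not code from CERT-UA or from this article: it scans constructed sample proxy lines in an assumed simplified format, flags successful WebSocket handshakes (status 101 with an Upgrade header) to the published C2 address, and also flags handshakes made straight to a bare IP with no hostname, which legitimate browser-based WebSocket applications rarely do. Only the C2 address 54.36.237[.]92 comes from the disclosure; every other value is made up for the example.

```python
"""Hunt for WebSocket C2 beaconing in web-proxy logs.

Added example (not CERT-UA's or the article's code). The log format and the
sample lines below are constructed; only the C2 address 54.36.237[.]92 comes
from the CERT-UA disclosure quoted in the article.
"""
import re
from ipaddress import ip_address

# Known AGEWHEEZE C2 address from the advisory (undefanged for matching).
KNOWN_C2 = {"54.36.237.92"}

# Constructed sample lines in an assumed, simplified proxy format:
# <timestamp> <src_ip> <dst_host> <dst_port> <method> <path> <status> <upgrade>
# A 101 status together with "websocket" marks a completed WebSocket handshake.
SAMPLE_LOG = """\
2026-03-27T09:14:02Z 10.0.5.21 54.36.237.92 80 GET /ws 101 websocket
2026-03-27T09:14:32Z 10.0.5.21 54.36.237.92 80 GET /ws 101 websocket
2026-03-27T09:15:02Z 10.0.5.21 54.36.237.92 80 GET /ws 101 websocket
2026-03-27T09:15:10Z 10.0.5.33 chat.example.com 443 GET /socket 101 websocket
2026-03-27T09:16:44Z 10.0.5.40 cdn.example.net 443 GET /index.html 200 -
2026-03-27T09:17:00Z 10.0.5.52 198.51.100.7 8080 GET /api/ws 101 websocket
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<upgrade>\S+)$"
)


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze(log_text: str) -> list[dict]:
    """Return one finding per (source, destination) pair that looks like C2.

    Two signals: a destination on the IOC list (high confidence) and a
    WebSocket handshake made directly to an IP literal with no hostname
    (medium confidence). Handshakes per pair are counted so a beacon that
    reconnects on a schedule stands out from a one-off connection.
    """
    sessions: dict[tuple[str, str], dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = m.groupdict()
        handshake = rec["status"] == "101" and rec["upgrade"].lower() == "websocket"
        if not handshake:
            continue
        entry = sessions.setdefault(
            (rec["src"], rec["dst"]),
            {"src": rec["src"], "dst": rec["dst"], "handshakes": 0, "reasons": set()},
        )
        entry["handshakes"] += 1
        if rec["dst"] in KNOWN_C2:
            entry["reasons"].add("destination is a known AGEWHEEZE C2 address")
        if is_ip_literal(rec["dst"]):
            entry["reasons"].add("WebSocket handshake to a bare IP, no hostname")

    findings = []
    for entry in sessions.values():
        if not entry["reasons"]:
            continue
        entry["severity"] = "high" if entry["dst"] in KNOWN_C2 else "medium"
        entry["reasons"] = sorted(entry["reasons"])
        findings.append(entry)
    # Highest severity first, then by source for a stable report order.
    return sorted(findings, key=lambda e: (e["severity"] != "high", e["src"]))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']} "
              f"({f['handshakes']} handshakes): {'; '.join(f['reasons'])}")
```

Run against the sample, the host talking to the published C2 address comes out as a high-severity finding with three handshakes, the bare-IP destination on port 8080 as medium, and the hostname-based chat service is not reported. The bare-IP rule will produce noise in environments with internal WebSocket services addressed by IP, so pair it with an allowlist before alerting on it.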

AI-Generated Infrastructure

Analysis of the fake CERT-UA website revealed telltale signs of AI-assisted creation. The HTML source code included a comment in Russian: "С Любовью, КИБЕР СЕРП" (With Love, CYBER SERP)—essentially a calling card from the threat actors.

This follows a broader pattern of threat actors incorporating AI tools into their operations, similar to the DeepLoad malware campaign that uses AI-generated code obfuscation. While AI isn't making attacks more sophisticated per se, it's lowering the barrier for creating convincing phishing infrastructure.

Attribution and Context

UAC-0255's exact attribution remains unclear, though the campaign's targeting of Ukrainian organizations and Russian-language artifacts suggest either a Russian-aligned group or cybercriminals operating in that space.

The tactic of impersonating national cybersecurity agencies is particularly concerning. When attackers pose as the very organizations tasked with defending against cyber threats, they weaponize the trust that security teams and IT staff need to have in legitimate advisories.

This isn't the first time we've seen impersonation of security organizations—it echoes techniques used by nation-state actors like APT28 who frequently impersonate legitimate services to harvest credentials.

Why This Matters

The campaign's claimed scale—1 million emails—reflects the commoditization of mass phishing operations. Even if CERT-UA's assessment is accurate and actual infections were minimal, the attempt itself demonstrates that no sender identity is sacred to attackers.

For organizations in conflict zones or high-threat environments, this creates a genuine dilemma: how do you maintain trust in legitimate security communications when threat actors are actively impersonating your defenders?

The answer lies in out-of-band verification. Organizations should establish secondary communication channels for critical security alerts and train staff to verify unexpected "urgent" security communications through official channels before taking any action—especially when that action involves downloading and running software.

Indicators of Compromise

Indicator                      Type
incidents@cert-ua[.]tech       Email sender
cert-ua[.]tech                 Phishing domain
CERT_UA_protection_tool.zip    Malicious file
54.36.237[.]92                 C2 server

Recommendations

Organizations concerned about similar impersonation attacks should:

  1. Block the known IOCs listed above at email gateways and network perimeters
  2. Train staff to verify unexpected security communications through official channels
  3. Implement SPF, DKIM, and DMARC to reduce email spoofing risk
  4. Monitor for lookalike domains targeting your organization using services like Greyphish
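Recommendations 1, 3 and 4 and the out-of-band verification advice above can be turned into a gateway-side triage rule. The script below is an added example, not CERT-UA's or this article's code: it parses two constructed messages, matches the sender domain and attachment name against the IOCs published here, flags a sender domain that imitates the agency's name without being the official one, checks the Authentication-Results header for a DMARC pass, and flags a ZIP attachment whose password is supplied in the same message (the pattern that keeps gateway scanners from opening the archive). It assumes cert.gov.ua as the agency's official domain, which is not stated in the article, and the keyword-based lookalike check is a deliberately simple stand-in for a proper lookalike-monitoring service.

```python
"""Triage an inbound email claiming to come from CERT-UA.

Added example (not the article's or CERT-UA's code). The two sample messages
are constructed; the IOC values (sender domain and archive name) come from the
article. cert.gov.ua is assumed to be the genuine agency domain.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# IOCs from the article, undefanged for matching.
IOC_SENDER_DOMAINS = {"cert-ua.tech"}
IOC_FILENAMES = {"cert_ua_protection_tool.zip"}

# Assumed official domain of the genuine agency (not from the article).
TRUSTED_DOMAINS = {"cert.gov.ua"}
# A domain imitates the agency if, with dots/hyphens/underscores stripped,
# it contains one of these tokens: "cert-ua.tech" -> "certuatech".
BRAND_TOKENS = ("certua",)

# Constructed lure modelled on the campaign described in the article.
PHISH = """\
From: CERT-UA <incidents@cert-ua.tech>
To: admin@example.ua
Subject: Urgent: install the CERT-UA protection tool
Authentication-Results: mx.example.ua; spf=pass smtp.mailfrom=cert-ua.tech; dkim=none; dmarc=none header.from=cert-ua.tech
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Install the attached specialized software to protect against cyberattacks.
Archive password: 1234
--b1
Content-Type: application/zip; name="CERT_UA_protection_tool.zip"
Content-Disposition: attachment; filename="CERT_UA_protection_tool.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message from the assumed official domain.
BENIGN = """\
From: CERT-UA <cert@cert.gov.ua>
To: admin@example.ua
Subject: Weekly advisory digest
Authentication-Results: mx.example.ua; spf=pass smtp.mailfrom=cert.gov.ua; dkim=pass header.d=cert.gov.ua; dmarc=pass header.from=cert.gov.ua
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

This week's advisories are available on the portal.
"""


def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def looks_like_brand(domain: str) -> bool:
    """True for a non-trusted domain that carries the agency's name."""
    flat = re.sub(r"[.\-_]", "", domain)
    return domain not in TRUSTED_DOMAINS and any(t in flat for t in BRAND_TOKENS)


def triage(raw: str) -> list[str]:
    """Return the list of reasons the message deserves a closer look."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    domain = sender_domain(msg)
    if domain in IOC_SENDER_DOMAINS:
        reasons.append("sender domain is a published AGEWHEEZE IOC")
    elif looks_like_brand(domain):
        reasons.append("sender domain imitates CERT-UA but is not the official domain")

    # SPF/DKIM/DMARC protect your own domain from exact spoofing; an attacker's
    # lookalike domain can pass SPF, so the DMARC verdict is a supporting signal.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bdmarc=(\w+)", auth)
    if not m or m.group(1).lower() != "pass":
        reasons.append("no DMARC pass for the From domain")

    attachments = [
        p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"
    ]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    for name in attachments:
        if name.lower() in IOC_FILENAMES:
            reasons.append(f"attachment {name} matches a published IOC")
        if name.lower().endswith(".zip") and "password" in body:
            reasons.append("archive attached with its password in the message body")
    return reasons


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw) or ["no findings"])
```

The lure trips four rules while the benign digest trips none. The DMARC check illustrates the caveat behind recommendation 3: the lure's lookalike domain passes SPF because the attackers control it, so SPF, DKIM and DMARC stop spoofing of your exact domain but not impersonation through a registered lookalike, which is why the domain-monitoring step and out-of-band verification are needed alongside them.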

For the latest on cybersecurity threats and threat actor activity, security teams should subscribe to official CERT feeds and verify the authenticity of any urgent communications before acting on them.
