The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urged recipients to install the “specialized software.”
The targets of the campaign included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the email address “incidents@cert-ua[.]tech.”
The ZIP file (“CERT_UA_protection_tool.zip”) is designed to download malware packaged as security software from the agency. The malware, per CERT-UA, is a remote access trojan codenamed AGEWHEEZE.
A Go-based malware, AGEWHEEZE communicates with an external server (“54.36.237[.]92”) over WebSockets and supports a wide range of commands to execute commands, perform file operations, modify the clipboard, emulate mouse and keyboard, take screenshots, and manage processes and services. It also creates persistence by using a scheduled task, modifying the Windows Registry, or adding itself to the Startup directory.
The attack is assessed to have been largely unsuccessful. “No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified,” the agency said. “The team’s specialists provided the necessary methodological and practical assistance.”
An analysis of the bogus website “cert-ua[.]tech” has revealed that it was likely generated with assistance from artificial intelligence (AI) tools, with the HTML source code also including a comment: “С Любовью, КИБЕР СЕРП,” meaning “With Love, CYBER SERP.”
In posts on Telegram, Cyber Serp claims that they are “cyber-underground operatives from Ukraine.” The Telegram channel was created in November 2025 and has more than 700 subscribers.
The threat actor also said the phishing emails were sent to 1 million ukr[.]net mailboxes as part of the campaign, and that over 200,000 devices have been compromised. “We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions,” it said in a post.
Last month, Cyber Serp took responsibility for an alleged breach of Ukrainian cybersecurity company Cipher, stating it obtained a complete dump of the servers, including a client database and source code for their line of CIPS products, among others.
In a statement on its website, Cipher acknowledged that attackers compromised the credentials of an employee at one of its technology companies but said its infrastructure was operating normally. The infected user had access to a single project, which did not contain sensitive data, it added.
