CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails - The Hacker News
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Ravie Lakshmanan, Apr 01, 2026, Email Security / Artificial Intelligence
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urged recipients to install the "specialized software."
The targets of the campaign included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the email address "incidents@cert-ua[.]tech."
The ZIP file ("CERT_UA_protection_tool.zip") is designed to download malware that masquerades as security software from the agency. The malware, per CERT-UA, is a remote access trojan codenamed AGEWHEEZE.
AGEWHEEZE is Go-based malware that communicates with an external server ("54.36.237[.]92") over WebSockets and supports a wide range of commands: executing shell commands, performing file operations, modifying the clipboard, emulating mouse and keyboard input, taking screenshots, and managing processes and services. It establishes persistence through a scheduled task, a Windows Registry modification, or a copy of itself in the Startup directory.
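A detection sketch, added here and not taken from the article or from CERT-UA, that applies the indicators reported above (the lure sender domain, the archive name, the Files.fm hosting service and the WebSocket C2 address) to constructed mail-gateway and proxy records; the trusted-domain allowlist and both log formats are assumptions.

```python
import re

# Indicators reported in the article, re-fanged for matching.
C2_IP = "54.36.237.92"
LURE_SENDER_DOMAIN = "cert-ua.tech"
LURE_ATTACHMENT = "cert_ua_protection_tool.zip"
LURE_HOST_RE = re.compile(r"https?://(?:[^/]*\.)?files\.fm/", re.I)

# Assumption: domains this organisation accepts as genuine CERT-UA senders.
# Placeholder value; replace with the agency's real mail domain(s).
TRUSTED_CERT_UA_DOMAINS = {"cert-ua.example"}

def check_mail(sender, attachments, urls):
    """Score one mail-gateway record; returns the list of matched reasons."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == LURE_SENDER_DOMAIN:
        reasons.append("sender domain is the reported lure domain")
    elif "cert-ua" in domain and domain not in TRUSTED_CERT_UA_DOMAINS:
        reasons.append("CERT-UA lookalike sender domain: " + domain)
    if any(a.lower() == LURE_ATTACHMENT for a in attachments):
        reasons.append("attachment name matches the reported archive")
    if any(LURE_HOST_RE.search(u) for u in urls):
        reasons.append("link to Files.fm, the reported hosting service")
    return reasons

# Assumed proxy log format: "<ts> <src> -> <dst>:<port> <method> [upgrade=<proto>]"
PROXY_RE = re.compile(r"^(\S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)(?: upgrade=(\S+))?$")

def check_proxy(line):
    """Flag a proxy log line showing traffic to the reported C2 address."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, _method, upgrade = m.groups()
    if dst != C2_IP:
        return None
    kind = "WebSocket C2 session" if upgrade == "websocket" else "connection"
    return f"{ts} {src}: {kind} to reported AGEWHEEZE C2 {dst}:{port}"

# Constructed sample records, not real captured data.
SAMPLE_MAIL = [
    {"sender": "incidents@cert-ua.tech", "attachments": [], "urls": ["https://files.fm/u/abc123"]},
    {"sender": "alerts@cert-ua-support.example", "attachments": ["CERT_UA_protection_tool.zip"], "urls": []},
    {"sender": "hr@corp.example", "attachments": ["payroll.pdf"], "urls": []},
]
SAMPLE_PROXY = [
    "2026-03-27T09:14:02Z 10.0.0.5 -> 54.36.237.92:443 CONNECT upgrade=websocket",
    "2026-03-27T09:14:05Z 10.0.0.7 -> 93.184.216.34:443 CONNECT",
]

def run():
    """Evaluate the samples; returns (mail hits by sender, proxy hit lines)."""
    mail_hits = {m["sender"]: check_mail(**m) for m in SAMPLE_MAIL}
    proxy_hits = [h for h in map(check_proxy, SAMPLE_PROXY) if h]
    return mail_hits, proxy_hits
```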
The attack is assessed to have been largely unsuccessful. "No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified," the agency said. "The team's specialists provided the necessary methodological and practical assistance."
An analysis of the bogus website "cert-ua[.]tech" has revealed that it was likely generated with assistance from artificial intelligence (AI) tools, with the HTML source code also including a comment: "С Любовью, КИБЕР СЕРП," meaning "With Love, CYBER SERP."
In posts on Telegram, Cyber Serp claims that they are "cyber-underground operatives from Ukraine." The Telegram channel was created in November 2025 and has more than 700 subscribers.
The threat actor also said the phishing emails were sent to 1 million ukr[.]net mailboxes as part of the campaign, and that over 200,000 devices have been compromised. "We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions," it said in a post.
Last month, Cyber Serp took responsibility for an alleged breach of Ukrainian cybersecurity company Cipher, stating it obtained a complete dump of the servers, including a client database and source code for their line of CIPS products, among others.
In a statement on its website, Cipher acknowledged that attackers compromised the credentials of an employee at one of its technology companies but said its infrastructure was operating normally. The infected user had access to a single project, which did not contain sensitive data, it added.