CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails Ravie LakshmananApr 01, 2026Email Security / Artificial Intelligence The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urged recipients to install the "specialized software." The targets of the campaign included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the email address "incidents@cert-ua[.]tech." The ZIP file ("CERT_UA_protection_tool.zip") is designed to download malware packaged as security software from the agency. The malware, per CERT-UA, is a remote access trojan codenamed AGEWHEEZE.  A Go-based malware, AGEWHEEZE communicates with an external server ("54.36.237[.]92") over WebSockets and supports a wide range of commands to execute commands, perform file operations, modify the clipboard, emulate mouse and keyboard, take screenshots, and manage processes and services. It also creates persistence by using a scheduled task, modifying the Windows Registry, or adding itself to the Startup directory. The attack is assessed to have been largely unsuccessful. "No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified," the agency said. "The team's specialists provided the necessary methodological and practical assistance." An analysis of the bogus website "cert-ua[.]tech" has revealed that it was likely generated with assistance from artificial intelligence (AI) tools, with the HTML source code also including a comment: "С Любовью, КИБЕР СЕРП," meaning "With Love, CYBER SERP." In posts on Telegram, Cyber Serp claims that they are "cyber-underground operatives from Ukraine." The Telegram channel was created in November 2025 and has more than 700 subscribers. The threat actor also said the phishing emails were sent to 1 million ukr[.]net mailboxes as part of the campaign, and that over 200,000 devices have been compromised. "We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions," it said in a post. Last month, Cyber Serp took responsibility for an alleged breach of Ukrainian cybersecurity company Cipher, stating it obtained a complete dump of the servers, including a client database and source code for their line of CIPS products, among others. In a statement on its website, Cipher acknowledged that attackers compromised the credentials of an employee at one of its technology companies but said its infrastructure was operating normally. The infected user had access to a single project, which did not contain sensitive data, it added. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  artificial intelligence, CERT-UA, cybersecurity, data breach, email security, Malware, Phishing, Remote Access Trojan, Ukraine Trending News Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment Detect AI-Driven Threats Faster With Full Network Visibility [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats