Quick Takeaways
- CERT-UA uncovered a phishing campaign impersonating the agency to distribute malware called AGEWHEEZE, targeting Ukrainian institutions.
- The attack involved sending malicious ZIP files (“CERT_UA_protection_tool.zip”) with remote access Trojans designed to compromise devices.
- The campaign was largely unsuccessful, infecting only a small number of personal devices, with CERT-UA providing support to mitigate impacts.
- The fake website used in the attack was likely AI-generated, and the threat actor, Cyber Serp, claims to be a group of Ukrainian cyber-operatives and to have targeted over a million mailboxes.
Impersonation Campaign Targets Ukrainian Institutions
Cybersecurity officials in Ukraine recently uncovered a sophisticated phishing campaign that impersonated the Ukraine Computer Emergency Response Team (CERT-UA) to spread malicious software. Threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026. The emails appeared to come from CERT-UA but were designed to deceive recipients. The messages contained a password-protected ZIP file hosted on Files.fm, labeled “CERT_UA_protection_tool.zip,” and the goal was to persuade people to install what seemed like security software. Targets included government agencies, hospitals, security firms, schools, banks, and tech companies. Some emails used the address “incidents@cert-ua[.]tech.” The campaign’s reach was significant, with over one million email addresses receiving the messages. Despite the large scale, only a few personal devices were affected; cyber experts noted that most attempts failed to produce infections.
Malware Program Uses Artificial Intelligence and Steps to Avoid Detection
The malicious ZIP files contained malware called AGEWHEEZE, a remote access trojan (RAT). This malware, written in Go, connects to an external server over WebSockets. It supports many commands, allowing the operators to control infected computers remotely, including executing commands, managing files, copying data to the clipboard, taking screenshots, and controlling mouse and keyboard actions. AGEWHEEZE also persists on infected devices by adding itself to startup and modifying Windows Registry entries. Interestingly, investigators discovered that the fake website used in the campaign, “cert-ua[.]tech,” was likely generated with the help of artificial intelligence tools. The website’s HTML source code even included the phrase “With Love, CYBER SERP,” suggesting a connection to cyber underground groups. Although the attack caused limited damage, it highlights ongoing risks and the importance of strong email security measures.
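A defender-side triage check for the lure described in the two sections above (a message that claims to be CERT-UA but is sent from a lookalike domain such as cert-ua[.]tech, links to a Files.fm download, or references CERT_UA_protection_tool.zip). This is an added example, not code from the article or from CERT-UA; the message records are constructed, and the allowlist of genuine CERT-UA sender domains (cert.gov.ua) is an assumption.

```python
"""Flag inbound mail matching the UAC-0255 CERT-UA impersonation lure.

Constructed example for a mail-gateway or SIEM rule. The messages below are
made up, and LEGIT_CERT_UA_DOMAINS is an assumption, not an article fact.
"""
import re
from email.utils import parseaddr

# Assumption: the only domain a genuine CERT-UA notice would be sent from.
LEGIT_CERT_UA_DOMAINS = {"cert.gov.ua"}

# Indicators taken from the article (defanging brackets removed).
LURE_ATTACHMENT = re.compile(r"CERT_UA_protection_tool\.zip", re.I)
FILE_HOST = re.compile(r"https?://(?:www\.)?files\.fm/", re.I)
CLAIMS_CERT_UA = re.compile(r"cert[-_ ]?ua", re.I)


def flag_message(msg):
    """Return the reasons a message resembles the campaign (empty list if clean)."""
    reasons = []
    sender = msg.get("from", "")
    _, addr = parseaddr(sender)                 # handles "Name <user@host>"
    domain = addr.rpartition("@")[2].lower()
    claims = CLAIMS_CERT_UA.search(sender) or CLAIMS_CERT_UA.search(msg.get("subject", ""))
    if claims and domain not in LEGIT_CERT_UA_DOMAINS:
        reasons.append(f"claims CERT-UA but sent from {domain or 'unknown domain'}")
    body = msg.get("body", "")
    if FILE_HOST.search(body):
        reasons.append("links to a files.fm download")
    if LURE_ATTACHMENT.search(body) or any(
        LURE_ATTACHMENT.search(a) for a in msg.get("attachments", [])
    ):
        reasons.append("references CERT_UA_protection_tool.zip")
    return reasons


# Constructed sample messages: one lure, one genuine-looking notice, one unrelated.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "CERT-UA <incidents@cert-ua.tech>", "subject": "Protection tool",
     "body": "Install CERT_UA_protection_tool.zip from https://files.fm/u/EXAMPLE (password: 1234)",
     "attachments": []},
    {"id": "m2", "from": "incidents@cert.gov.ua", "subject": "CERT-UA advisory",
     "body": "See https://cert.gov.ua/ for details.", "attachments": []},
    {"id": "m3", "from": "hr@example.com", "subject": "Payroll",
     "body": "Attached.", "attachments": ["payroll.xlsx"]},
]


def triage(messages):
    """Map message id -> list of match reasons for a batch of messages."""
    return {m["id"]: flag_message(m) for m in messages}
```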
