thehackernews.com 4/1/2026, 6:37:16 PM

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

Threat actor UAC-0255 impersonated CERT-UA to spread AGEWHEEZE malware via phishing

Threat actor UAC-0255 impersonated CERT-UA in a phishing campaign to spread the AGEWHEEZE remote access tool, sending emails to about 1 million users. The messages urged recipients to download a password-protected archive from Files[.]fm and install a fake “specialized software” that would give attackers control over infected systems. AGEWHEEZE offers…

First seen 2026-04-01T18:34:53.033Z · Last seen 2026-04-02T15:04:27.967Z

CyberSIXT Evidence Panel
Primary Source: cert.gov.ua
Threat Actor: UAC-0255

CERT-UA has disclosed a phishing campaign in which the agency itself was impersonated to spread a remote administration tool named AGEWHEEZE. The threat actors, tracked as UAC-0255, sent emails on 26 and 27 March 2026 posing as CERT-UA to push a password-protected ZIP archive hosted on Files[.]fm, urging recipients to install the software.

The ZIP file, titled CERT_UA_protection_tool.zip, purported to be security software and contained the AGEWHEEZE malware, a Go-based remote access Trojan that communicates with an external server at 54.36.237[.]92 over WebSockets and can execute a wide range of commands. CERT-UA said the attack was largely unsuccessful, identifying no more than a few infected personal devices at educational institutions, and offered methodological support to mitigate the impact.

The campaign targeted state bodies, medical centres, security firms, educational institutions, financial organisations and software developers, with some emails sent from incidents@cert-ua[.]tech. The threat actor claimed phishing emails were sent to around 1 million ukr[.]net mailboxes and that over 200,000 devices were compromised, according to Cyber Serp on Telegram.

An analysis of the bogus site cert-ua[.]tech suggested AI tools may have aided its creation, and the group also referenced Cyber Serp, described as cyber-underground operatives from Ukraine.
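The indicators above (the lookalike sender domain, the lure archive name and the reported server address) are enough for a simple defensive check. The following is an added example, not code from the report or from CyberSIXT: it runs over constructed, hypothetical key=value gateway log lines and flags sender domains that evoke CERT-UA but are not the legitimate cert.gov.ua, the named archive, and connections to the reported address.

```python
import re

# Indicators quoted in the CERT-UA report summarised above (defanging brackets removed).
LEGIT_DOMAIN = "cert.gov.ua"
ARCHIVE_NAME = "CERT_UA_protection_tool.zip"
C2_ADDRESS = "54.36.237.92"

# Constructed sample lines in a hypothetical key=value gateway log format (not real logs).
SAMPLE_LOGS = [
    'MAIL from=incidents@cert-ua.tech to=staff@example.org subject="Protection tool"',
    'MAIL from=alerts@cert.gov.ua to=staff@example.org subject="Advisory"',
    'DOWNLOAD host=files.fm file=CERT_UA_protection_tool.zip user=staff',
    'CONN dst=54.36.237.92 dport=443 proto=websocket user=staff',
    'CONN dst=203.0.113.5 dport=443 proto=https user=staff',
]


def is_cert_ua_lookalike(domain: str) -> bool:
    """True for domains that evoke CERT-UA but are not cert.gov.ua or a subdomain of it."""
    d = domain.lower()
    if d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN):
        return False
    return "cert" in d and "ua" in d


def classify(line: str) -> list[str]:
    """Return the detection reasons for one log line (empty list if nothing matched)."""
    reasons = []
    m = re.search(r"\bfrom=\S+@([\w.-]+)", line)
    if m and is_cert_ua_lookalike(m.group(1)):
        reasons.append(f"sender domain impersonates CERT-UA: {m.group(1)}")
    m = re.search(r"\bfile=(\S+)", line)
    if m and m.group(1).lower() == ARCHIVE_NAME.lower():
        reasons.append(f"known lure archive: {m.group(1)}")
    m = re.search(r"\bdst=(\d+\.\d+\.\d+\.\d+)", line)
    if m and m.group(1) == C2_ADDRESS:
        reasons.append(f"connection to reported AGEWHEEZE server: {m.group(1)}")
    return reasons


def scan(lines):
    """Return [(line_number, reason), ...] with 1-based line numbers."""
    hits = []
    for n, line in enumerate(lines, 1):
        for reason in classify(line):
            hits.append((n, reason))
    return hits


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```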


Article by CyberSIXT
