Threat actor UAC-0255 impersonated CERT-UA in a phishing campaign that distributed the AGEWHEEZE remote access tool, sending emails to about 1 million users. The messages urged recipients to download a password-protected archive from Files[.]fm and install what the lure called "specialized software", which in fact handed the attackers control of the infected system.
AGEWHEEZE supports command execution, file management, screen capture, input control and process/service management. It persists via the registry, startup entries or scheduled tasks, and it communicates with its command-and-control server over WebSockets. The attackers also stood up a fake website, cert-ua[.]tech, mimicking the real CERT-UA site to promote the malware. The command server is hosted on OVH; its login page, titled "The Cult", contains Russian-language elements, which suggests a link to the attackers' origin.
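The indicators in the report (the lookalike domain, the file-sharing host used for staging, and WebSocket command-and-control) translate directly into hunting rules. The script below is an added example, not code from CERT-UA or from the report: it refangs the published indicators and runs three checks over a constructed proxy log. The log format, the source IPs, the paths and the WebSocket allowlist are all assumptions made for the example; Files[.]fm is a legitimate service, so the archive rule flags downloads for review rather than treating the host itself as malicious.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators as published in the advisory summary (defanged); refanged at runtime.
PHISHING_DOMAIN = "cert-ua[.]tech"
STAGING_HOST = "files[.]fm"

# Hosts to which WebSocket upgrades are expected in this constructed environment.
# Assumption: a real deployment would load this allowlist from configuration.
WEBSOCKET_ALLOWLIST = {"chat.example.internal"}

# Archive extensions worth reviewing when fetched from a public file-sharing host.
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")

# Constructed proxy log format (an assumption, not any real proxy's format):
# <timestamp> <src_ip> <method> <host> <path> upgrade=<websocket|none>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"upgrade=(?P<upgrade>\S+)$"
)


@dataclass
class Hit:
    line_no: int
    rule: str
    host: str


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as cert-ua[.]tech back into cert-ua.tech."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Apply the three hunting rules to proxy log lines and return the hits in order."""
    phish = refang(PHISHING_DOMAIN)
    staging = refang(STAGING_HOST)
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        host = m["host"].lower()
        path = m["path"].lower()
        # Rule 1: any contact with the lookalike domain is a hit on its own.
        if host_matches(host, phish):
            hits.append(Hit(n, "lookalike-domain", host))
        # Rule 2: archive download from the file-sharing host the campaign used.
        if host_matches(host, staging) and path.endswith(ARCHIVE_SUFFIXES):
            hits.append(Hit(n, "archive-from-file-share", host))
        # Rule 3: WebSocket upgrade to a host nobody expects to speak WebSockets.
        if m["upgrade"] == "websocket" and host not in WEBSOCKET_ALLOWLIST:
            hits.append(Hit(n, "unexpected-websocket", host))
    return hits


# Constructed sample log: lines 1-3 should fire one rule each, lines 4-6 should not.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET www.cert-ua.tech /download upgrade=none",
    "2024-01-01T10:00:05Z 10.0.0.5 GET files.fm /u/abc123/tool.zip upgrade=none",
    "2024-01-01T10:01:00Z 10.0.0.5 GET 203.0.113.7 /ws upgrade=websocket",
    "2024-01-01T10:01:10Z 10.0.0.6 GET chat.example.internal /socket upgrade=websocket",
    "2024-01-01T10:02:00Z 10.0.0.6 GET files.fm /u/xyz/report.pdf upgrade=none",
    "2024-01-01T10:03:00Z 10.0.0.7 GET legit.example.org / upgrade=none",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule} ({hit.host})")
```

The WebSocket rule is the noisiest of the three and only works with an allowlist that reflects the environment; the lookalike-domain rule is the one worth turning into a blocking control.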
According to CERT-UA, the campaign targeted government bodies, medical centres, security firms, and education and financial organisations; CERT-UA experts later helped contain the incident. The advisory notes that the fake site references a Telegram channel, attributes the attack to UAC-0255, and reports limited impact: only a few devices in educational institutions were infected.