
Threat actor UAC-0255 launched a phishing campaign that impersonated CERT-UA to spread the AGEWHEEZE remote access tool; the operation was first observed in late March 2026. The attackers emailed about one million recipients, claiming that a large‑scale Russian cyberattack was being prepared against Ukrainian critical infrastructure. Recipients were instructed to download a password‑protected ZIP file from Files[.]fm and run the purported security software inside. The password is not there for the victim's benefit: an encrypted archive cannot be inspected by most mail gateways, which is why the technique is so common in phishing lures.
AGEWHEEZE is a Go‑based remote access trojan that provides command execution, file management, screen capture, input control and process or service management. It establishes persistence via registry keys, startup folders or scheduled tasks and communicates with its controller at 54.36.237[.]92 over WebSockets. The malware was delivered inside a ZIP named CERT_UA_protection_tool.zip hosted on Files[.]fm, while a counterfeit website cert-ua[.]tech mirrored the genuine CERT-UA portal to lure victims.
No CVE identifiers are associated with this campaign: it relies entirely on social engineering (persuading the recipient to run a trojanised "security tool") rather than on a software flaw, so patching does not address it. Once executed, AGEWHEEZE can enumerate running processes, capture screenshots, log keystrokes and modify system settings to maintain its foothold. Analysis of the command‑and‑control traffic shows the use of encrypted WebSocket frames, so basic network monitoring that relies on payload inspection will not see the commands; detection has to lean on the destination address and on endpoint behaviour instead.
CERT-UA attributed the activity to UAC-0255, a group linked to pro‑Russian interests, and said the campaign was detected on 26 and 27 March 2026. Although the mailing list was large, the agency reported only a handful of infections, mostly on personal devices at educational institutions. The attackers also used the OVH cloud platform to host their command server, with a login page dubbed “The Cult” that contained Russian‑language elements.
Organisations should treat any unexpected email that claims to come from CERT-UA with suspicion, especially one that prompts the download of an archive from a file‑sharing service. Security teams can block the download URL on Files[.]fm (blocking the whole service may be too disruptive where it is used legitimately) and the OVH address 54.36.237[.]92, and monitor for WebSocket upgrades (the HTTP "Upgrade: websocket" header) to destinations that are not known SaaS endpoints; the report does not state which port the controller listens on, so do not filter on port alone. Users who have already opened the ZIP should run a reputable anti‑malware scan and check the autorun locations the malware is reported to use: the Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM equivalent), the startup folders and the scheduled tasks.
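The following triage script is an added example, not code from the article or from CERT-UA. It walks the persistence locations the report attributes to AGEWHEEZE (Run/RunOnce keys, startup folders, scheduled tasks), looks for live connections to the published C2 address, checks the DNS cache for the counterfeit domain and searches the usual download locations for the lure archive. Only the three IOC values are taken from the article; the paths searched, the "user-writable location" heuristic and the output layout are assumptions.

```powershell
# Added triage script (not from the article or CERT-UA). Run in an elevated
# PowerShell 5.1+ session on a Windows host that opened the ZIP.
# Only the IOC values below come from the report; everything else is assumed.
$Iocs = @{
    C2Ip     = '54.36.237.92'                 # reported controller (OVH), WebSocket
    FakeHost = 'cert-ua.tech'                 # counterfeit CERT-UA portal
    ZipName  = 'CERT_UA_protection_tool.zip'  # lure archive hosted on Files.fm
}

# Heuristic: autorun commands that execute from user-writable locations deserve
# review. A genuine security tool would not live in %APPDATA% or %TEMP%.
$Suspicious = 'AppData|Temp|Downloads|Users\\Public|ProgramData'

function Get-AutorunEntries {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = $p.Value
                Review   = [bool]($p.Value -match $Suspicious)
            }
        }
    }
}

function Get-StartupFiles {
    # Per-user and all-users Startup folders
    foreach ($dir in [Environment]::GetFolderPath('Startup'),
                     [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    }
}

function Get-SuspiciousTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped
            if ($a.Execute -and ($a.Execute -match $Suspicious -or $a.Arguments -match $Suspicious)) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Execute = $a.Execute
                    Args    = $a.Arguments
                    User    = $task.Principal.UserId
                }
            }
        }
    }
}

function Get-C2Connections {
    # The report gives no port, so match on the remote address only
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $Iocs.C2Ip } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemotePort = $_.RemotePort
                Pid        = $_.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path
            }
        }
}

function Get-DnsHits {
    # Only entries still cached are visible; an empty result is not a clean bill
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$($Iocs.FakeHost)*" -or $_.Data -eq $Iocs.C2Ip } |
        Select-Object Entry, Data
}

function Find-LureArchive {
    Get-ChildItem -Path "$env:USERPROFILE\Downloads", $env:TEMP -Recurse -File `
        -Filter $Iocs.ZipName -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Print each section immediately so headings and tables stay in order
foreach ($section in 'Get-AutorunEntries', 'Get-StartupFiles', 'Get-SuspiciousTasks',
                     'Get-C2Connections', 'Get-DnsHits', 'Find-LureArchive') {
    Write-Host "== $section =="
    & $section | Format-Table -AutoSize | Out-Host
}
```

Get-ScheduledTask and Get-NetTCPConnection require Windows 8 / Server 2012 or later. A Run entry flagged for review is a starting point for inspection, not a verdict: plenty of legitimate updaters run from AppData, and a RAT that has already migrated into another process will not show up under its own name in the connection list. Treat an empty result as "nothing found by this script", not as proof the host is clean, and preserve the host for forensics before removing anything.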
Sharing the observed indicators of compromise, such as the ZIP name, the fake domain cert-ua[.]tech and the WebSocket endpoint, with incident‑response peers helps improve detection across the community. Updating email gateway rules to flag messages that refer to an imminent Russian cyberattack, or that use CERT-UA branding while failing sender authentication (SPF, DKIM, DMARC) for the genuine CERT-UA domain, reduces the chance of future success. Staying vigilant against impersonation tactics remains a key defence as threat actors continue to abuse trusted institutions for malware distribution.