The Laptop Emergency Response Workforce of Ukraine (CERT-UA) has disclosed particulars of a brand new phishing marketing campaign wherein the cybersecurity company itself was impersonated to distribute a distant administration instrument often called AGEWHEEZE.
As a part of the assaults, the risk actors, tracked as UAC-0255, despatched emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Recordsdata.fm and urged recipients to put in the “specialised software program.”
The targets of the marketing campaign included state organizations, medical facilities, safety corporations, academic establishments, monetary establishments, and software program growth corporations. A few of the emails have been despatched from the e-mail tackle “incidents@cert-ua[.]tech.”
The ZIP file (“CERT_UA_protection_tool.zip”) is designed to obtain malware packaged as safety software program from the company. The malware, per CERT-UA, is a distant entry trojan codenamed AGEWHEEZE.
A Go-based malware, AGEWHEEZE communicates with an exterior server (“54.36.237[.]92”) over WebSockets and helps a variety of instructions to execute instructions, carry out file operations, modify the clipboard, emulate mouse and keyboard, take screenshots, and handle processes and companies. It additionally creates persistence by utilizing a scheduled job, modifying the Home windows Registry, or including itself to the Startup listing.
The assault is assessed to have been largely unsuccessful. “No various contaminated private units belonging to staff of academic establishments of assorted types of possession have been recognized,” the company stated. “The staff’s specialists supplied the required methodological and sensible help.”
An evaluation of the bogus web site “cert-ua[.]tech” has revealed that it was possible generated with help from synthetic intelligence (AI) instruments, with the HTML supply code additionally together with a remark: “С Любовью, КИБЕР СЕРП,” which means “With Love, CYBER SERP.”
In posts on Telegram, Cyber Serp claims that they’re “cyber-underground operatives from Ukraine.” The Telegram channel was created in November 2025 and has greater than 700 subscribers.
The risk actor additionally stated the phishing emails have been despatched to 1 million ukr[.]web mailboxes as a part of the marketing campaign, and that over 200,000 units have been compromised. “We aren’t bandits – the common Ukrainian citizen won’t ever undergo on account of our actions,” it stated in a submit.
Final month, Cyber Serp took accountability for an alleged breach of Ukrainian cybersecurity firm Cipher, stating it obtained an entire dump of the servers, together with a shopper database and supply code for his or her line of CIPS merchandise, amongst others.
In an announcement on its web site, Cipher acknowledged that attackers compromised the credentials of an worker at considered one of its know-how corporations however stated its infrastructure was working usually. The contaminated person had entry to a single venture, which didn’t include delicate knowledge, it added.
