The Laptop Emergency Response Crew of Ukraine (CERT-UA) has disclosed particulars of a brand new phishing marketing campaign by which the cybersecurity company itself was impersonated to distribute a distant administration software generally known as AGEWHEEZE.
As a part of the assaults, the menace actors, tracked as UAC-0255, despatched emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Information.fm and urged recipients to put in the “specialised software program.”
The targets of the marketing campaign included state organizations, medical facilities, safety corporations, instructional establishments, monetary establishments, and software program improvement corporations. A few of the emails have been despatched from the e-mail tackle “incidents@cert-ua[.]tech.”
The ZIP file (“CERT_UA_protection_tool.zip”) is designed to obtain malware packaged as safety software program from the company. The malware, per CERT-UA, is a distant entry trojan codenamed AGEWHEEZE.
A Go-based malware, AGEWHEEZE communicates with an exterior server (“54.36.237[.]92”) over WebSockets and helps a variety of instructions to execute instructions, carry out file operations, modify the clipboard, emulate mouse and keyboard, take screenshots, and handle processes and providers. It additionally creates persistence through the use of a scheduled activity, modifying the Home windows Registry, or including itself to the Startup listing.
The assault is assessed to have been largely unsuccessful. “No various contaminated private units belonging to workers of instructional establishments of assorted types of possession have been recognized,” the company mentioned. “The group’s specialists offered the mandatory methodological and sensible help.”
An evaluation of the bogus web site “cert-ua[.]tech” has revealed that it was seemingly generated with help from synthetic intelligence (AI) instruments, with the HTML supply code additionally together with a remark: “С Любовью, КИБЕР СЕРП,” that means “With Love, CYBER SERP.”
In posts on Telegram, Cyber Serp claims that they’re “cyber-underground operatives from Ukraine.” The Telegram channel was created in November 2025 and has greater than 700 subscribers.
The menace actor additionally mentioned the phishing emails have been despatched to 1 million ukr[.]web mailboxes as a part of the marketing campaign, and that over 200,000 units have been compromised. “We’re not bandits – the common Ukrainian citizen won’t ever undergo because of our actions,” it mentioned in a put up.
Final month, Cyber Serp took duty for an alleged breach of Ukrainian cybersecurity firm Cipher, stating it obtained a whole dump of the servers, together with a shopper database and supply code for his or her line of CIPS merchandise, amongst others.
In a press release on its web site, Cipher acknowledged that attackers compromised the credentials of an worker at considered one of its know-how corporations however mentioned its infrastructure was working usually. The contaminated consumer had entry to a single undertaking, which didn’t comprise delicate information, it added.
