The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed a phishing campaign in which the attackers impersonated the agency itself to deliver malware. The case shows how threat actors borrow the credibility of an official institution, here the national incident response body, to get recipients to run an attacker-supplied "security tool".
According to CERT-UA, the attackers, tracked as UAC-0255, ran the operation on March 26 and 27, 2026. The emails posed as official CERT-UA communications and urged recipients to download a "specialized software" tool. The messages linked to a password-protected ZIP archive hosted on the file-sharing service Files.fm. Besides lending the lure an air of legitimacy, a password-protected archive cannot be opened by mail gateways and many endpoint scanners, so its contents go uninspected until the user types the password from the email.
The campaign targeted a broad set of sectors: government organizations, healthcare institutions, security firms, educational bodies, financial institutions, and software development companies. Some emails were sent from the lookalike address "incidents@cert-ua[.]tech", a domain registered by the attackers that mimics the agency's name; CERT-UA's genuine domain is cert.gov.ua.
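The lure has three indicators a mail-triage rule can key on: a sender domain that imitates CERT-UA without being cert.gov.ua, a link to a consumer file-sharing host, and a named archive whose password is supplied in the same message. The script below, an added example that is not CERT-UA's or the article's code, applies those checks to a constructed sample message. The Files.fm path, the recipient address and the password line in the sample are invented for illustration; the sender address and archive name come from the report.

```python
"""Triage rule for a CERT-UA impersonation lure (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# CERT-UA's real domain; anything else that imitates the name is a lookalike.
GENUINE_DOMAINS = {"cert.gov.ua"}
# Consumer file-sharing hosts used to stage the archive in this campaign.
FILE_SHARING_HOSTS = {"files.fm"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
ARCHIVE_RE = re.compile(r"\b[\w.-]+\.(?:zip|rar|7z)\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)


def is_cert_ua_lookalike(domain):
    """True if the domain imitates CERT-UA but is not the genuine one.

    Labels are split on '.', '-' and '_', so 'cert-ua.tech' becomes
    ['cert', 'ua', 'tech'] and 'cert.gov.ua' becomes ['cert', 'gov', 'ua'].
    Only an adjacent 'cert','ua' pair or a fused 'certua' token counts.
    """
    domain = domain.lower().strip(".")
    if domain in GENUINE_DOMAINS:
        return False
    tokens = [t for t in re.split(r"[.\-_]", domain) if t]
    fused = "certua" in tokens
    adjacent = any(a == "cert" and b == "ua" for a, b in zip(tokens, tokens[1:]))
    return fused or adjacent


def triage_message(raw):
    """Return the list of lure indicators found in one RFC 822 message string."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)

    flags = []
    if is_cert_ua_lookalike(sender_domain):
        flags.append(f"sender domain imitates CERT-UA: {sender_domain}")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARING_HOSTS:
            flags.append(f"link to file-sharing host: {host}")
    archives = sorted(set(ARCHIVE_RE.findall(body)))
    # An archive name plus a password in the same mail is the classic
    # "scanner-proof" delivery pattern.
    if archives and PASSWORD_RE.search(body):
        flags.append(f"password-protected archive lure: {', '.join(archives)}")
    return flags


# Constructed sample; sender address and archive name are from the report,
# the Files.fm path, recipient and password value are invented.
SAMPLE_MESSAGE = """\
From: "CERT-UA" <incidents@cert-ua.tech>
To: employee@example.ua
Subject: Specialized software for protection

Download the protection tool: https://files.fm/u/example123
Archive: CERT_UA_protection_tool.zip
Password: 1234
"""

if __name__ == "__main__":
    for flag in triage_message(SAMPLE_MESSAGE):
        print("FLAG:", flag)
```

Any one of the three indicators is worth a quarantine on its own for a message claiming to come from a national CERT; the genuine agency does not distribute tools through file-sharing sites.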
Recipients who downloaded the archive, named "CERT_UA_protection_tool.zip", and ran its contents installed a remote access trojan that CERT-UA calls AGEWHEEZE. The malware is written in Go and reaches its command-and-control server over WebSockets. Once active, it lets the operators execute commands, manipulate files, capture screenshots, read and modify the clipboard, and simulate mouse and keyboard input. For persistence it uses one of three standard Windows mechanisms: a scheduled task, a Registry autorun entry, or a copy in the Startup folder.
However, despite the scale of the operation, the agency reported limited success. “No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified,” the agency said. “The team’s specialists provided the necessary methodological and practical assistance.” This suggests that early detection and response measures helped minimize the damage.
Further investigation indicated that the website hosted at the fake domain "cert-ua[.]tech" may have been built with generative AI tools. The site's HTML also carried the message "С Любовью, КИБЕР СЕРП" ("With Love, CYBER SERP"), a signature pointing to the group behind the attack.
Cyber Serp, a group describing itself as "cyber-underground operatives from Ukraine", claimed responsibility via Telegram. It stated that it sent phishing emails to 1 million ukr[.]net mailboxes and compromised more than 200,000 devices, figures that CERT-UA's count of a few infected personal devices does not support. "We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions," the group said in a post.
Furthermore, Cyber Serp previously claimed involvement in a breach of Cipher, a Ukrainian cybersecurity firm. While Cipher confirmed a credential compromise involving one employee, it clarified that its infrastructure remains secure and no sensitive data was exposed.
The incident is a reminder that a message claiming to come from a trusted authority deserves more scrutiny, not less: the genuine CERT-UA does not distribute software through file-sharing links or password-protected archives, and neither does any other national CERT.