CERT-UA Impersonation Campaign Distributes AGEWHEEZE Malware

A recent phishing campaign impersonating Ukraine's CERT-UA has attempted to distribute AGEWHEEZE malware to various organizations, with limited success.

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan known as AGEWHEEZE. The campaign targeted a wide range of organizations, including state entities, medical centers, educational institutions, and financial companies.

Details of the Campaign

On March 26 and 27, 2026, emails were sent from the address “incidents@cert-ua[.]tech” carrying a password-protected ZIP file named “CERT_UA_protection_tool.zip.” The archive, presented as a security tool, was designed to download the malware. The payload, identified as AGEWHEEZE, is a Go-based remote access trojan that can execute commands, manage files, and take screenshots.
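The two lure indicators named above (the sender domain and the attachment name) are enough for a simple mail-gateway triage rule. The following is an added example written for this article, not code from CERT-UA or the article's author: it runs over constructed log lines and flags messages whose sender domain reads as "CERT-UA" but is not on an allow-list, or whose attachment carries the lure file name, noting when a password-protected ZIP corroborates the hit. It assumes cert.gov.ua is the only legitimate CERT-UA sending domain and a made-up `from=/to=/attach=/zip_encrypted=` log format.

```python
import re

# Indicators quoted in the CERT-UA report above (the article defangs them with "[.]").
LURE_ATTACHMENT = "cert_ua_protection_tool.zip"
# Assumption for this example: cert.gov.ua is the only domain CERT-UA legitimately sends from.
LEGIT_CERT_UA_DOMAINS = {"cert.gov.ua"}

# Constructed mail-gateway log lines (not real telemetry), one delivered message per line.
SAMPLE_LOG = """\
2026-03-26T09:14:02Z from=incidents@cert-ua.tech to=user1@example.ua attach=CERT_UA_protection_tool.zip zip_encrypted=yes
2026-03-26T09:15:10Z from=newsletter@vendor.example to=user2@example.ua attach=report.pdf zip_encrypted=no
2026-03-27T11:02:44Z from=alerts@cert-ua.tech to=user3@example.ua attach=CERT_UA_Protection_Tool.ZIP zip_encrypted=yes
2026-03-27T11:05:00Z from=notify@cert.gov.ua to=user4@example.ua attach=advisory.pdf zip_encrypted=no
2026-03-27T12:00:00Z from=hr@example.ua to=user5@example.ua attach=payroll.zip zip_encrypted=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"attach=(?P<attach>\S*) zip_encrypted=(?P<enc>yes|no)$"
)

def looks_like_cert_ua(domain: str) -> bool:
    """True for a sender domain that reads as 'CERT-UA' (separators stripped) but is not allow-listed."""
    domain = domain.lower()
    if domain in LEGIT_CERT_UA_DOMAINS:
        return False
    return "certua" in re.sub(r"[^a-z0-9]", "", domain)

def triage(log_text: str) -> list:
    """Return (timestamp, sender, recipient, reasons) per flagged message; an encrypted ZIP alone never flags."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the expected format
        reasons = []
        if looks_like_cert_ua(m["sender"].rsplit("@", 1)[-1]):
            reasons.append("lookalike_sender")
        if m["attach"].lower() == LURE_ATTACHMENT:
            reasons.append("lure_attachment_name")
        if reasons and m["enc"] == "yes":
            reasons.append("encrypted_zip")  # corroborating signal only
        if reasons:
            findings.append((m["ts"], m["sender"], m["rcpt"], tuple(reasons)))
    return findings

if __name__ == "__main__":
    for ts, sender, rcpt, reasons in triage(SAMPLE_LOG):
        print(f"{ts} {sender} -> {rcpt}: {', '.join(reasons)}")
```

On the constructed log, only the two messages from cert-ua.tech are flagged; the genuine cert.gov.ua advisory and the unrelated encrypted payroll archive are left alone.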

Targeted Organizations

The phishing emails were sent to approximately 1 million users of the ukr[.]net email service. The campaign’s targets included state organizations, security firms, educational institutions, and software development companies. Despite the scale of the attack, CERT-UA assessed that it was largely unsuccessful, with only a few personal devices belonging to employees of educational institutions reported as infected.

Technical Aspects of AGEWHEEZE

AGEWHEEZE communicates with its operators' server over WebSockets and supports a variety of commands, including clipboard modification and process management. The malware also establishes persistence through scheduled tasks and modifications to the Windows Registry.

Threat Actor Insights

The threat actors, identified as UAC-0255, have been linked to a Telegram channel named Cyber Serp, which claims to be composed of cyber operatives from Ukraine. The channel, created in November 2025, has over 700 subscribers. In a post, they stated that they had sent phishing emails to 1 million mailboxes and claimed that over 200,000 devices had been compromised. However, CERT-UA has not confirmed these figures.

In a related incident, Cyber Serp previously claimed responsibility for breaching the Ukrainian cybersecurity firm Cipher, asserting they obtained sensitive data, although Cipher reported that only a single project was affected and that its infrastructure remained operational.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
