Ukraine’s Computer Emergency Response Team (CERT-UA) has disclosed details of a new phishing campaign that impersonated the agency to distribute a remote administration tool called AGEWHEEZE.
As part of the attacks, the threat actor tracked as UAC-0255 sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urging recipients to install “special software.”
Targets of the campaign included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some emails were sent from the address “incidents@cert-ua[.]tech.”
The ZIP file (“CERT_UA_protection_tool.zip”) is designed to deliver malware disguised as a protection tool from the agency. According to CERT-UA, the malware is a remote access trojan codenamed AGEWHEEZE.
A Go-based malware, AGEWHEEZE communicates with an external server (54.36.237[.]92) over WebSocket and supports a wide range of commands: executing shell commands, performing file operations, modifying the clipboard, emulating mouse and keyboard input, taking screenshots, and managing processes and services. It establishes persistence through a scheduled task, a Windows registry modification, or a copy of itself in the startup directory.
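As an added example (not code from CERT-UA, the article, or the malware authors), the following PowerShell triage script checks a Windows host for the three persistence mechanisms named above and for live TCP connections to the reported C2 address. The indicators are the ones on this page; the registry value name, scheduled-task name, and dropped file name used by the RAT are not reported, so the script lists every autorun entry launched from a user-writable directory rather than matching a specific name (an assumption about where a phishing-delivered payload is typically placed).

```powershell
# Added host triage script (assumed, not CERT-UA's or the article's code).
# Indicators below are the ones reported on the page; everything else is a
# heuristic based on where phishing-delivered executables usually live.
$C2Ip        = '54.36.237.92'
$LureDomain  = 'cert-ua.tech'
$LureArchive = 'CERT_UA_protection_tool.zip'

# User-writable roots: an autorun entry pointing here deserves a look.
$SuspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $clean = $Path.Trim('"').ToLower()          # registry values are often quoted
    foreach ($root in $SuspectRoots) {
        if ($clean.StartsWith($root.ToLower())) { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce keys for the current user and the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # provider metadata, not autorun values
        if (Test-SuspectPath $p.Value) {
            $findings += [pscustomobject]@{ Type='RunKey'; Name="$key\$($p.Name)"; Detail=$p.Value }
        }
    }
}

# 2. Startup folders (per-user and all-users). Anything here runs at logon.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type='StartupFolder'; Name=$_.Name; Detail=$_.FullName }
    }
}

# 3. Scheduled tasks whose action executes from a user-writable path.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (Test-SuspectPath $a.Execute) {
            $findings += [pscustomobject]@{
                Type='ScheduledTask'; Name="$($task.TaskPath)$($task.TaskName)"
                Detail="$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

# 4. Live connections to the C2 host. WebSocket is plain TCP underneath,
#    so match on the remote address regardless of port.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Ip } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type='C2Connection'; Name=$proc.ProcessName
            Detail="PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
        }
    }

# 5. The lure archive on disk and the lookalike domain in the DNS cache.
Get-ChildItem -Path "$env:USERPROFILE\Downloads", $env:TEMP -Filter $LureArchive -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += [pscustomobject]@{ Type='LureArchive'; Name=$_.Name; Detail=$_.FullName } }
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$LureDomain*" } |
    ForEach-Object { $findings += [pscustomobject]@{ Type='DnsCache'; Name=$_.Entry; Detail=$_.Data } }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so that HKLM keys, all-users tasks, and other users’ connections are readable. A hit in the RunKey, StartupFolder, or ScheduledTask sections is only a lead, since legitimate software also installs from these locations; a hit in the C2Connection section is the strong signal, and the owning process should be preserved (memory and binary) before the host is remediated.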
CERT-UA assesses that the attack was largely unsuccessful. “Some infected personal devices belonging to employees of educational institutions of various forms of ownership were not identified,” the agency said. “The team’s experts provided the necessary methodological and practical assistance.”
Analysis of the fake website “cert-ua[.]tech” revealed that it was likely crafted with the assistance of artificial intelligence (AI) tools; the HTML source code also includes the comment “С Лубовья, Кибер СЕРП,” meaning “With love, Cyber SERP.”
In a post on Telegram, Cyber Serpent claims they are “Ukraine’s cyber-underground operator.” The Telegram channel was created in November 2025 and has over 700 subscribers.
The threat actor also claimed that phishing emails were sent to 1 million UKR[.]NET mailboxes and that over 200,000 devices were compromised as part of the campaign. One post read, “We are not bandits – the average Ukrainian citizen will never suffer as a result of our actions.”
Last month, Cyber Serpent claimed responsibility for the alleged breach of Ukrainian cybersecurity company Cipher, saying it had obtained a complete dump of the server, including client databases and source code for a series of Cipher products.
In a statement on its website, Cipher acknowledged that attackers compromised the credentials of an employee at one of its technology companies, but said its infrastructure was operating normally. It said the affected user had access to a single project, which did not contain sensitive data.