The Ukrainian Computer Emergency Response Team (CERT-UA) has disclosed a new targeted phishing campaign in which attackers masqueraded as the national cybersecurity agency to distribute the AGEWHEEZE remote access trojan (RAT). The incident illustrates how threat actors increasingly combine brand impersonation, social engineering and artificial intelligence (AI) to make phishing attacks more convincing and harder to detect.
Phishing Emails Spoofing CERT-UA: Attack Chain and Targets
According to CERT-UA, a threat actor tracked as UAC-0255 conducted a coordinated phishing operation on 26–27 March 2026. Emails were crafted to appear as official notifications from CERT-UA, in some cases using a look‑alike sender address such as incidents@cert-ua[.]tech, which imitates the legitimate CERT-UA domain.
Victims were urged to download and install purported “specialized protection software” allegedly issued by CERT-UA. The file was hosted on the cloud storage service Files.fm as a password-protected archive named CERT_UA_protection_tool.zip, a classic tactic to evade automated malware scanning on email and web gateways.
The campaign targeted a broad range of sectors: government agencies, healthcare institutions, security companies, educational organizations, financial institutions and software developers. This mix aligns with both cyberespionage and financially motivated campaigns, where attackers seek access to critical infrastructure as well as monetizable data, credentials and intellectual property.
Inside the ZIP archive, the “protection tool” was in fact the AGEWHEEZE RAT, designed to provide attackers with persistent remote control over compromised endpoints under the guise of legitimate cybersecurity software.
AGEWHEEZE Remote Access Trojan: Capabilities and Persistence
AGEWHEEZE is written in Go, a language increasingly popular with malware authors because it produces statically linked, cross-platform binaries. The resulting executables are large, carry the Go runtime and use calling conventions that most analysis tooling handles poorly, which slows reverse engineering and weakens signature-based detection; Go does not obfuscate code by itself, though. The RAT communicates with its command-and-control (C2) server over WebSockets to the IP address 54.36.237[.]92, a persistent bidirectional channel that blends in with legitimate web traffic. Because the C2 endpoint is an address literal rather than a hostname, the connection leaves no DNS lookup to alert on, but it stands out in proxy or flow data as a WebSocket session to a bare public IP.
The RAT offers a wide range of functionality typical of modern remote access malware, including:
• Remote command execution: running arbitrary commands on the victim host, enabling data theft, lateral movement and deployment of additional payloads such as ransomware.
• File system operations: uploading, downloading, creating, modifying and deleting files, which supports both espionage and sabotage scenarios.
• Interaction with user input and display: clipboard access, mouse and keyboard emulation, screenshot capture, and management of processes and system services. These capabilities effectively give the attacker “hands-on keyboard” access as if physically present at the machine.
To survive reboots, AGEWHEEZE establishes persistence on Windows through several mechanisms at once: a scheduled task created through Task Scheduler (MITRE ATT&CK T1053.005), an entry in the autostart Registry keys (commonly the Run keys) and a copy in the Startup folder (both T1547.001). Because the mechanisms are redundant, removing only one of them leaves the others to relaunch the implant; responders need to check and clear all three locations before considering a host clean.
Limited Impact but Clear Warning for Organizations
CERT-UA assessed the campaign as only partially successful. Investigators identified a small number of infected personal devices belonging to staff members of educational institutions. Incident responders provided methodological and hands-on support, helping victims contain and remediate the compromise, thereby limiting operational impact.
This outcome underlines the value of rapid incident reporting and coordinated response. Industry studies, such as Verizon’s Data Breach Investigations Report, consistently show that phishing remains one of the primary initial access vectors worldwide, often acting as the first step in multi-stage intrusions involving RATs and ransomware.
AI-Generated Phishing Site and the Rise of “Cyber Serp”
The attackers registered and used a spoofed domain, cert-ua[.]tech, to lend additional legitimacy to the phishing emails. CERT-UA’s analysis suggests that the website’s content was likely generated with AI tools, accelerating the creation of professional‑looking pages that imitate trusted brands and language style.
Within the HTML source code of the fake site, analysts found a Russian-language comment: “С Любовью, КИБЕР СЕРП” (“With love, CYBER SERP”). This string appears to link the campaign to a group calling itself Cyber Serp, which operates a Telegram channel created in November 2025 with more than 700 subscribers at the time of reporting.
Cyber Serp has claimed that this phishing operation sent emails to 1 million ukr[.]net mailboxes and compromised over 200,000 devices. These figures have not been corroborated by CERT-UA and should be treated with caution pending independent verification.
Previously, Cyber Serp publicly took credit for breaching Ukrainian cybersecurity company Cipher, alleging access to server dumps, customer databases and source code for several CIPS products. In an official statement, Cipher confirmed only the compromise of credentials belonging to an employee of a partner technology company. According to Cipher, the affected account had access to a single project that did not contain sensitive data, and the company’s infrastructure continued operating normally.
Defending Against CERT-UA Spoofing, RAT Malware and AI-Driven Phishing
The incident shows how dangerous it can be to trust emails solely based on the apparent sender or brand. To mitigate similar threats, organizations and individual users should adopt a layered defense strategy:
• Verify domains and links: carefully inspect sender domains and URLs, especially when emails urge installation of “security tools” or urgent updates. Directly visit official websites instead of clicking embedded links.
• Harden email security: implement and properly configure SPF, DKIM and DMARC, and deploy anti-phishing and anti-malware gateways to reduce delivery of spoofed messages. Keep in mind what these controls cover: SPF, DKIM and DMARC stop unauthorized use of a domain you own, but an attacker-registered look-alike such as cert-ua[.]tech passes all three checks for its own domain. Look-alike domains need separate controls, such as external-sender banners, typo-squat monitoring for your own brand, and gateway rules that quarantine mail from newly registered or look-alike sender domains.
• Restrict execution of unknown software: use application control, endpoint protection platforms and group policies to block or sandbox untrusted executables and archives.
• Invest in security awareness training: regularly educate staff on recognizing phishing, brand impersonation and AI-generated content, using realistic simulations and updated examples.
• Monitor for RAT behavior: deploy EDR/XDR solutions that detect anomalous process activity, persistence techniques and suspicious outbound connections. For this campaign the network signal to hunt for is a WebSocket (HTTP Upgrade) session to a bare public IP address rather than a hostname, and to 54.36.237[.]92 in particular; the endpoint signals are the scheduled task, Run key and Startup folder entries described above.
• Maintain backups and incident response plans: ensure resilient, offline backups of critical data and rehearse incident response playbooks that cover RAT containment, forensic analysis and communication.
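As an added example (not CERT-UA's tooling and not code from the article), the following Python script applies the indicators reported above, the sender domain cert-ua[.]tech, the archive name CERT_UA_protection_tool.zip and the WebSocket C2 address 54.36.237[.]92, together with the generic WebSocket-to-public-IP heuristic, to a constructed key=value log of mail and proxy events. The log format, the Files.fm path and the sample events are assumptions made for this example; only the indicators come from the report.

```python
"""Hunt for AGEWHEEZE-campaign indicators in mail and proxy logs.

Added example, not CERT-UA's code. Indicators are from the CERT-UA report;
the key=value log format and the sample events below are constructed.
"""
import ipaddress
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the report, refanged so they compare with parsed values.
IOC_DOMAINS = {"cert-ua.tech"}
IOC_IPS = {"54.36.237.92"}
IOC_FILENAMES = {"cert_ua_protection_tool.zip"}

# Constructed sample log (not real telemetry). Values are defanged the way an
# analyst would paste them from a report; the Files.fm path is made up.
SAMPLE_LOG = """\
type=mail from="incidents@cert-ua[.]tech" to="user@example.org" subject="CERT-UA notification" url="https://files.fm/u/abc123/CERT_UA_protection_tool.zip"
type=mail from="newsletter@vendor.example" to="user@example.org" subject="Release notes" url="https://vendor.example/notes"
type=proxy src=10.0.0.15 url="http://54.36.237[.]92/ws" upgrade=websocket
type=proxy src=10.0.0.15 url="https://chat.example.com/socket" upgrade=websocket
type=proxy src=10.0.0.16 url="http://10.0.0.5/ws" upgrade=websocket
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    detail: str


def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so indicators compare cleanly."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: refang(v.strip('"')) for k, v in KV_RE.findall(line)}


def is_public_ip(host: str) -> bool:
    """True only for a literal, globally routable IP address (not a hostname)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def check_event(ev: dict, line_no: int) -> list:
    hits = []
    sender_domain = ev.get("from", "").lower().rsplit("@", 1)[-1]
    if sender_domain in IOC_DOMAINS:
        hits.append(Hit(line_no, "ioc-sender-domain", ev["from"]))
    url = ev.get("url")
    if url:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        filename = posixpath.basename(parts.path)
        if host in IOC_DOMAINS or host in IOC_IPS:
            hits.append(Hit(line_no, "ioc-url-host", host))
        if filename.lower() in IOC_FILENAMES:
            hits.append(Hit(line_no, "ioc-archive-name", filename))
        # Heuristic, not an IOC: a WebSocket upgrade straight to a public IP
        # literal is what the AGEWHEEZE C2 channel looks like and is rare in
        # ordinary browsing. Private addresses are ignored to limit noise.
        if ev.get("upgrade", "").lower() == "websocket" and is_public_ip(host):
            hits.append(Hit(line_no, "websocket-to-public-ip", host))
    return hits


def scan(log_text: str) -> list:
    """Run every rule over every non-empty line; hits keep log order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            hits.extend(check_event(parse_event(line), n))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule} ({h.detail})")
```

Run it directly to print the matches; `scan()` returns them as `Hit` records so they can be pushed into a SIEM or ticketing system instead. The bare-IP rule is a heuristic and will also fire on legitimate software that opens WebSockets to hard-coded addresses, so treat it as a triage signal rather than a verdict, and keep the exact-match rules on the reported indicators as the high-confidence alerts.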
The AGEWHEEZE campaign against Ukrainian organizations underscores a global trend: attackers are rapidly adopting AI to industrialize phishing and to convincingly spoof trusted cybersecurity brands such as CERT-UA. Continuous user education, robust email and endpoint defenses, and timely threat intelligence sharing are essential for reducing the success rate of such operations and limiting the damage when a remote access trojan does breach the perimeter.