Cyber Serp Masquerade: Fake CERT-UA Emails Push AGEWHEEZE Malware to a Million Inboxes

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign in which attackers impersonated the agency itself to distribute a remote administration tool known as AGEWHEEZE. The operation, attributed to UAC-0255, highlights how threat actors exploit trust in national cybersecurity institutions to deliver malware at scale.

Campaign Details

  • Timeline: March 26–27, 2026.
  • Delivery method: Emails posing as CERT-UA, sent from incidents@cert-ua[.]tech.
  • Payload: Password-protected ZIP archive (“CERT_UA_protection_tool.zip”) hosted on Files.fm.
  • Targets: State organizations, medical centers, security firms, educational institutions, financial institutions, and software developers.

AGEWHEEZE Malware

  • Type: Remote administration tool (RAT) written in Go.
  • Communication: WebSockets to server 54.36.237[.]92.
  • Capabilities:
    • Execute commands.
    • Perform file operations.
    • Modify clipboard.
    • Emulate mouse/keyboard.
    • Take screenshots.
    • Manage processes and services.
  • Persistence: Scheduled tasks, registry modifications, or Startup directory entries.

Impact

CERT-UA assessed the campaign as largely unsuccessful, with only a few personal devices at educational institutions infected. Specialists provided remediation support.

However, the attackers — a group calling itself Cyber Serp — claimed on Telegram that:

  • Emails were sent to 1 million ukr[.]net mailboxes.
  • Over 200,000 devices were compromised.
  • They are “cyber-underground operatives from Ukraine,” insisting ordinary citizens are not their targets.

Wider Context

  • AI-generated infrastructure: The fake CERT-UA website (cert-ua[.]tech) contained HTML comments suggesting AI-assisted creation.
  • Previous activity: Cyber Serp claimed responsibility for breaching Ukrainian cybersecurity company Cipher, allegedly stealing client databases and source code. Cipher later confirmed limited compromise of one employee’s credentials but denied sensitive data exposure.

Defensive Guidance

  • Treat emails claiming to be from CERT-UA with caution.
  • Avoid opening password-protected ZIP archives from unverified sources.
  • Monitor for WebSocket traffic to suspicious IPs.
  • Audit persistence mechanisms (scheduled tasks, registry keys, Startup entries).
  • Educate staff on phishing tactics that exploit trusted institutions.
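The two monitoring items above (WebSocket traffic to suspicious IPs, emails claiming to be from CERT-UA) can be turned into a small triage check against the indicators the article lists. The script below is an added example, not code from CERT-UA or from the article; it refangs the published indicators (cert-ua[.]tech, 54.36.237[.]92, the ZIP name, Files.fm) and runs them over constructed mail records and proxy log lines. The log line format, the WebSocket allowlist, the use of cert.gov.ua as the genuine CERT-UA domain, and the "sender presents as CERT-UA" heuristic are assumptions for the example.

```python
"""Triage check for the fake CERT-UA / AGEWHEEZE campaign indicators.

Added example; not part of the CERT-UA advisory or the article.
Indicators below are the ones the article publishes, with the defanging
brackets removed so they can be matched. Log formats are assumed.
"""
import re
from email.utils import parseaddr

# Indicators from the article (refanged)
C2_IP = "54.36.237.92"
LOOKALIKE_SENDER_DOMAIN = "cert-ua.tech"
LURE_ATTACHMENT = "CERT_UA_protection_tool.zip"
LURE_HOST = "files.fm"
# Assumed: the genuine CERT-UA domain that a sender must actually use
LEGITIMATE_DOMAIN = "cert.gov.ua"
# Assumed: hosts the organisation legitimately opens WebSockets to
WEBSOCKET_ALLOWLIST = frozenset({"chat.example.com"})

# Constructed sample mail records (from header + attachment names)
SAMPLE_MESSAGES = [
    {"from": "CERT-UA <incidents@cert-ua.tech>", "attachments": [LURE_ATTACHMENT]},
    {"from": "CERT-UA <cert@cert.gov.ua>", "attachments": []},
    {"from": "Alice <alice@example.com>", "attachments": ["report.pdf"]},
]

# Constructed sample proxy log lines in an assumed key=value format
SAMPLE_PROXY_LINES = [
    "2026-03-26T09:58:41Z src=10.0.4.17 dst=203.0.113.10:443 host=files.fm "
    "path=/u/abc123/CERT_UA_protection_tool.zip upgrade=- status=200",
    "2026-03-26T10:14:02Z src=10.0.4.17 dst=54.36.237.92:443 host=54.36.237.92 "
    "path=/ws upgrade=websocket status=101",
    "2026-03-26T10:15:00Z src=10.0.4.18 dst=203.0.113.20:443 host=chat.example.com "
    "path=/socket upgrade=websocket status=101",
    "2026-03-26T10:16:30Z src=10.0.4.19 dst=203.0.113.30:443 host=www.example.com "
    "path=/index.html upgrade=- status=200",
]

PROXY_LINE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>[\d.]+):(?P<port>\d+)\s+host=(?P<host>\S+)\s+"
    r"path=(?P<path>\S+)\s+upgrade=(?P<upgrade>\S+)\s+status=(?P<status>\d+)"
)


def check_message(msg: dict) -> list[str]:
    """Return findings for one mail record: lookalike sender, CERT-UA
    impersonation from a non-official domain, and the known lure ZIP."""
    findings = []
    display, addr = parseaddr(msg.get("from", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    # Heuristic (assumed): display name or local part mentions CERT
    claims_cert_ua = "cert" in f"{display} {local}".lower()
    if domain == LOOKALIKE_SENDER_DOMAIN:
        findings.append(f"sender {addr} uses the lookalike domain {LOOKALIKE_SENDER_DOMAIN}")
    elif claims_cert_ua and domain != LEGITIMATE_DOMAIN:
        findings.append(f"sender {addr} presents as CERT-UA but is not {LEGITIMATE_DOMAIN}")
    sender_suspicious = bool(findings)
    for name in msg.get("attachments", []):
        if name == LURE_ATTACHMENT:
            findings.append(f"known lure attachment {name}")
        elif sender_suspicious and name.lower().endswith(".zip"):
            findings.append(f"ZIP attachment {name} from suspicious sender")
    return findings


def check_proxy_line(line: str, allowlist=WEBSOCKET_ALLOWLIST) -> list[str]:
    """Return findings for one proxy line: contact with the published C2,
    WebSocket upgrades to hosts outside the allowlist, ZIP pulls from Files.fm."""
    m = PROXY_LINE.search(line)
    if not m:
        return []
    findings = []
    if m["dst"] == C2_IP:
        findings.append(f"{m['src']} connected to AGEWHEEZE C2 {C2_IP}")
    # HTTP 101 Switching Protocols with Upgrade: websocket marks a new WebSocket
    if m["upgrade"].lower() == "websocket" and m["status"] == "101" \
            and m["host"] not in allowlist:
        findings.append(f"{m['src']} opened WebSocket to unlisted host {m['host']} ({m['dst']})")
    if m["host"].endswith(LURE_HOST) and m["path"].lower().endswith(".zip"):
        findings.append(f"{m['src']} downloaded ZIP from {LURE_HOST}: {m['path']}")
    return findings


def scan(messages=SAMPLE_MESSAGES, proxy_lines=SAMPLE_PROXY_LINES) -> dict:
    """Run both checks and group the findings by source."""
    return {
        "mail": [f for msg in messages for f in check_message(msg)],
        "proxy": [f for line in proxy_lines for f in check_proxy_line(line)],
    }


if __name__ == "__main__":
    for source, findings in scan().items():
        for finding in findings:
            print(f"[{source}] {finding}")
```

The WebSocket rule fires on the 101 upgrade rather than on the destination IP alone, so it keeps working if the operators move the server; the allowlist is what keeps it quiet for legitimate WebSocket applications, so populate it from your own traffic baseline before relying on the rule.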

Final Thought

The impersonation of CERT-UA shows how attackers weaponize trust to spread malware. Even if the campaign’s real-world impact was limited, the scale of attempted distribution — 1 million emails — underscores the importance of vigilance. For defenders, the lesson is clear: verify the sender, scrutinize attachments, and treat “official” emails as potential attack vectors.
