
AGEWHEEZE RAT Deployment via CERT-UA Impersonation Campaign Targeting Ukrainian Entities

1 unique source, 1 article

Summary


A threat actor tracked as UAC-0255 impersonated Ukraine’s CERT-UA to distribute the AGEWHEEZE remote access trojan (RAT) via phishing emails sent to approximately 1 million ukr[.]net mailboxes on March 26–27, 2026. Targets included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. The campaign used a password-protected ZIP archive hosted on Files.fm, containing a decoy CERT-UA-themed installer that delivered AGEWHEEZE, a Go-based RAT with extensive capabilities for remote control and data exfiltration. The attack’s operational impact was assessed as minimal, with only a small number of personal devices at educational institutions compromised. The threat actor, identifying as Cyber Serp on Telegram, claimed broader success, asserting over 200,000 infections and denying civilian targeting. The campaign used domains and infrastructure that were likely generated with AI assistance, reflecting evolving TTPs in Ukrainian cyber operations.

Timeline

  1. 01.04.2026 19:10 · 1 article

    AGEWHEEZE RAT Distribution via CERT-UA Impersonation Campaign Targets Ukrainian Entities

    On March 26–27, 2026, a phishing campaign impersonating CERT-UA delivered the AGEWHEEZE remote access trojan to approximately 1 million ukr[.]net mailboxes. The campaign targeted a wide range of Ukrainian organizations and leveraged a password-protected ZIP archive hosted on Files.fm, containing a decoy installer that deployed AGEWHEEZE, a Go-based RAT with WebSocket C2 and extensive system compromise capabilities. The attack infrastructure included the domain cert-ua[.]tech, likely generated with AI assistance, and was attributed to threat actor UAC-0255, associated with a Telegram persona named Cyber Serp.


Information Snippets

  • Threat actor UAC-0255 impersonated CERT-UA to distribute a password-protected ZIP archive named "CERT_UA_protection_tool.zip" via phishing emails sent on March 26–27, 2026, to approximately 1 million ukr[.]net mailboxes.

    First reported: 01.04.2026 19:10
    1 source, 1 article
  • The ZIP archive contained an installer for a decoy security tool that delivered AGEWHEEZE, a Go-based remote access trojan (RAT) hosted on external server 54.36.237[.]92.

  • AGEWHEEZE supports remote command execution, file operations, clipboard manipulation, mouse/keyboard emulation, screenshots, process/service management, and persistence via scheduled tasks, Windows Registry modifications, or Startup directory entries.

  • The campaign primarily targeted state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies, with the phishing emails sent from the address incidents@cert-ua[.]tech.

  • CERT-UA reported minimal impact, identifying only a few infected personal devices among employees of educational institutions; no sensitive data compromise was confirmed.

  • The phishing domain cert-ua[.]tech showed signs of AI-assisted generation and included a Russian-language comment in its HTML source: "С Любовью, КИБЕР СЕРП," translating to "With Love, CYBER SERP."

  • Cyber Serp, a Telegram channel operator claiming affiliation with "cyber-underground operatives from Ukraine," asserted the campaign sent emails to 1 million ukr[.]net mailboxes and compromised over 200,000 devices, while denying targeting average Ukrainian citizens.

  • Cyber Serp previously claimed responsibility for an alleged breach of Ukrainian cybersecurity firm Cipher in March 2026, asserting access to a complete server dump including client databases and source code for CIPS products; Cipher stated only a single employee’s credentials were compromised and no sensitive data was exposed.
