UAC-0255 CERT-UA impersonation phishing campaign
Campaign
Summary
The UAC-0255 phishing campaign impersonated CERT-UA to deliver a password-protected ZIP archive and trick recipients into installing AGEWHEEZE. The operation ran on March 26-27, 2026 and used Files.fm plus the CERT_UA_protection_tool.zip lure. It targeted state, medical, security, educational, financial, and software development organizations. The campaign was assessed as largely unsuccessful, although a few employee devices at educational institutions were infected.
Related Happenings
UAC-0247 phishing-led malware campaign targeting Ukrainian government and healthcare institutions
Campaign
First: 16.04.2026 09:20
Last: 16.04.2026 09:20
Sources 1
About this happening:
A **March-April 2026** **UAC-0247** phishing campaign targeted **Ukrainian government** and **municipal healthcare organizations**, using **malware delivery** to steal data from *...
AgingFly malware attacks local governments and hospitals in Ukraine
Malware Activity
First: 16.04.2026 00:57
Last: 16.04.2026 00:57
Sources 1
About this happening:
The **AgingFly** malware is now being deployed against **local governments and hospitals** in **Ukraine**, where it steals browser and WhatsApp authentication data and enables dee...
AGEWHEEZE remote access trojan activity
Malware Activity
First: 01.04.2026 19:10
Last: 01.04.2026 19:10
Sources 1
How related:
The malware, per CERT-UA, is a remote access trojan codenamed AGEWHEEZE.
About this happening:
CERT-UA disclosed **AGEWHEEZE**, a **remote access trojan** delivered through a **password-protected ZIP** that enabled remote control over infected devices. The malware was sprea...
UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
First: 24.02.2026 16:21
Last: 24.02.2026 16:21
Sources 1
About this happening:
The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
Microsoft Office actively exploited security feature bypass (CVE-2026-21509)
Vulnerability
First: 27.01.2026 09:19
Last: 27.01.2026 09:19
Sources 1
About this happening:
**CVE-2026-21509** is a **7.8 CVSS** Microsoft Office **security feature bypass** that was **actively exploited** to bypass **OLE mitigations** and deliver malicious Office files....
Timeline
01.04.2026 19:10 2 articles · 1mo ago
CERT-UA discloses impersonation phishing campaign
Initial Disclosure
CERT-UA disclosed a phishing campaign attributed to UAC-0255 that impersonated the agency to distribute the Go-based remote access trojan AGEWHEEZE through a password-protected ZIP archive hosted on Files.fm. The lure used the filename CERT_UA_protection_tool.zip, some messages came from incidents@cert-ua[.]tech, and the campaign targeted state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. CERT-UA assessed the operation as largely unsuccessful, saying only a few infected employee devices at educational institutions were identified.
Sources
- CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails — thehackernews.com — 01.04.2026 19:10