CERT-UA disclosed a phishing campaign that impersonated the agency to distribute a password-protected ZIP containing a Go-based remote access trojan named AGEWHEEZE. The campaign, attributed to UAC-0255/Cyber Serp, targeted state, medical, educational, financial, security, and software organizations. It resulted in few confirmed infections, although the actor claimed larger-scale compromises and posted alleged Cipher data. #AGEWHEEZE #UAC-0255 #CERT-UA #CyberSerp #Cipher
Key points
- CERT-UA was impersonated in phishing emails that distributed a password-protected ZIP named "CERT_UA_protection_tool.zip".
- The ZIP deployed AGEWHEEZE, a Go-based RAT that communicates over WebSockets with 54.36.237[.]92 and supports broad remote control features.
- AGEWHEEZE implements persistence via scheduled tasks, Registry changes, or Startup folder additions and can perform file ops, screenshots, and input emulation.
- Emails were sent March 26–27, 2026, sometimes from incidents@cert-ua[.]tech and used a fake cert-ua[.]tech site likely generated with AI.
- The campaign targeted multiple sectors but caused few confirmed infections; the actor claimed mass compromise and posted alleged data from Cipher, which reported limited credential exposure.
Read More: https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html