An unknown threat actor cloned the CERT-UA website and sent phishing emails distributing a password-protected archive that installed AGEWHEEZE, a Go-based remote access trojan. The campaign, claimed by the Telegram channel CyberSerp and run over OVH-hosted WebSocket C2 infrastructure, was largely unsuccessful according to CERT-UA, which published IOCs and mitigation guidance. #CERT-UA #AGEWHEEZE
Key points
- Attackers created a convincing fake CERT-UA website and sent emails urging recipients to download a “protection tool” archive.
- The distributed archive contained AGEWHEEZE, a full‑featured RAT written in Go.
- AGEWHEEZE enables screen capture, real‑time input emulation, full file and process control, and persistence via registry, Startup folder, or scheduled tasks.
- Command‑and‑control used WebSocket connections to an OVH‑hosted server with references to “TVisor” and “The Cult,” and the Telegram channel CyberSerp claimed responsibility.
- CERT‑UA tracked the activity as UAC‑0255, reported minimal infections, published indicators of compromise, and recommended AppLocker/Software Restriction Policies and endpoint protections.
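The persistence mechanisms listed above (Run key, Startup folder, scheduled task) are the same three a responder would hunt for on a host that opened the archive. The script below is an added example, not code from CERT-UA or from the article, and it runs over constructed Sysmon-style event records; the file name `protection_tool.exe`, the user name, the SID and the task name are hypothetical placeholders, not published indicators. It flags each mechanism and rates the hit "high" when the registered payload lives in a user-writable location (AppData, Downloads, ProgramData, Windows\Temp), which is where an archive-dropped binary typically lands and exactly the kind of path an AppLocker or SRP default-deny rule set would block.

```python
import re
from dataclasses import dataclass

# Constructed sample events for this example only (NOT CERT-UA indicators).
# Field names loosely follow Sysmon: 13 = registry value set,
# 11 = file created, 1 = process created.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\protection_tool.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "details": r"C:\Users\alice\AppData\Roaming\svc\protection_tool.exe"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\protection_tool.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\protection_tool.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN "WinUpdate" /TR "C:\Users\alice\AppData\Roaming\svc\protection_tool.exe" /F'},
    # Benign-looking baseline: a vendor installer registering an agent from Program Files.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    # Noise that should not be flagged at all.
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

# Persistence locations named in the write-up. Regexes are case-insensitive
# because registry and file paths on Windows are.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# /TR argument of schtasks: quoted path or a single bare token.
TASK_TARGET = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
# Locations a standard user can write to; a payload here is the strong signal.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|Windows\\Temp|ProgramData)\\", re.I)


@dataclass
class Finding:
    mechanism: str   # registry_run | startup_folder | scheduled_task
    payload: str     # binary that will run at logon/boot
    confidence: str  # high if payload sits in a user-writable path
    event: dict


def _confidence(payload: str) -> str:
    return "high" if USER_WRITABLE.search(payload) else "low"


def hunt_persistence(events):
    """Return one Finding per event that establishes persistence via a
    Run/RunOnce key, the Startup folder, or a schtasks /Create call."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == 13 and RUN_KEY.search(ev.get("target", "")):
            payload = ev.get("details", "")
            findings.append(Finding("registry_run", payload, _confidence(payload), ev))
        elif eid == 11 and STARTUP_DIR.search(ev.get("target", "")):
            # The dropped .lnk/.exe is the persistence; the process that wrote it
            # is the best available pointer to the payload.
            payload = ev.get("image", "")
            findings.append(Finding("startup_folder", payload, _confidence(payload), ev))
        elif (eid == 1 and ev.get("image", "").lower().endswith("\\schtasks.exe")
              and re.search(r"/create\b", ev.get("cmdline", ""), re.I)):
            m = TASK_TARGET.search(ev["cmdline"])
            payload = (m.group(1) or m.group(2)) if m else ev.get("parent", "")
            findings.append(Finding("scheduled_task", payload, _confidence(payload), ev))
    return findings


def summarize(findings):
    """Count findings per mechanism, e.g. {'registry_run': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.mechanism] = counts.get(f.mechanism, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_EVENTS):
        print(f"[{f.confidence:4}] {f.mechanism:15} -> {f.payload}")
    print(summarize(hunt_persistence(SAMPLE_EVENTS)))
```

The "low" rating on the Program Files entry is deliberate: a Run key by itself is not evidence of compromise, and the path of the registered payload is what separates a vendor agent from a trojan unpacked into %APPDATA%. In a real investigation the payload paths from the "high" findings are what you would compare against the hashes and names in CERT-UA's published IOCs.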
Read More: https://thecyberexpress.com/hackers-impersonate-cert-ua-agewheeze-rat/