A pro-Russian hacker group impersonated Ukraine’s CERT-UA in a phishing campaign that urged organizations to download a password-protected archive from Files.fm that supposedly contained security software. The archive instead installed a remote administration tool called AgeWheeze, which gives the operator full remote control of the host. Attackers claiming to be CyberSerp later boasted of large-scale targeting, although CERT-UA reported only a small number of infections. #AgeWheeze #CyberSerp
Key points
- Attackers spoofed CERT-UA emails warning of a fake “large-scale cyberattack” to trick recipients into downloading a Files.fm archive.
- The downloaded file deployed AgeWheeze, a remote administration tool capable of executing commands, managing files, streaming the screen, and emulating keyboard and mouse input.
- Organizations across government, healthcare, finance, security, education, and software development were targeted.
- CERT-UA reported the campaign was largely unsuccessful, with only a small number of infections mainly on personal devices of education staff.
- CyberSerp later claimed responsibility and posted unverified figures and a Telegram message, while CERT-UA found “From Cyber Serp with Love” in a fake site’s code.
Read More: https://therecord.media/pro-russian-hackers-posing-as-ukrainian-cyber-agency