One million emails—a volume that would overwhelm most marketing departments—were dispatched in a single 48-hour window with one goal: to weaponize the very trust users place in national security agencies. On March 26 and 27, 2026, the threat actor group tracked as UAC-0255 launched a massive phishing campaign impersonating the Computer Emergency Response Team of Ukraine (CERT-UA). By masquerading as the nation’s primary cybersecurity defender, the attackers attempted to distribute a sophisticated remote access trojan (RAT) known as AGEWHEEZE.
This incident serves as a stark reminder that in the world of social engineering, the more authoritative the mask, the more dangerous the lure. From a risk perspective, the scale of this operation was breathtaking, yet its actual impact remained curiously limited, highlighting a fascinating tug-of-war between high-volume automation and the resilience of modern defensive perimeters.
The campaign was built on a foundation of deception. Attackers utilized the email address "incidents@cert-ua[.]tech" to send urgent warnings to state organizations, medical centers, and financial institutions. The emails urged recipients to download and install what was described as "specialized software" for protection. In reality, this was a digital Trojan horse.
Behind the scenes, the link led to a password-protected ZIP archive hosted on Files.fm, titled "CERT_UA_protection_tool.zip." By using a password-protected archive, the attackers aimed to bypass automated email scanners that often struggle to inspect encrypted contents. Once a user followed the instructions and executed the file, they weren't installing a security tool; they were handing over the keys to their digital kingdom.
At the architectural level, AGEWHEEZE is a Go-based malware designed for comprehensive surveillance and control. Go (or Golang) has become increasingly popular among malware authors because it allows for easy cross-platform compilation and often results in binaries that are difficult for traditional signature-based antivirus tools to parse.
Once active, AGEWHEEZE establishes a persistent foothold. It modifies the Windows Registry, creates scheduled tasks, or drops itself into the Startup directory to ensure it survives a system reboot. Beyond persistence, the malware is built for full control of the host. It communicates with a command-and-control (C2) server at "54.36.237[.]92" using WebSockets—a protocol that allows for full-duplex, real-time communication, making the attacker’s control over the infected machine feel instantaneous.
The command set supported by AGEWHEEZE is multifaceted and intrusive:
Essentially, an infected device becomes a puppet, with the threat actor pulling the strings from afar.
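A host-side detection that ties the persistence mechanisms described above to the reported C2 address, written as an added example for this article rather than code from CERT-UA or the malware analysis. It runs over constructed Sysmon-style records; the executable name, user paths, task name and the benign browser connection are assumptions, and only the C2 IP comes from the report.

```python
from collections import defaultdict

# C2 address reported for the campaign; every other value below is constructed.
C2_IP = "54.36.237.92"
RUN_KEY = r"\currentversion\run"
STARTUP_DIR = r"\start menu\programs\startup"
TOOL = r"C:\Users\u\Downloads\CERT_UA_protection_tool.exe"  # assumed name of the dropped binary

# Constructed Sysmon-style records: EventID 1 = process create, 3 = network
# connect, 11 = file create, 13 = registry value set.
EVENTS = [
    {"EventID": 1, "Image": TOOL,
     "CommandLine": 'schtasks /create /sc onlogon /tn Updater /tr "%s"' % TOOL},
    {"EventID": 13, "Image": TOOL,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 11, "Image": TOOL,
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"EventID": 3, "Image": TOOL, "DestinationIp": C2_IP, "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

def classify(ev: dict):
    """Map one event to a detection tag, or None if it is not interesting here."""
    eid = ev["EventID"]
    if eid == 13 and RUN_KEY in ev.get("TargetObject", "").lower():
        return "persistence:run_key"
    if eid == 11 and STARTUP_DIR in ev.get("TargetFilename", "").lower():
        return "persistence:startup_dir"
    cmd = ev.get("CommandLine", "").lower()
    if eid == 1 and "schtasks" in cmd and "/create" in cmd:
        return "persistence:scheduled_task"
    if eid == 3 and ev.get("DestinationIp") == C2_IP:
        return "c2:known_address"
    return None

def correlate(events: list) -> dict:
    """Group detection tags by the process image that produced them."""
    findings = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            findings[ev["Image"]].add(tag)
    return {img: sorted(tags) for img, tags in findings.items()}

def high_confidence(events: list) -> list:
    """Images that both installed persistence and reached the C2 address."""
    return [img for img, tags in correlate(events).items()
            if any(t.startswith("persistence:") for t in tags)
            and any(t.startswith("c2:") for t in tags)]
```

Sysmon's network event records only the TCP connection, so the WebSocket upgrade itself would have to come from a proxy or NetFlow source; the correlation logic stays the same.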
One of the more nuanced aspects of this campaign is the origin of the infrastructure. Analysis of the bogus "cert-ua[.]tech" website suggests that much of its content and code was generated with the assistance of artificial intelligence. This reflects a growing trend where AI lowers the barrier to entry for creating convincing, localized phishing lures.
Embedded in the HTML source code was a signature: "С Любовью, КИБЕР СЕРП" (With Love, CYBER SERP). This group, which emerged on Telegram in late 2025, claims to be a "cyber-underground" operative unit. While their rhetoric is bold, their technical execution in this specific campaign was somewhat sloppy. Despite sending a million emails, the campaign was largely unsuccessful. CERT-UA reported that only a few personal devices, primarily within educational institutions, were actually compromised.
In practice, why did a million-email blast yield such low results? It likely comes down to the "human firewall" and the maturity of institutional security. Most modern enterprise mail gateways are now trained to flag lookalike domains (like .tech instead of the official .gov.ua). Furthermore, the requirement for a user to manually download a ZIP from a third-party hosting site like Files.fm, enter a password, and run an executable is a high-friction process that many trained employees now recognize as a red flag.
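A mail-gateway style check for the two lure traits this section singles out, lookalike sender domains and archives staged on a third-party file host, added here as an example and not taken from the article or any vendor product. The protected domain "cert-ua.gov.ua" is assumed for illustration (the article only states that the official suffix is .gov.ua), and the Files.fm URL path is constructed.

```python
import re
from urllib.parse import urlparse

# Assumed official domain for the example; only the .gov.ua suffix is stated in the report.
PROTECTED_DOMAINS = {"cert-ua.gov.ua"}
# File-hosting services the report says were used to stage the archive.
FILE_HOSTS = {"files.fm"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True if the domain reuses a protected brand label under a different suffix."""
    d = domain.lower().rstrip(".")
    if any(d == p or d.endswith("." + p) for p in PROTECTED_DOMAINS):
        return False                      # the real domain or one of its subdomains
    for p in PROTECTED_DOMAINS:
        brand = p.split(".")[0]           # "cert-ua"
        for label in d.split("."):
            if brand in label or levenshtein(label, brand) <= 1:
                return True
    return False

def assess(sender: str, urls: list) -> list:
    """Return the reasons a message should be quarantined (empty list = clean)."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_domain):
        reasons.append(f"lookalike sender domain: {sender_domain}")
    for url in urls:
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if is_lookalike(host):
            reasons.append(f"lookalike link domain: {host}")
        if host in FILE_HOSTS and ARCHIVE_EXT.search(u.path):
            reasons.append(f"archive on third-party file host: {host}{u.path}")
    return reasons

# Constructed sample messages modelled on the campaign (URL paths are made up).
SAMPLES = {
    "lure": ("incidents@cert-ua.tech",
             ["https://files.fm/f/example/CERT_UA_protection_tool.zip"]),
    "legit": ("alerts@cert-ua.gov.ua", ["https://cert-ua.gov.ua/news/1"]),
}
```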
During my time analyzing complex APT attacks, I’ve often seen that the most successful breaches aren't the loudest ones. High-volume campaigns like this often trigger rapid detection precisely because they are so pervasive. A single report from one vigilant user can lead to a blocklist update that neutralizes the entire campaign within minutes.
Notwithstanding the low success rate of this specific attack, the impersonation of a national CERT is a systemic threat that requires a robust response. Organizations must move beyond simple awareness and toward a zero-trust mindset where no communication—even if it appears to come from a trusted authority—is accepted without verification.
What you should do next:
Ultimately, patching is like plugging holes in a ship's hull: it is only effective if you also keep a sharp lookout for the icebergs. UAC-0255 may have failed this time, but the evolution of AI-assisted phishing means the next mask they wear will likely be even more convincing.