CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails


The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a new phishing campaign in which attackers impersonated CERT-UA to distribute a remote access trojan called AGEWHEEZE.

The campaign, attributed to threat group UAC-0255, involved phishing emails sent on March 26–27, 2026, containing a password-protected ZIP file disguised as a security tool. The archive downloaded malware that allows attackers to execute commands, manage files, capture screenshots, and maintain persistence on infected systems.

The campaign targeted government institutions, medical centers, financial institutions, educational organizations, security companies, and software development firms. Some phishing emails were sent from the address incidents@cert-ua[.]tech.
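A mail-triage check for the two traits described above, a CERT-UA brand on a sender domain outside an allowlist and a password-protected ZIP attachment, as an added example that is not from CERT-UA or the original article. The allowlisted domain `cert.gov.ua`, the function names and the sample messages are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains your organisation accepts as genuine CERT-UA senders.
TRUSTED_DOMAINS = {"cert.gov.ua"}
# Brand token that should only appear on a trusted sender domain.
BRAND = re.compile(r"cert[-_. ]?ua", re.IGNORECASE)

def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has bit 0 (encrypted) set in its general-purpose flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(msg: EmailMessage) -> list[str]:
    """Return the reasons a message looks like the impersonation described above."""
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if BRAND.search(display + " " + addr) and domain not in TRUSTED_DOMAINS:
        reasons.append(f"brand-on-untrusted-domain:{domain}")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK" and zip_is_encrypted(payload):
            reasons.append(f"encrypted-zip:{part.get_filename()}")
    return reasons

def sample_message(sender: str, encrypted: bool) -> EmailMessage:
    """Constructed test message carrying a small, benign ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.rfind(b"PK\x01\x02")  # central directory file header
        data[cd + 8] |= 0x01            # set the 'encrypted' flag bit
    msg = EmailMessage()
    msg["From"] = sender.replace("[.]", ".")  # refang the defanged address
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="tool.zip")
    return msg
```

An encrypted ZIP on its own is only a weak signal, since mail gateways cannot scan its contents; combined with a brand name on an untrusted domain it is a reasonable trigger for quarantine and review.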

The malware communicates with a remote server via WebSockets and can maintain persistence through scheduled tasks, registry changes, or startup folder modifications.

Authorities reported that the campaign had limited success, affecting only a small number of personal devices. The operation has been linked to a group calling itself Cyber Serp, which also previously claimed responsibility for a breach of a Ukrainian cybersecurity company.

Reference: CERT IMPERSONATION 


