A sophisticated phishing campaign has successfully cloned Ukraine’s official cybersecurity authority website to trick individuals into downloading a dangerous malware known as a remote access trojan (RAT). The threat group, identified as UAC-0255, employed a convincing fake version of CERT-UA’s site to distribute a Go-based RAT, highlighting the persistent threat of state-sponsored cyberattacks and advanced social engineering techniques.
The operation, which targeted government workers, medical professionals, and employees across numerous Ukrainian industries, commenced on March 26 and 27, 2026. Spearheaded by a wave of phishing emails appearing to originate from Ukraine’s national computer emergency response team, CERT-UA, the attackers urged recipients to download a password-protected archive. These archives, disguised as essential security tools that supposedly required immediate installation, in reality contained the AGEWHEEZE malware.
The targeted sectors were broad, encompassing government agencies, medical centers, critical security firms, educational institutions, vital financial organizations, and influential software development companies. This wide net suggests an intent to cause widespread disruption or gather extensive intelligence.
CERT-UA analysts swiftly identified the deception, confirming that the purported “protection tool” was indeed a malicious payload. The investigation revealed the executable hidden within the downloaded archives to be AGEWHEEZE, a potent remote access trojan meticulously developed using the Go programming language. The group’s command-and-control (C2) server was traced to an OVH-hosted IP address in France, and the incident was formally logged under case reference CERT-UA#21075.
To bolster the credibility of their phishing emails, the attackers registered the domain cert-ua[.]tech. They then meticulously recreated the official CERT-UA website, replicating its layout and content to deceive their targets. The fraudulent site featured identical download links and installation instructions. Notably, the SSL certificate for this imposter site was issued on March 27, 2026, mere hours before the phishing emails were deployed. The fake website was subsequently taken offline shortly after its discovery.
Further investigation into the source code of the cloned website uncovered a message embedded within the HTML: “With Love, CYBER SERP,” alongside a direct link to a Telegram channel. This discovery proved crucial in attributing the attack. On March 28, 2026, the identified group published a post on this very Telegram channel, explicitly claiming responsibility for the operation. This confession removed any ambiguity regarding attribution and solidified the establishment of the UAC-0255 tracking identifier.
Fortunately, CERT-UA reported that the overall attack did not achieve widespread success. A limited number of personal devices belonging to staff members at educational institutions were confirmed to be compromised. The quick response by CERT-UA provided essential technical assistance and practical mitigation guidance to the affected organizations, helping to contain the damage.
How AGEWHEEZE Installs Itself and Stays Hidden
Upon execution by a victim, AGEWHEEZE employs several techniques to establish persistence on the compromised system. It strategically places its executable files within the user’s AppData folder, often utilizing paths like %APPDATA%\SysSvc\SysSvc.exe or %APPDATA%\service\service.exe. To ensure its continuous operation even after system reboots, the malware manipulates the Windows Registry by creating entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Additionally, it registers scheduled tasks, typically named “SvcHelper” and “CoreService,” designed to automatically launch the malware at startup.
Once these persistence mechanisms are in place, AGEWHEEZE establishes a robust communication channel with its command-and-control server. This connection is made to the IP address 54[.]36.237.92 over port 8443, utilizing WebSockets technology to facilitate real-time, two-way communication between the attacker and the infected machine. This allows for immediate control and data exfiltration.
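The persistence and C2 artifacts described above lend themselves to a quick, read-only host check. The following PowerShell script is an added example, not code from CERT-UA or the article; the indicator values (drop paths, Run key, task names, C2 address and port) are taken from the report, while the script structure and variable names are this example's own.

```powershell
# Added example: read-only hunt for the AGEWHEEZE artifacts reported by CERT-UA.
# Run in an elevated PowerShell session on a Windows host; nothing is modified.
$Findings = @()

# 1. Executables dropped under %APPDATA%\SysSvc or %APPDATA%\service
$DropPaths = @(
    (Join-Path $env:APPDATA 'SysSvc\SysSvc.exe'),
    (Join-Path $env:APPDATA 'service\service.exe')
)
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p) {
        $Findings += [pscustomobject]@{ Type = 'File'; Detail = $p }
    }
}

# 2. HKCU Run values that launch something from those AppData folders
#    (matches both the literal %APPDATA% form and the expanded Roaming path)
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $RunKey) {
    $key = Get-Item -Path $RunKey
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        if ($val -match '(?i)(%APPDATA%|\\AppData\\Roaming)\\(SysSvc|service)\\') {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$name = $val" }
        }
    }
}

# 3. Scheduled tasks using the reported names, with the action they execute
$tasks = Get-ScheduledTask -TaskName 'SvcHelper', 'CoreService' -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $Findings += [pscustomobject]@{ Type = 'ScheduledTask'; Detail = "$($t.TaskName): $actions" }
}

# 4. Live TCP connections to the reported C2 endpoint 54.36.237.92:8443
$conns = Get-NetTCPConnection -RemoteAddress '54.36.237.92' -RemotePort 8443 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $who  = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $Findings += [pscustomobject]@{
        Type   = 'C2Connection'
        Detail = "PID $($c.OwningProcess) ($who) -> $($c.RemoteAddress):$($c.RemotePort) [$($c.State)]"
    }
}

if ($Findings.Count -eq 0) { 'No AGEWHEEZE indicators found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

A hit in any category should be treated as a lead for triage rather than proof on its own, since the task and folder names are generic enough to collide with legitimate software.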
The AGEWHEEZE malware boasts an extensive array of functionalities, granting its operators significant control over the compromised system. Its capabilities include capturing screenshots of the victim’s screen, simulating mouse clicks and keyboard inputs to remotely control the device, and managing files and directories. It can also list and terminate active processes, control system services, read and write data to the clipboard, open specified URLs, execute arbitrary terminal commands, and even initiate power actions such as shutting down, restarting, or locking the computer.
The C2 management panel used by the threat actors, reportedly named “The Cult,” was protected by an authentication form. Further analysis of the panel’s HTML source code revealed text in Russian, which provides additional clues pointing towards the nationality or affiliation of the group orchestrating this campaign. This linguistic marker, combined with the technical infrastructure, helps security researchers build a more complete profile of the threat actor.
To mitigate the risk of similar attacks, organizations are strongly advised to implement application control policies on all endpoints. Tools such as Windows Software Restriction Policies (SRP) or AppLocker can prevent unauthorized executables from running, thereby blocking the initial infection vector. Reducing the overall attack surface, both at the network perimeter and on individual devices through robust security configurations, is also a critical preventative measure. Furthermore, fostering a culture of cybersecurity awareness among employees is paramount. All employees should be trained to approach any unsolicited email prompting software downloads with extreme caution, particularly when the purported sender is a government entity or a recognized cybersecurity authority.