Recently, the Computer Emergency Response Team of Ukraine (CERT-UA) revealed a significant phishing campaign in which attackers impersonated the agency itself. The campaign, which deployed a remote administration tool named AGEWHEEZE, was carried out through fake email communications sent on March 26 and 27, 2026. The threat actors, tracked as UAC-0255, targeted various sectors, including state organizations, healthcare facilities, financial institutions, educational entities, and software developers, with emails linking to a password-protected ZIP file.

In an alarming twist, the emails originated from an address mimicking CERT-UA. These communications prompted recipients to download “specialized software” purportedly from the agency. The ZIP file, named “CERT_UA_protection_tool.zip,” was designed to deliver AGEWHEEZE, a Go-based remote access Trojan. This malware establishes a connection to an external server via WebSockets, enabling the execution of multiple commands, including file manipulation, clipboard modification, and capturing user input through screenshots and keystrokes.

The targeted phishing campaign sought to exploit approximately one million ukr[.]net mailboxes, with Cyber Serp, the group behind the attack, claiming that over 200,000 devices had been compromised. This statistic, along with the group's assertion that the average citizen in Ukraine would remain unharmed by its actions, underscores a calculated approach to cybersecurity threats in the region.

Despite the elaborate scheme, CERT-UA deemed the attack largely ineffective, estimating that only a handful of personal devices belonging to employees of educational institutions fell victim to the malware. The agency’s specialists provided guidance and support to mitigate potential risks. An analysis of the fraudulent website, “cert-ua[.]tech,” revealed techniques that pointed towards artificial intelligence tools used for its creation, supported by an in-code message reading “С Любовью, КИБЕР СЕРП,” translating to “With Love, CYBER SERP.”

This incident is a clear example of the Initial Access tactic described in the MITRE ATT&CK framework, in which adversaries use social engineering via phishing to gain entry. Persistence methods may also have been leveraged by embedding the malware within the downloaded ZIP file. The malware's ability to modify the Windows Registry and establish scheduled tasks further exemplifies potential persistence techniques employed by attackers.
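As an added example (not part of CERT-UA's report or the original article), the following Python triage script runs over constructed mail-gateway log lines and flags the indicators described above: a sender domain that mimics CERT-UA, links to the lure domain cert-ua[.]tech, and the attachment name CERT_UA_protection_tool.zip. It assumes CERT-UA's legitimate mail domain is cert.gov.ua and that the log format (`from=<...> attach=... url=...`) is a hypothetical gateway format; defanged indicators (`[.]`, `hxxp`) are normalized before matching.

```python
import re
from dataclasses import dataclass

# Assumption for this example: the agency's legitimate mail domain.
LEGIT_DOMAIN = "cert.gov.ua"
# Indicators quoted in the CERT-UA report discussed above.
FAKE_DOMAIN = "cert-ua.tech"
LURE_ZIP = "cert_ua_protection_tool.zip"

# Constructed sample log lines (hypothetical gateway format, not real traffic).
SAMPLE_LOG = [
    "2026-03-26T09:12:01Z from=<alerts@cert.gov.ua> to=<ops@example.org> subj='Advisory' attach=none url=none",
    "2026-03-26T09:15:44Z from=<support@cert-ua.tech> to=<hr@example.org> subj='Protection tool' "
    "attach=CERT_UA_protection_tool.zip url=hxxps://cert-ua[.]tech/download",
    "2026-03-27T10:02:13Z from=<news@vendor.example> to=<it@example.org> subj='Newsletter' attach=none url=https://vendor.example/x",
    "2026-03-27T11:30:00Z from=<noreply@cert-ua-support.example> to=<dev@example.org> subj='Update' attach=update.zip url=none",
]

@dataclass
class Finding:
    line_no: int
    reasons: list

def refang(s: str) -> str:
    """Undo common defanging so indicators match regardless of how they were logged."""
    return s.replace("[.]", ".").replace("hxxp", "http")

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def looks_like_cert_ua(domain: str) -> bool:
    """True when the domain evokes CERT-UA but is not the legitimate domain or a subdomain of it."""
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return False
    return re.search(r"cert[-_.]?ua", domain) is not None

def triage(lines):
    """Return one Finding per suspicious log line, listing every indicator that matched."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        reasons = []
        m = re.search(r"from=<?([^\s>]+@[^\s>]+)>?", line, re.I)
        if m and looks_like_cert_ua(sender_domain(m.group(1))):
            reasons.append("sender domain impersonates CERT-UA")
        if FAKE_DOMAIN in line.lower():
            reasons.append("link to known lure domain")
        m = re.search(r"attach=(\S+)", line, re.I)
        if m and m.group(1).lower() == LURE_ZIP:
            reasons.append("known lure archive name")
        if reasons:
            findings.append(Finding(n, reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the impersonating sender on line 2 flagged on all three indicators and the lookalike domain on line 4 flagged on the sender check alone, while the genuine cert.gov.ua message passes.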

On the international stage, particular attention should be given to the evolving landscape of cyber threats emanating from Ukraine. With groups like Cyber Serp claiming responsibility for high-profile breaches, including an alleged infiltration of Ukrainian cybersecurity firm Cipher, business owners should remain vigilant. Cipher confirmed that an employee’s credentials were compromised but reassured stakeholders that their systems were functioning normally and no sensitive data was exfiltrated.

As cyber threats continue to evolve, understanding the tactics and techniques employed by threat actors is essential for businesses, particularly those operating in vulnerable sectors like finance and healthcare. Maintaining updated cybersecurity protocols and employee training on phishing awareness can deter potential breaches. In an increasingly interconnected digital environment, staying informed about the latest tactics used by adversaries is vital for proactive defense against data breaches.

The Cyber Serp group, operational since late 2025, has drawn considerable attention, raising concerns within the cybersecurity community regarding their capabilities and the reach of their tactics. By closely monitoring these developments, businesses can fortify their defenses against evolving cyber threats.