Fake CERT-UA emails push AGEWHEEZE in mass Ukraine phishing wave

Vlad CONSTANTINESCU

April 02, 2026

A CERT-UA spoofing campaign used fake security tools to spread remote access malware to numerous email addresses.

CERT-UA used as a phishing lure

Ukraine’s cyber defenders are warning of a phishing operation that abused the CERT-UA brand to trick people into installing malware disguised as protection software. According to the agency, the activity was tied to UAC-0255 and relied on emails sent on March 26 and 27 to a broad mix of targets, including public sector bodies, healthcare providers, financial institutions, educators, security firms and software companies.

The malicious messages directed victims to a password-protected archive hosted on Files[.]fm and, in some cases, used the address incidents@cert-ua[.]tech to appear legitimate. The fake domain mimicked CERT-UA branding closely enough to reinforce the illusion that recipients were being offered an official defensive utility.
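As an added example, not code from the article or from CERT-UA, the following Python triage check looks for the lure characteristics described above in incoming mail: a sender domain that imitates CERT-UA, a link to the file-sharing host, and an archive password handed over in the message body. It assumes cert.gov.ua as the agency's genuine domain, and the sample messages are constructed.

```python
import re

# Real agency domain is cert.gov.ua (known fact); anything else that reads as
# "cert-ua" is treated as a lookalike, e.g. the cert-ua[.]tech address in the article.
LEGIT_CERT_UA = "cert.gov.ua"
FILE_SHARING_HOSTS = {"files.fm"}  # archive host named in the article; extend as needed
PASSWORD_HINT = re.compile(r"\b(password|пароль)\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s<>]+)", re.IGNORECASE)

def refang(text: str) -> str:
    """Turn defanged indicators ("cert-ua[.]tech", "hxxps://") back into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'CERT-UA <incidents@cert-ua[.]tech>'."""
    addr = refang(from_header).strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].lower()

def imitates_cert_ua(domain: str) -> bool:
    """True for a domain that reads as CERT-UA but is not the agency's own."""
    if domain == LEGIT_CERT_UA or domain.endswith("." + LEGIT_CERT_UA):
        return False
    return "certua" in re.sub(r"[-_.]", "", domain)

def triage(msg: dict) -> list:
    """Reasons a message matches the lure pattern; an empty list means no match."""
    reasons = []
    domain = sender_domain(msg["from"])
    if imitates_cert_ua(domain):
        reasons.append(f"sender domain {domain} imitates CERT-UA")
    body = refang(msg["body"])
    hosts = {h.lower().split(":")[0] for h in URL_HOST.findall(body)}
    hits = sorted(hosts & FILE_SHARING_HOSTS)
    if hits:
        reasons.append("link to file-sharing host " + ", ".join(hits))
        if PASSWORD_HINT.search(body):  # password in the mail body defeats scanning of the archive
            reasons.append("archive password supplied in message body")
    return reasons

SAMPLES = [  # constructed sample messages, not real captures
    {"from": "CERT-UA <incidents@cert-ua[.]tech>",
     "body": "Install the protection tool: hxxps://files[.]fm/u/EXAMPLE (archive password: 1234)"},
    {"from": "noreply@cert.gov.ua",
     "body": "Advisory published at https://cert.gov.ua/article/EXAMPLE"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or ["clean"])
```

Feed it parsed From: headers and bodies from your mail gateway; any non-empty result is worth an analyst's look, and the first sample yields all three reasons while the genuine advisory yields none.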

AGEWHEEZE was built for hands-on control

Inside the archive was AGEWHEEZE, a Go-based remote access trojan capable of turning an infected Windows machine into a remotely managed foothold. CERT-UA said the malware communicates with an external server over WebSockets and can execute commands, manipulate files, monitor the clipboard, emulate keyboard and mouse actions, capture screenshots and manage processes and services.

The malware also supports persistence through scheduled tasks, Registry changes or Startup folder placement, giving operators multiple ways to maintain access even after a reboot. In practical terms, AGEWHEEZE functions less as a smash-and-grab implant and more as a flexible post-compromise tool suited to sustained surveillance or follow-on intrusion activity.

Big distribution, but with limited impact

While the actor-linked Telegram presence Cyber Serp claimed the campaign reached 1 million ukr.net mailboxes and compromised more than 200,000 devices, CERT-UA’s own assessment was far less dramatic. The agency said it identified only a small number of infected personal devices tied to employees at educational institutions and provided direct response support.

In scenarios like these, the importance of using dedicated security solutions cannot be overstated. Bitdefender Ultimate Security can help defend against phishing-led attacks like this through layered protections that include email scanning, scam detection, malicious download blocking, web protection and behavior-based threat monitoring designed to spot suspicious activity even when malware wears legitimate disguises.
