A recent cyberattack involved the creation of a counterfeit version of Ukraine’s official cybersecurity agency website, aiming to distribute a harmful remote access tool. The operation, identified as UAC-0255, utilized phishing emails and a cloned government site to implant malware in the devices of professionals across various Ukrainian sectors.
Cyberattack Details and Execution
The deceptive campaign occurred on March 26 and 27, 2026, targeting organizations with emails purportedly from CERT-UA, Ukraine’s national computer emergency response team. The emails directed recipients to download a file from Files.fm, misleading them into believing it contained a critical security tool that required immediate installation.
The attackers focused on sectors such as government, healthcare, security, education, finance, and technology. CERT-UA analysts quickly identified the fraud, revealing that the so-called security tool was, in fact, a malicious software package.
Technical Insights into AGEWHEEZE Malware
Inside the downloadable archive was AGEWHEEZE, a sophisticated remote access trojan developed using the Go programming language. The malware’s command-and-control server was traced to an IP address associated with the French company OVH, and the incident was formally recorded under CERT-UA#21075.
To lend credibility to their scheme, the attackers registered the domain cert-ua[.]tech, creating a counterfeit website that imitated CERT-UA’s official site. This fraudulent page included download links and installation instructions, supported by an SSL certificate issued on March 27, 2026, mere hours before the emails circulated.
Implications and Protective Measures
Despite the attack’s sophistication, CERT-UA reported minimal infection, affecting only a limited number of personal devices within educational institutions. The response team acted swiftly to provide technical support and preventive advice to those impacted.
AGEWHEEZE employs several persistence techniques, embedding itself within system files and utilizing registry entries to ensure continued operation post-restart. It communicates with its C2 server through WebSockets, facilitating real-time interaction and offering a wide range of capabilities, from capturing screenshots to executing system commands.
Organizations are urged to deploy application control solutions like SRP or AppLocker to prevent unauthorized software execution. Additionally, reducing the attack surface within networks and exercising caution with unexpected emails claiming to originate from trusted entities is crucial.
For more updates, follow us on Google News, LinkedIn, and X. Set CSN as a preferred source in Google for instant alerts.
