Ukraine's Computer Emergency Response Team (CERT-UA) has disclosed the details of a large-scale phishing campaign in which the agency itself was impersonated by threat actors to deliver a remote administration tool (RAT) known as AGEWHEEZE. The campaign, attributed to the threat cluster UAC-0255, sent over one million malicious emails targeting Ukrainian organizations and individuals.
Campaign Overview
The attackers constructed phishing emails that closely mimicked official CERT-UA communications — using spoofed sender addresses, the CERT-UA logo, and language consistent with real security advisories. Recipients were deceived into believing they were receiving a legitimate cybersecurity notification from Ukraine's national CERT.
| Attribute | Details |
|---|---|
| Threat Actor | UAC-0255 |
| Malware | AGEWHEEZE (Remote Administration Tool) |
| Campaign Volume | 1,000,000+ emails |
| Impersonated Entity | CERT-UA (Ukraine's Computer Emergency Response Team) |
| Targets | Ukrainian government, defense, and private sector organizations |
| Disclosed by | CERT-UA, April 2026 |
What Is AGEWHEEZE?
AGEWHEEZE is a remote administration tool (RAT) used by UAC-0255 in targeted campaigns against Ukrainian organizations. Key capabilities include:
- Full remote desktop control of the compromised host
- Keylogging and credential harvesting
- File system access — upload, download, and deletion
- Screen capture and live session monitoring
- Persistent access via registry run keys and scheduled tasks
- Encrypted C2 communications to evade network detection
AGEWHEEZE is described by CERT-UA as a tool used primarily for intelligence collection and persistent access, consistent with UAC-0255's profile as a cyber-espionage actor targeting Ukrainian government and defense entities.
The Phishing Technique
Email Impersonation
The phishing emails used several tactics to appear legitimate:
From: [email designed to mimic cert.gov.ua domain]
Subject: "Security Advisory — Urgent Action Required"
Body: Ukrainian-language text mimicking CERT-UA advisory format
Attachment: .ZIP file containing AGEWHEEZE loader
Recipients familiar with receiving actual CERT-UA advisories — particularly IT and security staff in Ukrainian organizations — were the most likely targets, as they would be conditioned to act on CERT-UA communications.
Delivery Chain
1. Victim receives email appearing to be from CERT-UA
2. Email contains a .ZIP attachment or a malicious link
3. Opening the attachment extracts an executable or script loader
4. Loader downloads and executes AGEWHEEZE from attacker-controlled server
5. AGEWHEEZE establishes C2 connection and provides full remote access
6. Attacker collects intelligence, steals credentials, pivots laterally
Who Is UAC-0255?
UAC-0255 is a threat cluster tracked by CERT-UA as a persistent actor targeting Ukrainian entities. The group has been active throughout the Russia-Ukraine conflict and conducts:
- Spear-phishing campaigns against government and military targets
- Impersonation of trusted entities (government agencies, security teams)
- Deployment of RATs and information stealers for espionage
- Lateral movement within compromised organizational networks
The scale of this campaign — one million emails — represents a shift to mass phishing targeting a broad audience rather than narrowly targeted spear-phishing, suggesting the group may be attempting to maximize initial access opportunities across Ukraine's wider organizational landscape.
Impact and Risks
Organizations whose staff received and acted on these emails may face:
- Persistent attacker access via AGEWHEEZE backdoors
- Credential theft — domain accounts, email, VPN, and web service passwords
- Sensitive data exfiltration — documents, communications, and strategic materials
- Lateral movement from initial access to deeper network compromise
- Operational disruption if the attacker chooses to deploy destructive payloads after intelligence collection
Detection and Response
Indicators to Watch For
| Indicator Type | Description |
|---|---|
| Suspicious CERT-UA-spoofed sender | Check actual sending domain vs. cert.gov.ua |
| .ZIP attachments from unexpected senders | Treat unsolicited attachments as suspect |
| Unusual outbound connections | AGEWHEEZE C2 traffic to external IPs |
| New persistence mechanisms | Unexpected run keys, scheduled tasks |
| Remote desktop activity | Unexpected RDP or VNC sessions |
Immediate Actions for Affected Organizations
- Isolate any host suspected of running AGEWHEEZE
- Reset credentials for any accounts accessed from the compromised machine
- Review logs for outbound connections to unfamiliar external IPs
- Check persistence locations: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Task Scheduler, Startup folder
- Report to CERT-UA via official channels at cert.gov.ua
Email-Level Defenses
- Enforce SPF, DKIM, and DMARC checks on inbound mail so that messages spoofing the cert.gov.ua domain are rejected
- Add sender verification warnings for emails that fail authentication
- Train staff to verify unexpected "CERT-UA" communications via official channels
- Block execution of files extracted from email attachments (AppLocker/WDAC)
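As an added example (not CERT-UA's or The Hacker News' code), the sender, authentication and attachment indicators from the table above and the "sender verification warnings" defense combined into one mail-gateway triage function, run over a constructed spoofed message. It assumes the gateway stamps an RFC 8601 Authentication-Results header and that cert.gov.ua is the only legitimate CERT-UA sender domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "cert.gov.ua"  # assumption: the only genuine CERT-UA sender domain
SUSPECT_EXTENSIONS = (".zip", ".exe", ".js", ".vbs")  # archive/script loaders
# Constructed sample, not a real campaign message: spoofed display name, lookalike
# domain, failed SPF/DMARC, and a .zip attachment holding placeholder bytes only.
SAMPLE = """\
From: CERT-UA <alerts@cert-gov-ua.example>
Subject: Security Advisory - Urgent Action Required
Authentication-Results: mx.victim.example;
 spf=fail smtp.mailfrom=cert-gov-ua.example; dkim=none;
 dmarc=fail header.from=cert-gov-ua.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached advisory and apply the fix immediately.
--b1
Content-Type: application/zip; name="advisory.zip"
Content-Disposition: attachment; filename="advisory.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

def triage_message(raw: str) -> list[str]:
    """Return human-readable findings for one raw message; an empty list means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender check: the message presents as CERT-UA but is not sent from cert.gov.ua.
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    presents_as_cert_ua = any("cert" in s.lower() for s in (display, domain, str(msg.get("Subject", ""))))
    if presents_as_cert_ua and domain != TRUSTED_DOMAIN:
        findings.append(f"sender domain '{domain}' is not {TRUSTED_DOMAIN}")
    # 2. Authentication check: SPF, DKIM and DMARC (RFC 8601 header) must all be 'pass'.
    auth = str(msg.get("Authentication-Results", ""))
    results = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech, "missing") != "pass":
            findings.append(f"{mech} result is '{results.get(mech, 'missing')}'")
    # 3. Attachment check: archive or script attachments are how the loader is delivered.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPECT_EXTENSIONS):
            findings.append(f"suspicious attachment: {name}")
    return findings
```

Any non-empty result is the point at which a gateway would add the warning banner or quarantine the message rather than deliver it.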
Broader Context
This campaign illustrates a recurring tactic in the ongoing cyber conflict targeting Ukraine: impersonating trusted cybersecurity authorities to weaponize the very trust those organizations depend on. By mimicking CERT-UA — the entity Ukrainians rely on for security guidance — UAC-0255 turns institutional trust into an attack vector.
Security teams in Ukraine and allied nations supporting Ukrainian cyber defense should treat this campaign as an active threat and ensure detection capabilities are updated accordingly.
References
Source: The Hacker News — April 1, 2026