

Ethical Hacking News

CERT-UA Impersonation Campaign: A Sneak Peek into the World of Advanced Phishing Attacks



A new phishing campaign has emerged, impersonating CERT-UA to distribute malware, compromising over 1 million email recipients. In this article, we delve into the details of this campaign, exploring its modus operandi, the malware involved, and the implications of such an attack.

  • The threat actor group UAC-0255 launched a sophisticated phishing campaign impersonating CERT-UA, targeting over 1 million email recipients.
  • The phishing campaign began on March 26 and 27, 2026, with emails sent to various organizations and individuals.
  • The malware involved was AGEWHEEZE, a remote access trojan (RAT) designed to grant unauthorized access to infected devices.
  • The attackers used AI tools to create a bogus website and Telegram channel to promote their campaign.
  • Only a few infected personal devices were identified as being compromised, suggesting the attack may not have been entirely successful.



    The world of cybersecurity is a cat-and-mouse game, where threat actors constantly evolve and adapt their tactics to outsmart security measures. Recently, the Computer Emergency Response Team of Ukraine (CERT-UA) has shed light on a sophisticated phishing campaign that impersonated CERT-UA itself, thereby spreading malware to over 1 million email recipients. In this article, we will delve into the details of this campaign, exploring its modus operandi, the malware involved, and the implications of such an attack.

    The phishing campaign, attributed to the threat actor group UAC-0255, began on March 26 and 27, 2026, with emails sent to a broad range of targets, including state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. The emails were designed to appear as if they originated from CERT-UA, with the aim of tricking recipients into installing a password-protected ZIP archive hosted on Files.fm.

    Upon opening the attachment, the recipient would download the malware package, which was disguised as security software. However, unbeknownst to the victim, this was merely a Trojan horse for AGEWHEEZE, a remote access trojan (RAT) designed to grant unauthorized access to infected devices.

    AGEWHEEZE is a Go-based malware that communicates with an external server ("54.36.237[.]92") over WebSockets. It supports a wide range of commands: executing arbitrary code, performing file operations, modifying the clipboard, emulating mouse and keyboard inputs, taking screenshots, and managing processes and services. It establishes persistence by using scheduled tasks, modifying the Windows Registry, or adding itself to the Startup directory.

    The attackers' use of artificial intelligence (AI) tools is evident in their creation of a bogus website "cert-ua[.]tech," which included a comment stating "С Любовью, КИБЕР СЕРП" – roughly translating to "With Love, CYBER SERP." This suggests that the threat actor group, Cyber Serp, has a penchant for using AI-generated content in their phishing campaigns.
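
    For defenders, the two network indicators named above can be swept against proxy logs. The following is an added example, not code from CERT-UA or from this article; the log format, source host names and sample lines are constructed for illustration. It matches hosts exactly, so look-alike values such as a longer IP address or an unrelated domain that merely begins with the lure name do not raise false hits.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as the article publishes them (defanged).
PAGE_IOCS = ["54.36.237[.]92", "cert-ua[.]tech"]

def refang(ioc):
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").lower()

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

IOC_IPS = {refang(i) for i in PAGE_IOCS if is_ip(refang(i))}
IOC_DOMAINS = {refang(i) for i in PAGE_IOCS if not is_ip(refang(i))}

def classify(host):
    """Exact match on IPs; exact or subdomain match on domains (no substrings)."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return "c2-ip"
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "lure-domain"
    return None

def sweep(log_text):
    """Return (source, destination, kind, is_websocket) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip malformed lines rather than guess
            continue
        _ts, src, _method, url, upgrade = fields
        host = urlsplit(url).hostname or ""
        kind = classify(host)
        if kind:
            hits.append((src, host, kind, upgrade == "upgrade=websocket"))
    return hits

# Constructed sample in a hypothetical format: time, source, method, URL, Upgrade header.
SAMPLE_LOG = """\
2026-03-27T09:14:02Z ws-edu-017 GET http://54.36.237.92/ upgrade=websocket
2026-03-27T09:14:05Z ws-edu-022 GET https://cert.gov.ua/ upgrade=-
2026-03-27T09:15:40Z ws-fin-003 GET https://cert-ua.tech/ upgrade=-
2026-03-27T09:16:11Z ws-dev-009 GET http://154.36.237.92/ upgrade=-
2026-03-27T09:17:30Z ws-med-004 GET https://www.cert-ua.tech/ upgrade=-
2026-03-27T09:18:02Z ws-sec-001 GET https://cert-ua.tech.example.org/ upgrade=-
"""
```

    Calling `sweep(SAMPLE_LOG)` flags three of the six constructed lines: the WebSocket connection to the server address and the two requests to the look-alike domain and its subdomain.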

    Furthermore, an analysis of the Telegram channel belonging to Cyber Serp reveals that it was created in November 2025 and boasts over 700 subscribers. The channel's posts have revealed that the attackers are claiming to be "cyber-underground operatives from Ukraine," which raises questions about their true intentions and affiliations.

    It is worth noting that, despite the attackers' claims, only a few infected personal devices belonging to employees of educational institutions were identified as being compromised. This suggests that the attack may not have been entirely successful, possibly due to the limited scope of the phishing campaign or the effectiveness of certain security measures employed by the targeted organizations.

    In conclusion, this recent phishing campaign serves as a stark reminder of the ever-evolving nature of advanced threats and the importance of vigilance in cybersecurity. By impersonating CERT-UA and leveraging AI tools, Cyber Serp has demonstrated an unprecedented level of sophistication in their attack tactics. As threat actors continue to adapt and innovate, it is essential for organizations to stay ahead of the curve by implementing robust security measures and staying informed about emerging threats.








  • Published: Wed Apr 1 13:52:43 2026 by llama3.2 3B Q4_K_M












