CERT-UA Impersonated in Phishing Campaign Distributing AGEWHEEZE RAT
The **Computer Emergency Response Team of Ukraine (CERT-UA)** has revealed a phishing campaign where attackers impersonated the agency to distribute the **AGEWHEEZE** Remote Access Trojan (RAT). The campaign, attributed to **UAC-0255**, targeted various sectors, including state organizations and security companies.

### Impersonation and Distribution
Threat actors, identified as **UAC-0255**, launched a phishing campaign on March 26 and 27, 2026, by sending emails that mimicked official **CERT-UA** communications. These emails contained a password-protected ZIP archive, hosted on Files.fm, which urged recipients to install what was purported to be specialized security software.
The targets spanned a wide range of sectors, including state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some emails were sent from the address "incidents@cert-ua[.]tech."
### AGEWHEEZE RAT Details
The ZIP file ("CERT_UA_protection_tool.zip") was designed to deploy malware disguised as a security tool from **CERT-UA**. The malware, identified as the **AGEWHEEZE** RAT, is a Go-based trojan that communicates with an external server ("54.36.237[.]92") via WebSockets.
**AGEWHEEZE** supports a comprehensive set of commands, enabling attackers to execute commands, manipulate files, modify the clipboard, emulate mouse and keyboard actions, capture screenshots, and manage processes and services. The malware also establishes persistence through scheduled tasks, modifications to the Windows Registry, or by adding itself to the Startup directory.
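The indicators quoted above (the lookalike domain, the spoofed sender address, the C2 address and the archive name) are enough for a defender to sweep DNS, proxy and mail-gateway logs. The script below is an added example, not CERT-UA's code or anything published by the agency: it refangs the indicators as printed in the article and matches them against a handful of constructed sample log lines in an assumed field layout. It also flags a WebSocket upgrade to a bare IP host, since that is the transport described for the RAT and survives a change of C2 address.

```python
"""Match the IoCs quoted for the AGEWHEEZE campaign against log lines.

Added example, not CERT-UA's tooling. The indicator values are the ones quoted
in the article; the log lines are constructed samples in an assumed format.
"""
import re

# Indicators as published, defanged with [.] so they are not clickable.
DEFANGED_IOCS = {
    "domain": "cert-ua[.]tech",
    "sender": "incidents@cert-ua[.]tech",
    "c2_ip": "54.36.237[.]92",
    "archive": "CERT_UA_protection_tool.zip",
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOCS = {name: refang(value) for name, value in DEFANGED_IOCS.items()}


def scan_line(line: str) -> list[str]:
    """Return the names of every indicator present in one log line.

    Matching is case-insensitive substring matching, so a subdomain of the
    lookalike domain or a differently cased attachment name still hits.
    """
    lowered = line.lower()
    hits = [name for name, value in IOCS.items() if value.lower() in lowered]
    # The RAT speaks WebSockets to a bare IP. An Upgrade request whose Host is
    # a raw IPv4 address is worth a look even if the address changes
    # (assumed proxy-log field layout: "host: a.b.c.d ... upgrade: websocket").
    if "upgrade: websocket" in lowered and re.search(r"host: \d+\.\d+\.\d+\.\d+", lowered):
        hits.append("websocket_to_bare_ip")
    return hits


# Constructed sample telemetry; not real log data.
SAMPLE_LOGS = [
    # DNS resolver log: lookup of the lookalike domain
    "2026-03-26T09:12:04Z dns client=10.0.0.21 query=cert-ua.tech type=A",
    # web proxy log: WebSocket upgrade to the quoted C2 address
    "2026-03-26T09:15:40Z proxy client=10.0.0.21 method=GET host: 54.36.237.92 upgrade: websocket",
    # mail gateway log: spoofed sender and the archive name
    "2026-03-26T08:58:11Z smtp from=incidents@cert-ua.tech to=user@example.invalid attach=CERT_UA_protection_tool.zip",
    # benign line that should not match
    "2026-03-26T09:20:00Z dns client=10.0.0.22 query=updates.example.invalid type=A",
]


def scan_logs(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_number, hits) for each line that matched at least one indicator."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := scan_line(line))]


if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {', '.join(hits)}")
```

Run it against exported logs by replacing `SAMPLE_LOGS` with the lines read from a file; the sender indicator necessarily also triggers the domain indicator, so a mail line reports both.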

### Limited Success and Attribution
**CERT-UA** assesses that the campaign had limited success, with only a few infected personal devices belonging to employees of educational institutions identified. The agency provided necessary assistance to affected individuals.
Analysis of the fraudulent website "cert-ua[.]tech" suggests the use of AI tools in its creation. The HTML source code contained a comment indicating attribution to "CYBER SERP."
### Cyber Serp Claims
**Cyber Serp**, identifying themselves as "cyber-underground operatives from Ukraine," claimed responsibility for the campaign on their Telegram channel. They alleged that the phishing emails were sent to 1 million ukr[.]net mailboxes, resulting in over 200,000 compromised devices.
**Cyber Serp** also claimed responsibility for an alleged breach of Ukrainian cybersecurity company **Cipher** last month. **Cipher** acknowledged the compromise of an employee's credentials, but stated that its infrastructure remained secure and that the infected user only had access to a single project without sensitive data.