- The Computer Emergency Response Team of Ukraine (CERT-UA) was impersonated in a phishing campaign distributing a Go-based remote access trojan.
- Threat actors tracked as UAC-0255 targeted state, medical, security, educational, financial, and software companies via email.
- The malware, AGEWHEEZE, communicates via WebSockets and can execute commands, take screenshots, and steal clipboard data.
- The fake website used in the campaign was likely generated with AI and linked to a Telegram group called ‘Cyber Serp’.
- The campaign was largely unsuccessful, with only a few infected personal devices identified at educational institutions.
On March 26 and 27, 2026, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed that it was impersonated in a phishing campaign distributing a remote administration tool. The threat actors, tracked as UAC-0255, sent emails posing as the agency to state organizations, medical centers, and financial institutions.
The emails urged recipients to install a password-protected ZIP archive hosted on Files.fm. Consequently, the file downloaded malware packaged as security software from CERT-UA.
The malware is a Go-based remote access trojan codenamed AGEWHEEZE. It communicates with an external server over WebSockets and supports commands to execute file operations and take screenshots.
However, the attack was assessed to have been largely unsuccessful. “No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified,” the agency said.
An analysis revealed the bogus website was likely generated with artificial intelligence tools. Meanwhile, the HTML source code included a comment: “С Любовью, КИБЕР СЕРП,” meaning “With Love, CYBER SERP.”
In posts on Telegram, where the group has over 700 subscribers, Cyber Serp claims to be “cyber-underground operatives from Ukraine.” The threat actor said the phishing emails were sent to 1 million mailboxes and that over 200,000 devices were compromised.
Last month, Cyber Serp took responsibility for an alleged breach of Ukrainian cybersecurity company Cipher. In a statement, Cipher acknowledged an employee’s credentials were compromised but said its infrastructure was operating normally.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
