The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign in which the agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. The disclosure underscores a growing trend of threat actors exploiting the credibility of trusted cybersecurity institutions to carry out malicious operations.
UAC-0255 Sent Malicious Emails Disguised as CERT-UA
CERT-UA attributes the campaign to the threat actor UAC-0255, which sent malicious emails impersonating CERT-UA on March 26 and 27, 2026. The emails carried a password-protected ZIP archive designed to lure recipients into executing a remote administration tool known as AGEWHEEZE. By placing the malicious payload inside a password-protected archive, the attackers added a layer of obfuscation intended to bypass conventional security scanning tools, which cannot inspect encrypted archive contents.
AGEWHEEZE is a remote administration tool that, once deployed on a target system, provides unauthorized control to the attacker. This type of tool is particularly dangerous because it can facilitate persistent access, data exfiltration, and further lateral movement within a compromised network. The use of AGEWHEEZE as the primary payload indicates that the campaign was oriented toward establishing long-term footholds rather than executing a single, isolated intrusion.
How UAC-0255 Structured the Phishing Scheme
The attackers relied on several deliberate techniques to increase the likelihood of a successful compromise:
- Impersonation: By imitating CERT-UA, a widely recognized and trusted cybersecurity authority in Ukraine, the threat actors exploited institutional trust to encourage recipients to engage with the email content without suspicion.
- Password-Protected ZIP Archives: The use of encrypted or password-protected archives is a well-documented technique in phishing campaigns, as it limits the ability of automated security tools to inspect or flag the contents before they are opened by the target.
- AGEWHEEZE Payload Delivery: The ultimate objective of the campaign was the deployment of AGEWHEEZE, granting the threat actor remote administrative access to affected systems and the ability to execute commands, monitor activity, or extract sensitive data.
Recommended Defenses Against Similar Phishing Campaigns
Organizations and individuals can take several practical steps to reduce exposure to campaigns of this nature:
- Email Filtering: Deploy layered email filtering solutions capable of identifying spoofed sender addresses and flagging emails that mimic known institutions, including government cybersecurity agencies.
- Security Awareness Training: Conduct regular training sessions to help employees identify phishing attempts, particularly those involving unexpected file attachments or password-protected archives from seemingly authoritative sources.
- Source Verification: Before interacting with any email attachment, especially a password-protected file, recipients should independently verify the legitimacy of the sender through official channels.
- Endpoint Protection Updates: Keep endpoint detection and response tools, antivirus software, and operating systems fully updated to detect and block known remote administration tools such as AGEWHEEZE.
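The two traits the campaign combines, a display name that claims to be CERT-UA while the sender domain does not match, and a ZIP attachment whose entries carry the encryption flag, are both visible to a mail gateway without knowing the archive password. The following script is an added example, not part of the original report or any CERT-UA tooling: it parses a raw message, checks the From header against a configurable allowlist of trusted sender domains (the `cert.gov.ua` entry is an assumption to adjust for your environment), and flags attachments whose ZIP central directory marks entries as encrypted. The sample message and archive it analyses are constructed inline; the "encrypted" archive is a normal ZIP with the flag bit patched in, since the standard library cannot write encrypted archives.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: domains from which mail legitimately signed as CERT-UA is expected.
TRUSTED_SENDER_DOMAINS = {"cert.gov.ua"}
# Display-name fragments that indicate the sender claims to be CERT-UA.
IMPERSONATED_NAMES = ("cert-ua", "cert ua")


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any central-directory entry sets the encryption flag (bit 0).
    Only the directory is read, so no password is needed and nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def analyze_message(raw: bytes, trusted_domains=TRUSTED_SENDER_DOMAINS) -> dict:
    """Return the sender address, a list of findings and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = ""
    if msg["From"] and msg["From"].addresses:
        addr = msg["From"].addresses[0]
        sender = addr.addr_spec
        claims_cert_ua = any(n in addr.display_name.lower() for n in IMPERSONATED_NAMES)
        if claims_cert_ua and addr.domain.lower() not in trusted_domains:
            findings.append(f"display name claims CERT-UA but sender domain is {addr.domain!r}")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes rather than trusting the declared content type.
        if payload[:4] == b"PK\x03\x04" and zip_has_encrypted_entries(payload):
            findings.append(f"password-protected ZIP attachment {part.get_filename()!r}")
    return {"from": sender, "findings": findings, "suspicious": bool(findings)}


def build_fake_encrypted_zip() -> bytes:
    """Constructed sample: a ZIP whose headers carry the encryption flag.
    The content is not actually encrypted; the flag is patched in after writing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("tool.exe", b"placeholder bytes, not an executable")
    data = bytearray(buf.getvalue())
    # End-of-central-directory record is the final 22 bytes (no archive comment);
    # the central-directory offset is the little-endian u32 at EOCD+16.
    eocd = len(data) - 22
    assert data[eocd:eocd + 4] == b"PK\x05\x06"
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    assert data[cd_offset:cd_offset + 4] == b"PK\x01\x02"
    # General-purpose flag word: local file header at +6, central directory entry at +8.
    data[6] |= 0x01
    data[cd_offset + 8] |= 0x01
    return bytes(data)


def build_sample_email() -> bytes:
    """Constructed phishing sample modelled on the campaign: CERT-UA in the
    display name, an unrelated sender domain, and an encrypted ZIP attached."""
    msg = EmailMessage()
    msg["From"] = "CERT-UA <alerts@example.net>"  # constructed address
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Urgent security notice"
    msg.set_content("Please open the attached archive. Password: 1234")
    msg.add_attachment(build_fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = analyze_message(build_sample_email())
    print("suspicious:", result["suspicious"])
    for finding in result["findings"]:
        print(" -", finding)
```

Either finding alone is a reason to quarantine for analyst review; together they match the pattern described above. The domain check deliberately relies on the display name and envelope address only, so it complements rather than replaces SPF, DKIM and DMARC evaluation at the gateway.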
Phishing Campaigns Continue to Target Trusted Institutions
This campaign is a clear example of how threat actors deliberately target the reputations of trusted organizations to increase the success rate of payload delivery. When recipients believe a communication comes from an authority like CERT-UA, they are statistically more likely to interact with attached files without applying the same level of scrutiny they might reserve for unknown senders. The UAC-0255 campaign reinforces why even communications appearing to originate from cybersecurity agencies should be carefully verified, and why organizations must maintain strong internal protocols for handling unsolicited emails with attachments.
