CERT-UA Impersonation - Malware Campaign Targets 1 Million Emails
Basically, hackers pretended to be a cybersecurity agency to send malware in emails.
A new phishing campaign impersonating CERT-UA has spread AGEWHEEZE malware to over 1 million emails. This attack targeted various sectors, raising serious security alarms. Stay vigilant against such threats to protect your data.
What Happened
The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a phishing campaign that impersonated the agency itself. This attack, attributed to a group known as UAC-0255, occurred on March 26 and 27, 2026. The attackers sent out emails containing a password-protected ZIP file, claiming to offer a security tool. This ZIP file, named CERT_UA_protection_tool.zip, was hosted on Files.fm and was designed to download a remote administration tool called AGEWHEEZE.
The emails were sent to a staggering 1 million users, primarily targeting state organizations, medical centers, educational institutions, and financial companies. The malicious emails were dispatched from a suspicious address, incidents@cert-ua[.]tech, which closely mimicked the legitimate CERT-UA domain. Despite the scale of the campaign, CERT-UA reported that the attack was largely unsuccessful, with only a few personal devices infected.
Who's Being Targeted
The phishing campaign's targets included a broad spectrum of sectors, showcasing the attackers' intent to compromise critical infrastructure. State organizations were particularly at risk, alongside medical centers and educational institutions. The attackers aimed to exploit vulnerabilities in these sectors, potentially gaining access to sensitive information and systems.
UAC-0255's choice of targets reflects a strategic approach to maximize impact. By impersonating a trusted cybersecurity agency, they sought to lower the recipients' defenses, increasing the likelihood of infection. The campaign's scale, reaching over 1 million email addresses, highlights the ongoing threat posed by sophisticated phishing tactics.
Signs of Infection
AGEWHEEZE, the malware used in this campaign, is a remote access trojan (RAT) that allows attackers to control infected devices remotely. Once installed, it can execute commands, manage files, take screenshots, and even manipulate the clipboard. The malware establishes a connection with an external server over WebSockets, enabling real-time communication with the attackers.
Indicators of compromise include unexpected behavior on devices, such as unauthorized access to files or unusual network activity. Users should be vigilant for any signs of infection, especially if they have interacted with suspicious emails or downloaded unknown files.
How to Protect Yourself
To safeguard against such phishing attacks, users should adopt several best practices. First, always verify the sender's email address, especially when receiving unexpected attachments. Avoid downloading files from unknown sources, even if they appear to be from trusted entities.
Additionally, maintaining updated antivirus software can help detect and block malware before it can cause harm. Regularly educating employees and users about phishing tactics can further bolster defenses against such campaigns. By fostering a culture of cybersecurity awareness, organizations can significantly reduce their risk of falling victim to similar attacks in the future.