Hackers impersonate Ukraine's cyber defense agency to deploy remote access trojan

Attackers built a convincing fake version of CERT-UA's official website, registered an imitation domain one day into the campaign, and used an AI-generated phishing site to distribute malware packaged as protective security software.

What happened

Ukraine's Computer Emergency Response Team, known as CERT-UA, has disclosed that between March 26 and 27, 2026, an unknown threat actor conducted a phishing campaign impersonating the agency to distribute malware to organizations across Ukraine. According to The Hacker News, the threat actors, tracked by CERT-UA as UAC-0255, sent emails posing as the agency and urging recipients to download a password-protected archive named "CERT_UA_protection_tool.zip" from the Files.fm file-sharing service. The emails described the contents as specialized protective software. The campaign targeted a broad range of Ukrainian institutions, including government organizations, medical centers, security companies, educational institutions, financial institutions, and software development firms. The group behind the attack, identifying itself as Cyber Serp, later claimed on Telegram that the phishing emails had been sent to one million ukr.net mailboxes.

Going deeper

The archive contained not protective software but AGEWHEEZE, a full-featured remote access trojan (RAT), which is a type of malware that gives an attacker complete remote control over an infected machine, including live screen viewing, keyboard and mouse emulation, command execution, file system access, and the ability to shut down, restart, or lock the device. AGEWHEEZE is written in the Go programming language and establishes persistence through Windows registry startup entries, the Startup directory, or a scheduled task, using names designed to resemble legitimate system processes. All communications route over WebSocket connections to a command-and-control server hosted on infrastructure belonging to French cloud provider OVH. Supporting the phishing campaign, the attackers registered a counterfeit website at cert-ua[.]tech, a domain created on March 27, just one day into the distribution window, with content copied directly from the official CERT-UA website at cert[.]gov[.]ua alongside fabricated download instructions. Attribution was embedded in the AI-generated fake site's own HTML code, which contained a line reading: "With Love, CYBER SERP" alongside a Telegram channel link.
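The persistence behaviour described above (startup registry entries, the Startup folder or a scheduled task, each under a name chosen to resemble a legitimate Windows process) is something a defender can triage mechanically. The script below is an added example, not code from CERT-UA's advisory or from the Paubox article; it assumes the autorun entries have already been collected into a list of dicts (for example from the Run keys, the Startup folder and Task Scheduler) and flags entries whose name or image file resembles a system process while the image lives outside a Windows system directory. The process-name list and the sample entries are constructed for illustration.

```python
"""Triage Windows autorun entries for system-process lookalikes.

Added example; not CERT-UA's or Paubox's code. Input is assumed to be a
list of dicts with "source", "name" and "command" keys, as an autorun
collector would produce.
"""
import ntpath
import re

# Names attackers commonly borrow from real Windows processes
# (assumption: a starter list, not derived from the AGEWHEEZE samples).
SYSTEM_PROCESS_NAMES = {
    "svchost", "csrss", "lsass", "winlogon", "explorer", "dwm",
    "runtimebroker", "taskhostw", "conhost", "spoolsv", "wininit",
}

# Directories where genuine copies of those processes live.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


def image_path(command: str) -> str:
    """Extract the executable path from an autorun command line.

    Handles quoted paths ("C:\\Program Files\\x.exe" /arg) and bare paths
    (C:\\tmp\\x.exe /arg).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def normalized_base(path: str) -> str:
    """Lower-case file name without extension, e.g. 'svchost'."""
    return ntpath.splitext(ntpath.basename(path).lower())[0]


def resembles_system_process(name: str) -> bool:
    """True if the name is, or is a padded copy of, a Windows process name.

    Catches exact matches plus trailing padding such as 'svchost32'.
    """
    stem = re.sub(r"[\d_\-\s]+$", "", name.lower())
    return stem in SYSTEM_PROCESS_NAMES


def in_trusted_dir(path: str) -> bool:
    """True only when the image sits directly in a trusted directory."""
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def triage(entries):
    """Return entries that look like system-process impersonation.

    An entry is flagged when its display name or its image file name
    resembles a system process and the image is outside a trusted
    directory.
    """
    findings = []
    for entry in entries:
        path = image_path(entry["command"])
        lookalike = (resembles_system_process(entry["name"])
                     or resembles_system_process(normalized_base(path)))
        if lookalike and not in_trusted_dir(path):
            findings.append({**entry, "image": path})
    return findings


# Constructed sample data; not telemetry from the campaign.
SAMPLE_ENTRIES = [
    {"source": "HKCU\\...\\Run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": "HKCU\\...\\Run", "name": "svchost",
     "command": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"source": "Startup folder", "name": "RuntimeBroker32",
     "command": r'"C:\ProgramData\Update\RuntimeBroker32.exe"'},
    {"source": "Scheduled task", "name": "Windows Defender Check",
     "command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f['source']}] {f['name']} -> {f['image']}")
```

The check is deliberately narrow: a real svchost.exe launched from System32 by a task is not flagged, while the same name under a user profile or ProgramData is. Pair it with signature verification of the flagged image before acting on a hit.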

What was said

CERT-UA assessed the cyberattack as "unsuccessful," stating that no more than a few personal devices belonging to employees of educational institutions were identified as infected. The agency noted that the development of artificial intelligence greatly simplifies the execution of cyber threats, pointing to the attackers' use of an AI-generated phishing site as a direct illustration of that warning. CERT-UA recommended that organizations reduce their attack surface by configuring Software Restriction Policies and AppLocker and deploying specialized endpoint protection tools. The advisory was published on March 28, 2026.

In the know

Impersonating Ukrainian government agencies to distribute malware through phishing emails has been a persistent tactic across multiple threat groups operating in the conflict. According to The Hacker News, CERT-UA previously documented a campaign in which an unknown threat actor impersonated the Security Service of Ukraine to distribute a remote access tool called ANONVNC, infecting more than 100 computers, including those belonging to government bodies. In that campaign, attackers distributed a ZIP archive containing an MSI installer that deployed malware designed to provide stealthy unauthorized access to infected hosts. The pattern in both cases is consistent: attackers select the name of a Ukrainian institution that carries the highest authority in its domain to ensure that recipients are least likely to question instructions to download and install software.

The big picture

The CERT-UA impersonation campaign illustrates a tactic that applies well beyond Ukraine's conflict environment: targeting the institutions that organizations trust most for security guidance, and weaponizing that trust to deliver malware. Healthcare organizations are among the most vulnerable to this type of attack because they operate under strict regulatory obligations and routinely receive communications from government agencies, compliance authorities, and regulatory bodies. According to Paubox's Top 3 Healthcare Email Attacks report, impersonation attacks succeed because "email still treats identity as trustworthy by default," and healthcare workflows amplify that risk because urgent requests and vendor or authority communications are routine. Microsoft's Digital Defense Report, cited in the same Paubox research, states that "attackers increasingly exploit trust in familiar identities, such as executives and vendors, rather than relying on malicious attachments or links." When the impersonated identity is a cybersecurity agency itself, employees are less likely to apply the same skepticism they might direct at a less authoritative sender.

FAQs

What is a remote access trojan and why is AGEWHEEZE particularly dangerous?

A remote access trojan is malware that gives an attacker full, hidden control over an infected device, including screen access, keyboard input, file operations, and command execution. AGEWHEEZE is purpose-built for persistent covert control, establishes itself through multiple persistence mechanisms to survive reboots, and routes all communications through obfuscated WebSocket channels, making detection more difficult.

How did the attackers make the fake CERT-UA website convincing?

The attackers registered a lookalike domain, cert-ua[.]tech, on the second day of the campaign, populated it with content copied directly from the official CERT-UA website, and added fabricated instructions for downloading the malicious archive. The site was generated using artificial intelligence, which CERT-UA noted greatly lowers the barrier to creating convincing impersonation infrastructure.

Why were medical centers specifically targeted in this campaign?

Healthcare and medical organizations hold sensitive records and often operate under government compliance frameworks that require them to act quickly on official guidance. Including medical centers in a campaign impersonating a national cybersecurity authority increases the likelihood that staff will treat the download instruction as mandatory rather than optional.

How did CERT-UA attribute the attack so quickly?

Attribution was embedded in the attackers' own work. A line of HTML code on the AI-generated fake website read "With Love, CYBER SERP" and included a link to the group's Telegram channel, where they subsequently posted a message claiming responsibility for the campaign on March 28, the day after it launched.

What steps can organizations take to verify communications that appear to come from government cybersecurity agencies?

Organizations should verify the sending domain against the agency's official domain before taking any action on an email. Legitimate cybersecurity agencies distribute guidance through official government domains and do not use file-sharing platforms to deliver security software. Establishing internal verification procedures for software installation requests, regardless of the apparent sender authority, reduces the risk of social engineering attacks that exploit institutional trust.
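The three checks in that answer (the sending domain against the agency's official domain, lookalike domains built from the agency's name, and links to file-sharing hosts instead of the agency's own site) can be written down as a small mail-triage routine. The code below is an added example, not part of the Paubox article or CERT-UA's advisory. It assumes one official domain per agency (cert.gov.ua for CERT-UA, as the article names it) and a list of file-sharing hosts; files.fm comes from the article, the other hosts and the sample messages are constructed.

```python
"""Sender and link checks for mail claiming to come from a security agency.

Added example; not code from the article or from CERT-UA. Assumes a
message is a dict with "from" and "body" keys.
"""
import re
from email.utils import parseaddr

# Official domain per agency (cert.gov.ua is named in the article).
OFFICIAL_DOMAINS = {"CERT-UA": "cert.gov.ua"}

# File-sharing hosts an agency would not use to distribute tooling.
# files.fm is from the article; the other two are constructed placeholders.
FILE_SHARING_HOSTS = {"files.fm", "example-share.test", "example-drop.test"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name.

    'CERT-UA <alerts@cert-ua.tech>' -> 'cert-ua.tech'
    """
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_official(domain: str, official: str) -> bool:
    """True for the official domain itself or any subdomain of it."""
    return domain == official or domain.endswith("." + official)


def _squash(text: str) -> str:
    """Strip everything but letters and digits: 'cert-ua.tech' -> 'certuatech'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_lookalike(domain: str, agency: str, official: str) -> bool:
    """Domain contains the agency name or the official domain's letters,
    catching 'cert-ua.tech' and 'cert.gov.ua.attacker.test' alike."""
    squashed = _squash(domain)
    return _squash(agency) in squashed or _squash(official) in squashed


def linked_hosts(body: str) -> set:
    """Hostnames of every http(s) URL in the body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)}


def assess(message: dict, agency: str) -> list:
    """Return human-readable findings; an empty list means no concern."""
    official = OFFICIAL_DOMAINS[agency]
    domain = sender_domain(message["from"])
    findings = []
    if not is_official(domain, official):
        findings.append(f"sender domain {domain} is not under {official}")
        if is_lookalike(domain, agency, official):
            findings.append(f"sender domain {domain} imitates {agency}")
    for host in sorted(linked_hosts(message["body"]) & FILE_SHARING_HOSTS):
        findings.append(f"links to file-sharing host {host}")
    return findings


# Constructed sample messages; the addresses and URLs are not from the campaign.
SAMPLE_MESSAGES = [
    {"from": "CERT-UA <alerts@cert-ua.tech>",
     "body": "Install the protection tool: https://files.fm/u/constructed-id"},
    {"from": "CERT-UA <cert@cert.gov.ua>",
     "body": "Guidance is published at https://cert.gov.ua/"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg, "CERT-UA") or ["no findings"])
```

The display name is ignored on purpose: "CERT-UA" in the From header is exactly what an impersonator controls, so only the address domain is compared. The lookalike test is a string heuristic and will also flag benign domains that happen to contain the agency's letters; treat its output as a reason to verify through the agency's published site, not as a verdict.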
