CERT-UA Impersonation Campaign Spreads AGEWHEEZE Malware via Mass Phishing

A large-scale phishing campaign has been uncovered in which attackers impersonated Ukraine’s cybersecurity agency, CERT-UA, to distribute malware known as AGEWHEEZE. The operation, attributed to a threat group tracked as UAC-0255, involved sending malicious emails on March 26–27, 2026, targeting a wide range of sectors including government bodies, financial institutions, educational organizations, and software companies.

The attackers used deceptive emails posing as official communication from CERT-UA, urging recipients to download a password-protected ZIP file hosted online. The file, disguised as “specialized software,” delivered a remote access trojan once executed, giving attackers extensive control over infected systems.

AGEWHEEZE, developed in the Go programming language, is capable of executing commands, managing files, capturing screenshots, modifying clipboard data, and even simulating mouse and keyboard activity. It communicates with external servers using WebSockets and can establish persistence by modifying system settings such as the Windows Registry or startup processes.

To increase credibility, the attackers used spoofed email addresses and even created a fake website mimicking CERT-UA. Analysis revealed that parts of the fraudulent site may have been generated using artificial intelligence tools, highlighting the growing role of AI in crafting sophisticated phishing infrastructure.

Despite the campaign’s scale—reportedly targeting up to one million email accounts—the actual impact appears limited. CERT-UA stated that only a small number of personal devices were successfully infected, primarily belonging to employees in educational institutions.

The threat actors behind the campaign also claimed responsibility via a Telegram channel, stating that over 200,000 systems had been compromised, although these figures have not been independently verified.

This incident underscores the increasing sophistication of phishing attacks, where adversaries exploit trusted institutions and leverage AI-assisted tools to enhance deception. It also highlights the importance of user awareness and cautious handling of unsolicited emails, especially those prompting software downloads or urgent actions.
