Apr 01, 2026 • The Hacker News
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Executive Summary
Threat actors tracked as UAC-0255 conducted a large-scale phishing campaign impersonating Ukraine's Computer Emergency Response Team (CERT-UA). The attackers distributed approximately 1 million emails on March 26-27, 2026, delivering a password-protected ZIP archive that carried the AGEWHEEZE remote administration tool (RAT). The lure exploits trust in a national cybersecurity agency: a recipient who would ignore an unknown sender is more likely to open an archive that appears to come from CERT-UA, and the password protection keeps the archive's contents out of reach of gateway content scanners. A RAT of this kind gives the operators remote access to the compromised host, the usual starting point for data theft and lateral movement. Organizations should implement robust email filtering (including flagging encrypted archives that the filter cannot inspect), verify sender authenticity through a secondary channel such as the agency's published contact details, and train employees to recognize impersonation attempts. Security teams should monitor for password-protected ZIP downloads and for unusual outbound connections indicative of RAT activity.
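Two of the checks recommended above can be scripted at the gateway or in a SOC triage tool: does a message that invokes CERT-UA actually come from the agency's domain with aligned, DMARC-passing authentication, and does it carry a password-protected ZIP? The following is an added example, not code from the article, from CERT-UA or from the campaign. It assumes (labelled in the code) that the legitimate sender domain is cert.gov.ua, that a hypothetical gateway mx.example.org stamps the Authentication-Results header, and it works on constructed messages and a hand-built ZIP whose general-purpose flag bit 0 (encryption) is set; nothing in it is a real campaign sample.

```python
"""Triage of an inbound e-mail that claims to come from CERT-UA (added example).

Assumptions: legitimate sender domain cert.gov.ua; Authentication-Results stamped
by a hypothetical gateway mx.example.org; all messages and archives constructed.
"""
import io
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_SENDER_DOMAINS = {"cert.gov.ua"}  # assumption: the agency's real domain


def _domain(header_value):
    """Lower-cased domain of the address in a From/Return-Path header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def zip_is_encrypted(data):
    """True if any entry sets general-purpose flag bit 0 (traditional PKWARE encryption).

    Only the central directory is parsed; nothing is extracted, so this is safe
    to run on untrusted attachments. Non-ZIP input returns False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw_message):
    """Findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_hdr = str(msg["From"] or "")
    from_domain, rp_domain = _domain(from_hdr), _domain(msg["Return-Path"])
    auth = str(msg["Authentication-Results"] or "").lower()
    trusted = from_domain in TRUSTED_SENDER_DOMAINS
    # Display name borrows the agency's name but the address is somewhere else.
    if not trusted and "cert-ua" in from_hdr.lower():
        findings.append(f"display name invokes CERT-UA but From domain is {from_domain!r}")
    # Genuine agency mail should have an aligned envelope sender and a DMARC pass.
    if trusted and rp_domain != from_domain:
        findings.append(f"From {from_domain!r} not aligned with Return-Path {rp_domain!r}")
    if trusted and "dmarc=pass" not in auth:
        findings.append("trusted From domain without a dmarc=pass verdict from the gateway")
    # Encrypted archives cannot be content-scanned; flag them for a human.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_is_encrypted(payload):
            findings.append(f"password-protected ZIP attachment {part.get_filename()!r}")
    return findings


def build_encrypted_zip_sample(name=b"Recommendations.exe", payload=b"\x00" * 24):
    """Constructed one-entry ZIP with the encryption flag set (layout per APPNOTE.TXT)."""
    flags, method, crc = 0x0001, 0, zlib.crc32(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, len(payload), len(payload), len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                          crc, len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_spoofed_message():
    """Constructed lure: CERT-UA display name, unrelated sender domain, encrypted ZIP."""
    m = EmailMessage()
    m["From"] = "CERT-UA <alerts@mail-notify.example>"
    m["Return-Path"] = "<bounce@mail-notify.example>"
    m["Authentication-Results"] = "mx.example.org; spf=pass smtp.mailfrom=mail-notify.example; dmarc=none"
    m["Subject"] = "Recommendations on cyber hygiene"
    m.set_content("Please review the attached recommendations.")
    m.add_attachment(build_encrypted_zip_sample(), maintype="application",
                     subtype="zip", filename="Recommendations.zip")
    return m.as_bytes()


def build_clean_message():
    """Constructed aligned, DMARC-passing message from the assumed agency domain."""
    m = EmailMessage()
    m["From"] = "CERT-UA <cert@cert.gov.ua>"
    m["Return-Path"] = "<cert@cert.gov.ua>"
    m["Authentication-Results"] = ("mx.example.org; spf=pass smtp.mailfrom=cert.gov.ua; "
                                   "dkim=pass header.d=cert.gov.ua; dmarc=pass header.from=cert.gov.ua")
    m["Subject"] = "Advisory"
    m.set_content("Plain-text advisory, no attachment.")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_spoofed_message()):
        print("FLAG:", finding)
    print("clean message findings:", triage(build_clean_message()))
```

The encryption check deliberately reads only the ZIP central directory and never extracts, so it is safe against archives designed to misbehave on extraction. The DMARC verdict is taken from the gateway's own Authentication-Results header rather than re-evaluated, which is the right division of labour only if that header is stripped from inbound mail before the gateway stamps its own; otherwise an attacker can supply a forged "dmarc=pass".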
Summary
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive
Linked Entities
- AGEWHEEZE
- UAC-0255