AGEWHEEZE RAT

Cybersecurity analysts have uncovered a phishing operation in which threat actors impersonated the Computer Emergency Response Team of Ukraine (CERT-UA) to distribute a remote access trojan known as AGEWHEEZE. The campaign, attributed to the group UAC-0255, relied on deceptive emails sent on March 26 and 27, 2026, urging recipients to install what was described as 'specialized software.'

These emails contained links to a password-protected ZIP archive hosted on the file-sharing service Files.fm; the password also keeps the archive's contents from being inspected by mail and web gateways. The archive, named CERT_UA_protection_tool.zip, was presented as a legitimate security utility but instead delivered the malicious payload. Some messages were sent from 'incidents@cert-ua.tech,' an address on a lookalike domain chosen to resemble CERT-UA, further reinforcing the illusion of authenticity.

Target Profile and Attack Reach

The operation cast a wide net, targeting a diverse range of organizations critical to national infrastructure and public services. These included:

  • Government and state institutions
  • Medical and healthcare facilities
  • Security and defense-related companies
  • Educational organizations
  • Financial institutions
  • Software development firms

Despite the broad targeting strategy, the overall effectiveness of the campaign appears limited. Only a small number of infections were confirmed, primarily affecting personal devices of employees within educational institutions.

Inside AGEWHEEZE: Capabilities and Persistence Mechanisms

AGEWHEEZE is a Go-based remote access trojan engineered for extensive system control and surveillance. Once deployed, it communicates with a command-and-control server at 54.36.237.92 over WebSocket.

The malware enables attackers to perform a wide spectrum of malicious activities, including:

  • Executing arbitrary commands and managing system processes
  • Conducting file operations and manipulating stored data
  • Capturing screenshots and monitoring user activity
  • Emulating mouse and keyboard inputs
  • Altering clipboard contents
  • Maintaining persistence via scheduled tasks, Windows Registry modifications, or Startup directory placement

This combination of features makes AGEWHEEZE a versatile tool for espionage, lateral movement, and long-term system compromise.
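As an added example (not code from this page, from CERT-UA, or from the group analysed), the Python script below applies the indicators reported above, the sender incidents@cert-ua.tech, the lure domain cert-ua.tech, the archive CERT_UA_protection_tool.zip hosted on Files.fm, and the WebSocket C2 at 54.36.237.92, to mail-gateway and web-proxy log lines, and generalises the sender check to any domain that imitates CERT-UA. The key=value log format, the sample lines, and the lookalike domain cert-ua-update.example are constructed for the example; the genuine CERT-UA domain is assumed to be cert.gov.ua.

```python
"""Indicator triage for the AGEWHEEZE phishing campaign described above.
Added example: not code from the page, from CERT-UA or from the group analysed.
The log format and sample lines below are constructed, not real telemetry."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators taken from the write-up.
C2_IP = "54.36.237.92"
LURE_SENDER = "incidents@cert-ua.tech"
LURE_ARCHIVE = "CERT_UA_protection_tool.zip"
HOSTING_DOMAIN = "files.fm"
# Assumption: the genuine CERT-UA domain, used to tell lookalikes from the real one.
LEGIT_DOMAIN = "cert.gov.ua"

# Constructed sample records (key=value, quoted values allowed).
MAIL_LOG = [
    '2026-03-26T09:12:03Z from=incidents@cert-ua.tech to=staff@example.org '
    'subject="Install specialized protection software" '
    'url=https://files.fm/f/example/CERT_UA_protection_tool.zip',
    '2026-03-26T09:40:11Z from=newsletter@example.com to=staff@example.org '
    'subject="Weekly digest" url=https://www.example.com/digest',
    # Hypothetical lookalike domain (not from the page) to exercise the generalised check.
    '2026-03-27T08:05:52Z from=alerts@cert-ua-update.example to=it@example.org '
    'subject="Urgent update" url=https://cert-ua-update.example/tool',
]
PROXY_LOG = [
    '2026-03-27T09:58:10Z src=10.0.0.21 dst=files.fm:443 method=GET '
    'host=files.fm path=/f/example/CERT_UA_protection_tool.zip',
    '2026-03-27T10:01:44Z src=10.0.0.21 dst=54.36.237.92:443 method=GET '
    'host=54.36.237.92 path=/ upgrade=websocket',
    '2026-03-27T10:03:00Z src=10.0.0.22 dst=203.0.113.5:443 method=GET '
    'host=www.example.com path=/',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value and key="quoted value" pairs from one record."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def looks_like_cert_ua(domain: str) -> bool:
    """True for domains imitating CERT-UA (cert-ua.tech, certua-..., cert.ua...)
    that are not the genuine domain or one of its subdomains. Everything but
    letters is stripped first, so 'cert-ua', 'cert.ua' and 'certua' all
    collapse to 'certua'."""
    d = domain.lower()
    if not d or d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN):
        return False
    return "certua" in re.sub(r"[^a-z]", "", d)


def check_mail(line: str) -> List[str]:
    """Reasons a mail-gateway record matches the campaign; empty if clean."""
    f = parse_kv(line)
    hits: List[str] = []
    sender = f.get("from", "").lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if sender == LURE_SENDER:
        hits.append("known lure sender")
    elif looks_like_cert_ua(sender_domain):
        hits.append(f"CERT-UA lookalike sender domain {sender_domain}")
    url = urlsplit(f.get("url", ""))
    host, path = (url.hostname or "").lower(), url.path
    on_host = host == HOSTING_DOMAIN or host.endswith("." + HOSTING_DOMAIN)
    if on_host and path.lower().endswith(".zip"):
        hits.append("link to ZIP archive on file-sharing host")
    if path.rsplit("/", 1)[-1] == LURE_ARCHIVE:
        hits.append("known lure archive name")
    if looks_like_cert_ua(host):
        hits.append(f"link to CERT-UA lookalike host {host}")
    return hits


def check_proxy(line: str) -> List[str]:
    """Reasons a web-proxy record matches the campaign; empty if clean."""
    f = parse_kv(line)
    hits: List[str] = []
    dst_ip = f.get("dst", "").rsplit(":", 1)[0]   # strip the port
    host = f.get("host", "").lower()
    path = f.get("path", "")
    if dst_ip == C2_IP:
        hits.append("connection to AGEWHEEZE C2 IP")
        if f.get("upgrade", "").lower() == "websocket":
            hits.append("WebSocket upgrade to C2 (reported C2 transport)")
    if looks_like_cert_ua(host):
        hits.append(f"request to CERT-UA lookalike host {host}")
    if path.rsplit("/", 1)[-1] == LURE_ARCHIVE:
        hits.append("download of known lure archive")
    return hits


def triage(mail_lines: List[str], proxy_lines: List[str]) -> Dict[str, List[str]]:
    """Map each matching record to its reasons; clean records are omitted."""
    report: Dict[str, List[str]] = {}
    for line in mail_lines:
        if hits := check_mail(line):
            report[line] = hits
    for line in proxy_lines:
        if hits := check_proxy(line):
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, reasons in triage(MAIL_LOG, PROXY_LOG).items():
        print(line[:60] + "...")
        for reason in reasons:
            print("   -", reason)
```

The lookalike check is deliberately broader than the single domain on the page: it also catches the same string with different punctuation or a different TLD, while the genuine cert.gov.ua and its subdomains are excluded up front. In production the C2 address would be matched against a feed rather than a single constant, since the IP can change while the WebSocket transport and the lure naming stay the same.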

Deceptive Infrastructure and AI-Assisted Fabrication

Investigation into the fraudulent domain 'cert-ua.tech' revealed indicators of automated or AI-assisted development. The website's HTML source code contained a notable comment in Russian: 'С Любовью, КИБЕР СЕРП' ('With Love, CYBER SERP'), suggesting attribution to a group calling itself Cyber Serp.

Cyber Serp has claimed affiliation with Ukrainian cyber-underground circles via its Telegram channel, which was established in November 2025 and has accumulated over 700 subscribers. The group publicly asserted that the phishing campaign targeted up to one million email accounts and resulted in over 200,000 compromised devices, figures that significantly exceed independent assessments.

Conflicting Claims and Broader Threat Activity

Cyber Serp has attempted to position itself as a selective actor, claiming that ordinary citizens would not be impacted by its operations. However, such statements are inconsistent with the indiscriminate nature of large-scale phishing campaigns.

In a separate incident, the group claimed responsibility for breaching Cipher, alleging access to server data, client databases, and proprietary source code. Cipher later confirmed a limited compromise involving an employee's credentials but emphasized that:

  • Core infrastructure remained secure and operational
  • The affected account had access to only a single, non-sensitive project

This discrepancy highlights a common tactic among threat actors: exaggerating impact to amplify perceived influence and credibility.

Assessment and Security Implications

The campaign demonstrates the continued effectiveness of impersonation tactics, particularly when leveraging trusted national cybersecurity entities. While the immediate impact was contained, the technical sophistication of AGEWHEEZE and the scale of attempted distribution signal a persistent and evolving threat landscape.

Organizations are advised to reinforce email verification processes, scrutinize unsolicited links and downloadable archives (password-protected archives in particular, since gateways cannot inspect their contents), confirm unexpected communications attributed to CERT-UA through its official contact channels rather than the details given in the message, and educate personnel on recognizing impersonation attempts involving authoritative institutions.
