CERT-UA Clone Site Spreads Go-Based RAT
Key Takeaways
- A sophisticated phishing campaign, identified as UAC-0255, leveraged a meticulously crafted fake version of Ukraine’s CERT-UA website.
- The attackers distributed a Go-based Remote Access Trojan (RAT) named AGEWHEEZE, disguised as a “protection tool.”
- The campaign primarily targeted Ukrainian government, medical, educational, and financial sectors, though its spread was limited.
- The AGEWHEEZE RAT establishes persistence and offers extensive remote control capabilities, including screenshot capture, file management, and command execution.
Cyber Threat Actors Impersonate Ukraine’s CERT-UA, Deploy Go-Based RAT
Cybersecurity analysts have uncovered a targeted campaign, now designated UAC-0255, that utilized a highly convincing replica of Ukraine’s official Computer Emergency Response Team (CERT-UA) website. The elaborate scheme aimed to trick various Ukrainian organizations into downloading a potent remote access Trojan (RAT).
Phishing Campaign and Malware Distribution
The attack unfolded on March 26 and 27, 2026, with numerous entities receiving fraudulent emails purportedly from CERT-UA. These messages instructed recipients to download a password-protected archive, either “CERT_UA_protection_tool.zip” or “protection_tool.zip,” from the file-sharing service Files.fm. Password protection is a common way to keep mail-gateway scanners from inspecting an archive's contents. The emails falsely claimed the archive contained an essential security tool requiring immediate installation.
The targeted sectors were broad, encompassing government agencies, medical facilities, security firms, educational institutions, financial organizations, and software development companies. Upon investigation, CERT-UA analysts confirmed that the purported protection tool was, in fact, the malicious AGEWHEEZE RAT, a full-featured remote access Trojan developed in the Go programming language.
The command-and-control (C2) server for AGEWHEEZE was traced to an IP address hosted by the French internet company OVH. CERT-UA formally documented this incident under the reference CERT-UA#21075.
Deceptive Infrastructure and Attribution
To enhance the credibility of their phishing emails, the attackers registered the domain cert-ua[.]tech and constructed a mirror site of the legitimate CERT-UA portal (cert.gov.ua). This fake website included download links and installation instructions for the malware.
The SSL certificate for the fraudulent site was generated on March 27, 2026, just hours before the phishing emails began circulating. The site was subsequently taken offline shortly after the campaign’s discovery. Investigators examining the HTML source code of the fake site discovered a message stating “With Love, CYBER SERP” and a link to a Telegram channel.
On March 28, 2026, the group posted in the linked Telegram channel, openly claiming responsibility for the operation. This public acknowledgment solidified attribution and led to the creation of the UAC-0255 tracking identifier for the threat actor.
Despite the sophistication of the attack, CERT-UA reported that the campaign did not achieve widespread success. Only a limited number of personal devices belonging to staff at educational institutions were found to be compromised. The national response team acted swiftly to provide both technical assistance and practical guidance to affected organizations.
AGEWHEEZE: Installation and Capabilities
Once executed, AGEWHEEZE copies itself into the user's AppData directory, typically as %APPDATA%\SysSvc\SysSvc.exe or %APPDATA%\service\service.exe. For persistence across reboots, the malware creates a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and registers scheduled tasks named “SvcHelper” and “CoreService.” Neither mechanism requires administrative rights: a standard user can write to their own Run key and register tasks that run under their own account, which is why this user-level persistence works on unmanaged personal devices. Together these methods give the RAT a stable foothold on the compromised system.
After achieving persistence, AGEWHEEZE initiates communication with its C2 server at 54[.]36.237.92 over port 8443, utilizing WebSockets for real-time, bidirectional interaction. The malware is equipped with a comprehensive suite of capabilities, allowing it to capture screenshots, simulate mouse and keyboard input, manage files and directories, enumerate and terminate active processes, control system services, read and write clipboard data, open URLs, execute terminal commands, and perform system power actions like shutdown, restart, or lock.
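As an added example (not code from CERT-UA, HackersRadar, or the malware authors), the following Python script turns the persistence and C2 indicators described above into a small hunting routine over Windows telemetry. It assumes events have been normalised into records using Sysmon field names (EventID 11 file creation, 13 registry value set, 3 network connection) plus the Security log's task-creation event 4698; the host names, SIDs, user name and all sample events are constructed. Beyond the atomic indicators from the report, it adds a behavioural rule for an AppData-resident binary connecting outbound on 8443, so it still fires if the operators rotate the C2 address.

```python
"""Hunt for AGEWHEEZE (UAC-0255) persistence and C2 artifacts in Windows telemetry.

Added example, not CERT-UA's or HackersRadar's code. Events are expected as
dicts using Sysmon field names (EventID 3/11/13) or Security log 4698; the
sample records at the bottom are constructed, not real logs.
"""
import re

# Indicators stated in the CERT-UA report (CERT-UA#21075).
C2_IP = "54.36.237.92"
C2_PORT = 8443
TASK_NAMES = {"svchelper", "coreservice"}
# Drop paths relative to %APPDATA% (Roaming on a default profile).
DROP_RE = re.compile(r"\\AppData\\Roaming\\(SysSvc\\SysSvc|service\\service)\.exe$", re.I)
# Sysmon logs HKCU as HKU\<SID>; accept either spelling of the Run key.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\", re.I)

PERSISTENCE = {"dropped_payload", "run_key_persistence", "scheduled_task_persistence"}
C2 = {"c2_connect", "appdata_egress_8443"}


def classify(ev):
    """Return the indicator names a single event matches (empty list = nothing of note)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11 and DROP_RE.search(ev.get("TargetFilename", "")):
        hits.append("dropped_payload")
    if eid == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
        # Only alert when the Run value points at the reported drop path. Any Run value
        # into AppData would be noisy: per-user installers (Teams, Discord) do the same.
        if DROP_RE.search(ev.get("Details", "").strip('"')):
            hits.append("run_key_persistence")
    if eid == 4698 and ev.get("TaskName", "").lstrip("\\").lower() in TASK_NAMES:
        hits.append("scheduled_task_persistence")
    if eid == 3 and str(ev.get("Initiated", "true")).lower() == "true":
        port = int(ev.get("DestinationPort", 0))
        if ev.get("DestinationIp") == C2_IP and port == C2_PORT:
            hits.append("c2_connect")
        elif port == C2_PORT and APPDATA_RE.search(ev.get("Image", "")):
            # Behavioural fallback for a rotated C2 address: an AppData-resident binary
            # talking outbound on 8443 is what this RAT looks like on the wire.
            hits.append("appdata_egress_8443")
    return hits


def hunt(events):
    """Group hits per host; a host is 'likely infected' when persistence and C2 both appear."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.get("Computer", "?"), set()).add(hit)
    return {
        host: {"indicators": sorted(hits),
               "likely_infected": bool(hits & PERSISTENCE) and bool(hits & C2)}
        for host, hits in per_host.items()
    }


# Constructed sample telemetry (not real logs). WS-1 shows the full chain; WS-2 has only
# a legitimate Run-key entry and an unrelated 8443 connection, which must stay quiet.
SAMPLE_EVENTS = [
    {"Computer": "WS-1", "EventID": 11, "Image": r"C:\Users\olena\Downloads\protection_tool.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\SysSvc\SysSvc.exe"},
    {"Computer": "WS-1", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SysSvc",
     "Details": r"C:\Users\olena\AppData\Roaming\SysSvc\SysSvc.exe"},
    {"Computer": "WS-1", "EventID": 4698, "TaskName": r"\SvcHelper"},
    {"Computer": "WS-1", "EventID": 3, "Image": r"C:\Users\olena\AppData\Roaming\SysSvc\SysSvc.exe",
     "Initiated": "true", "DestinationIp": "54.36.237.92", "DestinationPort": "8443"},
    {"Computer": "WS-2", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"Computer": "WS-2", "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "8443"},
]

if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Port 8443 on its own is a weak indicator (it is a common alternative HTTPS port), which is why the fallback rule also requires an image under AppData. Event 4698 is only written when the “Audit Other Object Access Events” subcategory is enabled; where it is not, look instead for Sysmon EventID 11 file creations under C:\Windows\System32\Tasks\ bearing the two task names.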
The C2 management panel, which the operators referred to as “The Cult,” was protected by an authentication form. Russian-language text discovered within the HTML source code of this panel further supports the attribution to the group behind the operation.
What You Should Do
- Implement application control such as Software Restriction Policies (SRP) or AppLocker on all endpoints so that unauthorized executables cannot run; in particular, deny execution from user-writable locations such as %APPDATA%, since that is where this RAT installs itself.
- Reduce the overall attack surface at both the network perimeter and on individual devices through robust security configurations and patch management.
- Educate employees on the dangers of phishing. Emphasize extreme caution when receiving unexpected emails that urge software downloads, especially if they claim to originate from government bodies or trusted cybersecurity authorities.
- Verify the authenticity of any unexpected requests for software installation by contacting the purported sender through an independently confirmed channel, not by replying to the suspicious email.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.