Hackers Clone CERT-UA Site to Deploy Go-Based Trick Victims

Marcus Rodriguez
April 2, 2026

A threat group recently deployed a highly convincing fake version of Ukraine’s official cybersecurity authority website. The deceptive site’s purpose is to trick unsuspecting targets into downloading a dangerous remote access tool.

The campaign, now tracked under the identifier UAC-0255, relied on a mix of phishing emails and a cloned government website to push malware onto the computers of government workers, medical staff, and professionals across multiple industries in Ukraine.

The attack unfolded on March 26 and 27, 2026, when a wide range of organizations began receiving emails that appeared to come directly from CERT-UA — Ukraine’s national computer emergency response team.

The messages told recipients to download a password-protected archive named “CERT_UA_protection_tool.zip” or “protection_tool.zip” from the file-sharing service Files.fm, with the claim that it held a specialized security tool requiring immediate installation. 

The targeted sectors included government agencies, medical centers, security firms, educational institutions, financial organizations, and software development companies.

CERT-UA analysts identified the scheme and confirmed that the file presented as a protection tool was, in reality, a dangerous piece of malware.

The executable hidden inside the archive turned out to be AGEWHEEZE — a full-featured remote access trojan built with the Go programming language.

The team traced its command-and-control (C2) server to an IP address hosted by the French internet company OVH and formally documented the incident under case reference CERT-UA#21075.

To make the phishing emails look legitimate, the attackers also registered the domain cert-ua[.]tech and built a fake website that mirrored the official CERT-UA site at cert.gov.ua, with download links and installation instructions. 

The fraudulent site’s SSL certificate was created on March 27, 2026, just hours before the emails started circulating, and the page was taken down shortly after.

Buried inside the site’s HTML source code, investigators found a message reading “With Love, CYBER SERP,” along with a link to a Telegram channel.

On March 28, 2026, the group published a post in that same channel claiming full responsibility, which removed all uncertainty around attribution and led to the creation of the UAC-0255 tracking identifier.

CERT-UA confirmed that the overall attack failed to spread widely. Only a small number of personal devices belonging to staff at educational institutions were found to be infected.

The response team acted quickly to provide both technical assistance and practical guidance to the affected organizations.

How AGEWHEEZE Installs Itself and Stays Hidden

Once a victim runs the installer, AGEWHEEZE places itself inside the AppData folder using paths such as %APPDATA%\SysSvc\SysSvc.exe or %APPDATA%\service\service.exe.

The malware then writes registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and registers scheduled tasks named “SvcHelper” and “CoreService” to make sure it keeps running even after the machine is restarted.

These persistence methods give the attacker a stable foothold on the infected system.

Once persistence is in place, AGEWHEEZE connects to its C2 server at 54[.]36.237.92 over port 8443 using WebSockets for live, two-way communication.
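The persistence and C2 artefacts above map directly onto endpoint telemetry. The following detection pass is an added example, not code from the article or from CERT-UA: it checks Sysmon-style event records (plus a Security-log task-creation event) for the reported file paths, Run-key values, scheduled task names and C2 endpoint; the sample records are constructed for illustration.

```python
import re

# Added example, not from the article or CERT-UA. %APPDATA% normally resolves to
# <profile>\AppData\Roaming, which the path rule relies on; field names follow the
# Sysmon schema, but every record in SAMPLE_EVENTS is constructed, not captured.
IMPLANT_PATH = re.compile(
    r"\\AppData\\Roaming\\(SysSvc\\SysSvc|service\\service)\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE)
TASK_NAMES = {"svchelper", "coreservice"}
C2_ENDPOINT = ("54.36.237.92", 8443)  # reported C2 address and port


def check_event(ev):
    """Return (rule, detail) findings for one event; an empty list means no match."""
    eid = ev.get("EventID")
    hits = []
    if eid == 1 and IMPLANT_PATH.search(ev.get("Image", "")):  # process create
        hits.append(("agewheeze_process", ev["Image"]))
    if eid == 11 and IMPLANT_PATH.search(ev.get("TargetFilename", "")):  # file create
        hits.append(("agewheeze_dropped_file", ev["TargetFilename"]))
    if eid == 13 and RUN_KEY.match(ev.get("TargetObject", "")):  # Run-key value set
        if IMPLANT_PATH.search(ev.get("Details", "")):
            hits.append(("agewheeze_run_key", ev["TargetObject"]))
    if eid == 4698:  # Security log: scheduled task created
        if ev.get("TaskName", "").lstrip("\\").lower() in TASK_NAMES:
            hits.append(("agewheeze_scheduled_task", ev["TaskName"]))
    if eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) == C2_ENDPOINT:
        hits.append(("agewheeze_c2_connection", "%s:%d" % C2_ENDPOINT))
    return hits


def scan(events):
    """Run check_event over a batch; returns (event index, rule, detail) tuples."""
    return [(i, rule, detail) for i, ev in enumerate(events)
            for rule, detail in check_event(ev)]


# Constructed sample records: the first four are malicious, the last two benign.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\SysSvc\SysSvc.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\SysSvc",
     "Details": r"C:\Users\alice\AppData\Roaming\SysSvc\SysSvc.exe"},
    {"EventID": 4698, "TaskName": r"\SvcHelper"},
    {"EventID": 3, "DestinationIp": "54.36.237.92", "DestinationPort": 8443},
    {"EventID": 1, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags the dropped file, the Run-key value, the SvcHelper task and the C2 connection, and leaves the Firefox launch and the OneDrive Run entry alone because the latter lives under AppData\Local rather than the reported Roaming path.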

The malware packs a broad set of capabilities — it can capture screenshots, simulate mouse clicks and keyboard input, manage files and directories, list and kill active processes, control system services, read and write clipboard data, open URLs, run terminal commands, and even perform power actions like shutdown, restart, or lock.

The C2 management panel, which the operators named “The Cult,” sat behind an authentication form, and Russian-language text found in its HTML source code pointed further toward the identity of the group running the operation.

Organizations are strongly advised to configure application control tools like SRP or AppLocker on all endpoints to stop unauthorized executables from running.

Reducing the overall attack surface at both the network perimeter and on individual devices is equally important.

Employees should treat any unexpected email urging software downloads with caution, especially when the message claims to be from a government body or a trusted cybersecurity authority.
