
Phishing Campaign Spoofs Ukrainian CERT to Deploy AGEWHEEZE RAT

Severity: Medium (Score: 58.0)

Sources: Scworld, Thecyberexpress

Summary

Between March 26 and 27, 2026, a phishing campaign targeted Ukrainian institutions, including government entities, healthcare providers, and educational institutions, by spoofing the Computer Emergency Response Team of Ukraine (CERT-UA). Attackers sent emails impersonating CERT-UA staff, urging recipients to download a password-protected ZIP file containing the AGEWHEEZE Remote Access Trojan (RAT). The phishing emails were accompanied by a counterfeit website, cert-ua[.]tech, which mimicked the official CERT-UA site. AGEWHEEZE provides attackers with extensive control over infected machines, including real-time input emulation and file system operations. CERT-UA reported that the campaign was largely unsuccessful, impacting only a limited number of personal devices. The malicious software was distributed via links to a file-sharing service and was designed to establish persistence on infected systems. The attack highlights ongoing cybersecurity threats faced by Ukraine amid its geopolitical situation.

Key Points:

  • Phishing emails impersonated CERT-UA to distribute AGEWHEEZE RAT.
  • The counterfeit website cert-ua[.]tech was created to support the attack.
  • The campaign primarily targeted government and healthcare sectors in Ukraine.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • files.fm (domain)
  • Education (company)
  • Financial (industry)
  • Government (industry)
  • Healthcare (industry)
  • Agewheeze (malware)
  • Agewheeze RAT (malware)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1547.001 - Registry Run Keys / Startup Folder (mitre_attack)
  • T1547 - Boot Or Logon Autostart Execution (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • Windows (platform)