Hackers have launched a targeted phishing campaign by cloning Ukraine’s official CERT-UA website and distributing malicious software disguised as a security tool, according to a new alert from the national cyber response team.
Targets included government agencies, financial institutions, educational bodies, medical centers, and IT companies.
The emails urged recipients to download a password-protected archive labeled “CERT_UA_protection_tool.zip” or “protection_tool.zip” from the Files FM file-sharing service.
The messages claimed the archive contained a “specialized protection tool,” but in reality, it delivered a remote access trojan (RAT) known as AGEWHEEZE.
The activity was observed between March 26 and 27, 2026, when threat actors sent emails impersonating CERT-UA to a wide range of organizations.
Researchers also identified a fraudulent website, cert-ua[.]tech, designed to mimic the official CERT-UA portal. The site reused legitimate content from cert.gov.ua and provided instructions to download the same malicious tool, increasing the credibility of the attack.
Go-Based RAT Capabilities
The payload inside the archive installs AGEWHEEZE, a multifunctional RAT written in the Go programming language. Once executed, the malware provides attackers with extensive control over infected systems.
Its capabilities include:
- Executing commands and managing files.
- Capturing screenshots and monitoring user activity.
- Simulating mouse and keyboard input.
- Accessing clipboard data.
- Managing processes and system services.
The malware ensures persistence by installing itself at paths such as %APPDATA%\SysSvc\SysSvc.exe or %APPDATA%\service\service.exe.
It also creates scheduled tasks like “SvcHelper” and “CoreService” to maintain elevated privileges.
Communication with its command-and-control (C2) server occurs via WebSockets, specifically through 54[.]36.237.92:8443, hosted on OVH infrastructure.
Investigators discovered a control panel labeled “The Cult” running on the same server, protected by an authentication page.
CERT-UA linked the campaign to a threat actor identified as UAC-0255. Attribution was strengthened after a Telegram channel named “Cyber Serp” publicly claimed responsibility for the attack on March 28, 2026.
Analysis of the fake website’s HTML code revealed embedded references to the group, including the message: “With Love, CYBER SERP.”
The domain cert-ua[.]tech was registered on March 27, 2026, and briefly used with a valid GlobalSign SSL certificate before going offline.
Additional infrastructure tied to the campaign includes domains such as creepy[.]ltd and hiddify.creepy[.]ltd, as well as malicious download links hosted on Files.fm.
Limited Impact but Growing Concern
CERT-UA reported that the campaign had limited success, with only a small number of infections detected. These primarily affected personal devices belonging to employees of educational institutions. The agency provided immediate assistance to contain the incidents.
Despite the low infection rate, the campaign highlights the increasing sophistication of phishing attacks, particularly those enhanced by artificial intelligence.
The use of cloned websites, realistic email lures, and AI-generated content makes detection more difficult for users.
CERT-UA urges organizations to strengthen their defenses by reducing their attack surface and enforcing stricter system policies. Recommended measures include:
- Configuring built-in protections such as Software Restriction Policies (SRP) and AppLocker.
- Verifying the authenticity of emails and download sources.
- Blocking suspicious domains and monitoring outbound connections.
- Using endpoint protection tools capable of detecting RAT behavior.
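As an added illustration that is not part of CERT-UA's alert or of this article, the Python script below matches the indicators reported above (the persistence paths, the "SvcHelper" and "CoreService" task names, the C2 endpoint, the campaign domains and the lure archive names) against endpoint telemetry, which is what "monitoring outbound connections" and "detecting RAT behavior" amount to in practice. The key=value log format and the sample lines are constructed for the example; a real deployment would feed it Sysmon or EDR events instead.

```python
"""Indicator matching for the AGEWHEEZE campaign described above.

Indicator values (paths, task names, C2 endpoint, domains, archive names)
are the ones CERT-UA published and this page reports. The log format and
the log lines are constructed for this example and are not real telemetry.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators from the CERT-UA report (the page shows the IP defanged).
C2_ENDPOINT = ("54.36.237.92", 8443)
PERSISTENCE_PATHS = {
    "%appdata%\\syssvc\\syssvc.exe",
    "%appdata%\\service\\service.exe",
}
TASK_NAMES = {"svchelper", "coreservice"}
LURE_ARCHIVES = {"cert_ua_protection_tool.zip", "protection_tool.zip"}
DOMAINS = {"cert-ua.tech", "creepy.ltd", "hiddify.creepy.ltd"}

# Constructed sample telemetry in a simple key=value line format (assumption:
# values contain no spaces). Mixes campaign indicators with benign activity.
SAMPLE_LOG = """\
type=process_create image=C:\\Users\\alice\\AppData\\Roaming\\SysSvc\\SysSvc.exe parent=explorer.exe
type=task_create name=SvcHelper image=C:\\Users\\alice\\AppData\\Roaming\\SysSvc\\SysSvc.exe
type=net_connect dst=54.36.237.92 dport=8443 proto=tcp image=SysSvc.exe
type=dns query=hiddify.creepy.ltd
type=file_write name=CERT_UA_protection_tool.zip path=C:\\Users\\alice\\Downloads
type=process_create image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
type=net_connect dst=203.0.113.10 dport=443 proto=tcp image=chrome.exe
type=dns query=cert.gov.ua
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")
# Matches a concrete roaming AppData prefix so it can be folded back to %APPDATA%.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.IGNORECASE)


@dataclass
class Finding:
    event_index: int
    kind: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def normalise_path(path: str) -> str:
    """Lower-case a path and replace the user's roaming AppData prefix with
    %appdata%, so a concrete path compares equal to the report's form."""
    return APPDATA_RE.sub("%appdata%", path).lower()


def match_event(index: int, ev: dict) -> list:
    """Compare one parsed event against every indicator class; return the hits."""
    findings = []
    kind = ev.get("type")
    image = normalise_path(ev.get("image", ""))
    if kind in ("process_create", "task_create") and image in PERSISTENCE_PATHS:
        findings.append(Finding(index, "persistence_path", image))
    if kind == "task_create" and ev.get("name", "").lower() in TASK_NAMES:
        findings.append(Finding(index, "scheduled_task", ev["name"]))
    if kind == "net_connect" and (ev.get("dst"), int(ev.get("dport", 0))) == C2_ENDPOINT:
        findings.append(Finding(index, "c2_connection", f"{ev['dst']}:{ev['dport']}"))
    if kind == "dns" and ev.get("query", "").lower() in DOMAINS:
        findings.append(Finding(index, "suspicious_domain", ev["query"]))
    if kind == "file_write" and ev.get("name", "").lower() in LURE_ARCHIVES:
        findings.append(Finding(index, "lure_archive", ev["name"]))
    return findings


def scan(lines) -> list:
    """Run indicator matching over a sequence of log lines."""
    findings = []
    for index, line in enumerate(lines):
        if line.strip():
            findings.extend(match_event(index, parse_event(line)))
    return findings


def summarise(findings) -> dict:
    """Count findings per indicator class; a quick triage view."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.event_index}: {f.kind} -> {f.detail}")
    print(summarise(scan(SAMPLE_LOG)))
```

Path normalisation is the part worth keeping: the report gives %APPDATA%-relative paths, while telemetry carries concrete per-user profile paths, so without folding the prefix back the persistence indicators never match. The scheduled task names and install paths are also the more durable signals; a C2 IP and port can be swapped cheaply, so a match on them confirms an infection but their absence proves little.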
The agency also emphasized the importance of collaboration with telecom providers, which helped distribute threat intelligence and support national cyber defense efforts.
This campaign serves as a reminder that even trusted institutions can be impersonated, and vigilance remains critical in defending against evolving cyber threats.