{"id":230223,"date":"2026-04-01T12:10:00","date_gmt":"2026-04-01T16:10:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/01\/cert-ua-impersonation-campaign-spread-agewheeze-malware-to-1-million-emails\/"},"modified":"2026-04-01T23:25:13","modified_gmt":"2026-04-02T03:25:13","slug":"cert-ua-impersonation-campaign-spread-agewheeze-malware-to-1-million-emails","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/01\/cert-ua-impersonation-campaign-spread-agewheeze-malware-to-1-million-emails\/","title":{"rendered":"CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails"},"content":{"rendered":"

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/04\/cert-ua-impersonation-campaign-spread.html<\/a><\/p>\n

Publish Date: 2026-04-01 12:10:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Apr 01, 2026<\/span><\/span>Email Security \/ Artificial Intelligence<\/span><\/p>\n

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.<\/p>\n

As part of the attacks, the threat actors, tracked as UAC-0255<\/strong>, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive hosted on Files.fm and urged recipients to install the “specialized software.”<\/p>\n

The targets of the campaign included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. Some of the emails were sent from the email address “incidents@cert-ua[.]tech.”<\/p>\n

The ZIP file (“CERT_UA_protection_tool.zip”) is designed to download malware packaged as security software from the agency. The malware, per CERT-UA, is a remote access trojan codenamed AGEWHEEZE.\u00a0<\/p>\n

A Go-based malware, AGEWHEEZE communicates with an external server (“54.36.237[.]92”) over WebSockets and supports a wide range of commands to execute commands, perform file operations, modify the clipboard, emulate mouse and keyboard, take screenshots, and manage processes and services. It also creates persistence by using a scheduled task, modifying the Windows Registry, or adding itself to the Startup directory.<\/p>\n

\"\"<\/p>\n

The attack is assessed to have been largely unsuccessful. “No more than a few infected personal devices belonging to employees of educational institutions of various forms of ownership were identified,” the agency said. “The team’s specialists provided the necessary methodological and practical assistance.”<\/p>\n

An analysis of the bogus website “cert-ua[.]tech” has revealed that it was likely generated with assistance from artificial intelligence (AI) tools, with the HTML source code also including a comment: “\u0421 \u041b\u044e\u0431\u043e\u0432\u044c\u044e, \u041a\u0418\u0411\u0415\u0420 \u0421\u0415\u0420\u041f,” meaning “With…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails https:\/\/thehackernews.com\/2026\/04\/cert-ua-impersonation-campaign-spread.html Publish Date: 2026-04-01 12:10:00…<\/p>\n","protected":false},"author":1,"featured_media":230224,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh4SwwNEiRJL3-C8lgR_Sj7XKNGuxhA-uAdcUZBQRRzmC16xbgg4bYkHTBz2VTfXOle8Su66hHz8vDXIOOQ2nFXlNo8wOIVWYGmVW-c9X4Luqx1-qFCiLmOMzUzwW8T5g0S73q4sr66bEAhjy9BrGmiz_pj52J3ug92X8hO5gMR6j9v_Fg8Iqu8lzqczge3\/s1600\/cert.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24,32,25],"class_list":["post-230223","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230223"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230223"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230223\/revisions"}],"predecessor-version":[{"id":230225,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230223\/revisions\/230225"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230224"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}