{
	"id": "1e8cf563-f89c-4168-9ee1-1b0b23119361",
	"created_at": "2026-04-10T03:21:46.381782Z",
	"updated_at": "2026-04-10T03:22:18.978986Z",
	"deleted_at": null,
	"sha1_hash": "577627c1e2b07c5c56ea56bcee0b1cce0d10a1a2",
	"title": "UAC-0255 Attack Detection: Threat Actors Impersonate CERT-UA to Infect Ukrainian Public and Private Sector Organizations With AGEWHEEZE RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65251,
	"plain_text": "UAC-0255 Attack Detection: Threat Actors Impersonate CERT-UA to Infect Ukrainian Public and Private Sector Organizations With AGEWHEEZE RAT\r\nBy Daryna Olyniychuk\r\nPublished: 2026-04-01 · Archived: 2026-04-10 02:01:45 UTC\r\nPhishing remains one of the most effective tools in the cybercriminal arsenal, especially when threat actors abuse the credibility of trusted institutions and familiar digital services to increase victim interaction. In late March 2026, CERT-UA revealed a phishing campaign tracked as UAC-0255 in which attackers impersonated the agency and attempted to infect organizations across Ukraine’s public and private sectors with the AGEWHEEZE RAT.\r\nDetect UAC-0255 Attacks Covered in CERT-UA#21075\r\nEuropol notes that phishing remains the main distribution vector for data-stealing malware, reflecting how email- and URL-driven social engineering remains central to malware delivery. The same pattern is visible across the phishing activity CERT-UA has been documenting against Ukraine throughout 2026.\r\nEarlier this year, CERT-UA reported a UAC-0190 campaign targeting the Ukrainian Armed Forces with the PLUGGYAPE backdoor, and later disclosed UAC-0252 activity in which emails impersonating central executive authorities and regional administrations lured victims into running SHADOWSNIFF and SALATSTEALER payloads. The latest UAC-0255 attack, covered in the CERT-UA#21075 alert, fits the same broader trend, with threat actors now abusing CERT-UA’s own identity to make the lure more convincing and expand targeting across both public and private sector organizations.\r\nRegister for the SOC Prime Platform to proactively detect UAC-0255 and similar attacks at the earliest stages possible. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT\u0026CK® framework, and compatible with multiple SIEM, EDR, and Data Lake technologies.\r\nSecurity experts can also use the “CERT-UA#21075” tag, based on the relevant CERT-UA alert identifier, to search for the detection stack directly and track any content changes. For more rules to detect adversary-related attacks, cyber defenders can search the Threat Detection Marketplace library using the “UAC-0255” tag.\r\nCybersecurity professionals can also rely on Uncoder AI to analyze threat intelligence in real time, generate Attack Flows, Sigma rules, simulations and validations, design detections in 56 languages, and create custom agentic workflows. Visit https://socprime.ai/ to learn more.\r\nAnalyzing UAC-0255 Attacks Impersonating CERT-UA to Deploy AGEWHEEZE\r\nhttps://socprime.com/blog/uac-0255-distributing-agewheeze-rat/\r\nPage 1 of 3\r\nOn March 26–27, 2026, CERT-UA identified a phishing campaign in which attackers impersonated the agency and urged recipients to download password-protected archives from the Files.fm service, including “CERT_UA_protection_tool.zip” and “protection_tool.zip.” The archives contained malicious content presented as specialized software to be installed by targeted organizations.\r\nMalicious emails were distributed broadly across Ukraine and targeted government organizations, medical centers, security firms, educational institutions, financial organizations, software development companies, and other entities, highlighting the campaign’s reach across both public and private sectors.\r\nThe CERT-UA#21075 alert also details the discovery of the fraudulent website cert-ua[.]tech, which reused materials from the official cert.gov.ua website and included instructions for downloading the fake protection tool. This helped the attackers reinforce the legitimacy of the lure and increase the chances of user interaction by abusing trust in Ukraine’s Computer Emergency Response Team.\r\nThe executable offered for installation was determined to be a multifunctional remote access malware strain tracked by CERT-UA as AGEWHEEZE. AGEWHEEZE is a Go-based RAT that supports a broad set of remote administration capabilities. In addition to standard functions such as command execution and file management, the malware can stream screen content, emulate mouse and keyboard input, interact with the clipboard, manage processes and services, and open URLs on the compromised host.\r\nThe malware’s command-and-control infrastructure was hosted on the network of the French provider OVH (AS16276). On port 8443/tcp, researchers observed a web page titled “The Cult” containing an authentication form, while the HTML source included Russian-language strings stating that access to the service was blocked. CERT-UA also found that the associated self-signed SSL certificate had been created on March 18, 2026, and that its Organization field contained the value “TVisor.”\r\nDuring a review of the AI-generated cert-ua[.]tech website, CERT-UA found embedded references to the CyberSerp Telegram channel, including the phrase “With Love, CYBER SERP.” On March 28, 2026, the same Telegram channel publicly claimed responsibility for the attack, helping remove uncertainty around the technical attribution. Based on these findings, CERT-UA assigned the activity the identifier UAC-0255.\r\nDespite the breadth of targeting, CERT-UA assessed the attack as unsuccessful. Investigators identified only a small number of infected personal devices belonging to employees of educational institutions, and the response team provided the necessary practical and methodological assistance.\r\nMITRE ATT\u0026CK Context\r\nLeveraging MITRE ATT\u0026CK offers in-depth insight into the latest UAC-0255 phishing campaign impersonating CERT-UA. The table below lists all relevant Sigma rules mapped to the associated ATT\u0026CK tactics, techniques, and sub-techniques.\r\nTactics | Techniques | Sigma Rules\r\nInitial Access | Phishing: Spearphishing Attachment (T1566) | Possible Opening Password Protected RAR Archive (via registry_event)\r\nExecution | Scheduled Task/Job: Scheduled Task (T1053.005) | Suspicious Scheduled Task (via audit); Suspicious Scheduled Task Files Access via Rare Image (via file_event)\r\nDefense Evasion | Obfuscated Files or Information (T1027) | Possible Opening Password Protected RAR Archive (via registry_event)\r\nCommand and Control | Application Layer Protocol: Web Protocols (T1071.001) | Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns); Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)\r\nCommand and Control | Ingress Tool Transfer (T1105) | Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns); Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)\r\nSource: https://socprime.com/blog/uac-0255-distributing-agewheeze-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/uac-0255-distributing-agewheeze-rat/"
	],
	"report_names": [
		"uac-0255-distributing-agewheeze-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775791306,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/577627c1e2b07c5c56ea56bcee0b1cce0d10a1a2.pdf",
		"text": "https://archive.orkl.eu/577627c1e2b07c5c56ea56bcee0b1cce0d10a1a2.txt",
		"img": "https://archive.orkl.eu/577627c1e2b07c5c56ea56bcee0b1cce0d10a1a2.jpg"
	}
}