Main points
- Hackers spoofed the government website CERT-UA and spread the virus through phishing emails, which mainly affected the personal devices of educators.
- The AGEWHEEZE virus gave hackers almost unlimited control over infected PCs. The UAC-0255 group is behind the attack.

Hackers cloned the CERT-UA website to distribute spyware (image: Freepik)
At the end of March 2026, a sophisticated cyberattack was detected in the Ukrainian segment of the Internet, in which attackers posed as the state computer emergency response team. Exploiting trust in official institutions, the hackers tried to infect the systems of important organizations.
What methods did the attackers use?
During March 26-27, 2026, experts recorded a massive wave of phishing emails that imitated official messages from CERT-UA. The main targets were government institutions, financial institutions, educational institutions, medical centers and private IT companies. The messages urged recipients to download a specialized tool to improve their cybersecurity, but the links actually led to a remote-access spyware program, writes Cyber Press.
To increase the trust of potential victims, the hackers created an exact copy of the official CERT-UA portal on a different .tech domain. It fully duplicated the design and content of the real cert.gov.ua site, which significantly increased the chances of a successful attack. The attackers even obtained a valid SSL certificate from GlobalSign so that the site would appear secure in users' browsers. The resource contained instructions for using the malicious software, which was presented as an official protection tool.
New virus
The malicious payload was distributed via the popular file-sharing service Files.fm in the form of password-protected archives named “CERT_UA_protection_tool.zip” or “protection_tool.zip”. Inside was the AGEWHEEZE remote access trojan, developed in the Go programming language.
This tool gives the operators almost unlimited control over the infected machine. In particular, the malware can stream the screen in real time, intercept clipboard data, manipulate the file system, execute arbitrary commands, and even simulate mouse movements and keystrokes.
The malware developers paid special attention to persistence on the infected system. After launch, AGEWHEEZE copies itself into operating-system working directories and creates scheduled tasks named “SvcHelper” and “CoreService” so that it starts automatically after a reboot and runs with elevated privileges. Communication with the command-and-control server takes place over the WebSocket protocol.
Researchers discovered that the network of infected devices was controlled through a panel called “The Cult”, hosted on the infrastructure of the provider OVH. On the panel's authentication page they found text in Russian announcing the suspension of membership in the community.
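The two scheduled-task names reported above are the most concrete host-level indicator in this article, so a defender's first check on a suspected machine is to look for them. The script below is an added example and is not code from the article or from CERT-UA: it parses the CSV that `schtasks /query /fo CSV /v` prints on Windows, skips the header line that schtasks repeats once per task folder, and flags tasks whose final name component is SvcHelper or CoreService. The embedded sample output, the hostname, the user name and the file paths in it are all constructed for the example; the real command prints many more columns, which the parser ignores because it selects columns by header name.

```python
"""Hunt for the AGEWHEEZE persistence task names in `schtasks` CSV output.

Added example, not from the article or CERT-UA. Run on a real host with:
    schtasks /query /fo CSV /v | python hunt_tasks.py
Without stdin it runs against the constructed sample below.
"""
import csv
import io
import sys
from typing import Iterator

# Task names the article reports AGEWHEEZE registering for persistence.
SUSPECT_TASK_NAMES = frozenset({"svchelper", "coreservice"})

# Constructed sample of `schtasks /query /fo CSV /v` output (subset of columns;
# hostname, user and paths are made up). The header row is repeated once per
# task folder, as schtasks does, so the parser must skip the repeats.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Scheduled Task State","Run As User","Schedule Type"
"WS01","\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Enabled","SYSTEM","Weekly"
"WS01","\SvcHelper","Ready","WS01\alice","C:\Users\alice\AppData\Roaming\svchelper.exe","Enabled","SYSTEM","At system start up"
"HostName","TaskName","Status","Author","Task To Run","Scheduled Task State","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\CoreService","Ready","WS01\alice","C:\ProgramData\CoreService\core.exe","Enabled","SYSTEM","At logon time"
"WS01","\Microsoft\Windows\Servicing\StartComponentCleanup","Ready","Microsoft Corporation","COM handler","Enabled","SYSTEM","Event"
'''


def iter_tasks(csv_text: str) -> Iterator[dict]:
    """Yield one dict per task, skipping the header rows schtasks repeats."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        if row.get("TaskName") == "TaskName":  # repeated header line, not a task
            continue
        yield row


def task_basename(task_path: str) -> str:
    r"""'\Microsoft\Windows\CoreService' -> 'CoreService'."""
    return task_path.rstrip("\\").rsplit("\\", 1)[-1]


def find_suspect_tasks(csv_text: str) -> list[dict]:
    """Return tasks whose name matches the reported persistence names.

    Matching is case-insensitive on the final path component, so a task is
    caught whether it sits in the root folder or under \\Microsoft\\Windows.
    """
    hits = []
    for row in iter_tasks(csv_text):
        if task_basename(row["TaskName"]).lower() in SUSPECT_TASK_NAMES:
            hits.append({
                "host": row["HostName"],
                "task": row["TaskName"],
                "author": row["Author"],
                "command": row["Task To Run"],
                "run_as": row["Run As User"],
                "trigger": row["Schedule Type"],
                # A task created by an ordinary user that runs as SYSTEM matches
                # the elevated, reboot-surviving persistence the article describes.
                "elevated": row["Run As User"].upper() == "SYSTEM",
            })
    return hits


if __name__ == "__main__":
    text = SAMPLE_SCHTASKS_CSV if sys.stdin.isatty() else sys.stdin.read()
    for hit in find_suspect_tasks(text):
        print(f"[!] {hit['host']}: {hit['task']} runs {hit['command']!r} "
              f"as {hit['run_as']} ({hit['trigger']}, author {hit['author']})")
```

A name match is a lead, not a verdict: a legitimate vendor task could carry either name, so the "Task To Run" path, the author and the run-as account are printed alongside so an analyst can check whether the binary lives in a user-writable location and was registered by a non-administrative account.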
Who is behind the attack?
CERT-UA attributes responsibility for this campaign to the UAC-0255 group, writes GBHackers. The connection became apparent after a public confirmation of involvement in the attack appeared on March 28, 2026 in the Telegram channel “Cyber Serp” (also known as “Cyber Sickle”). In addition, while analyzing the fake website's code, experts found hidden messages left in this group's name.
How many victims?
Despite the scale of the attempt, the actual impact of the attack was limited. According to experts, only a small number of successful infections were recorded, mostly affecting the personal devices of education workers.
The state response team promptly assisted the victims in containing the incidents.