Hackers clone CERT-UA site to push Go-based RAT in phishing campaign


Hackers recently cloned Ukraine’s CERT-UA website and used it in a phishing operation to trick targets into installing a remote access trojan called AGEWHEEZE. CERT-UA says the campaign, tracked as UAC-0255, targeted Ukrainian organizations with emails that pretended to come from the agency and pushed recipients to download a fake “protection tool.”

The activity took place on March 26 and March 27, 2026. According to CERT-UA and follow-up reporting based on the advisory, the phishing emails reached organizations in government, healthcare, education, finance, security, and software development. The messages urged people to download password-protected ZIP archives, including files named “CERT_UA_protection_tool.zip” and “protection_tool.zip,” from Files.fm.

Instead of a security utility, the archive delivered AGEWHEEZE, a Go-based remote access trojan that gives attackers broad control over infected systems. CERT-UA documented the incident as CERT-UA#21075 and assigned the campaign the identifier UAC-0255.

Fake government branding gave the lure credibility

A key part of the campaign involved the domain cert-ua[.]tech, which attackers used to mimic the real CERT-UA website at cert.gov.ua. Reporting based on the CERT-UA advisory says the fake site mirrored the official branding and included download prompts and installation guidance designed to make the malware look legitimate.

Some of the phishing emails also came from the address incidents@cert-ua[.]tech, which made the messages look even more believable. The Hacker News reported that the fake infrastructure appeared shortly before the phishing wave, matching the broader timeline described by CERT-UA.

This kind of lure works because it abuses trust in a known security authority. When an email claims to offer an urgent protective tool from a national cyber response team, some recipients will install it before they stop to verify the source. CERT-UA’s real advisory makes clear that the attackers leaned heavily on that trust signal.
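One practical check against this kind of lure is to classify every sender domain against the authority's real zone rather than trusting the brand string in the address. The following is an added example, not code from CERT-UA or from the outlets that reported on the advisory: it refangs the defanged notation reports use (cert-ua[.]tech), collapses separators so cert-ua, cert_ua and certua compare equal, and treats only cert.gov.ua and its subdomains as trusted. The TRUSTED table format and the alias list are assumptions for the example; the indicators themselves are the ones named in the article.

```python
"""Classify sender domains against a trusted authority's real zone.

Added example, not from the CERT-UA advisory or the cited reports. The
TRUSTED policy table and the alias list are assumptions for the demo; the
indicators (cert.gov.ua, cert-ua[.]tech, incidents@cert-ua[.]tech) are the
ones the article names.
"""
import re

# Trusted zone -> brand strings attackers tend to reuse in lookalike domains.
TRUSTED = {
    "cert.gov.ua": ("cert-ua", "cert_ua", "certua"),
}


def refang(indicator):
    """Turn the defanged notation used in reports (cert-ua[.]tech) back into a hostname."""
    return indicator.replace("[.]", ".")


def sender_domain(address):
    """Domain part of an e-mail address, or the bare hostname if there is no '@'."""
    host = refang(address.strip().lower())
    if "@" in host:
        host = host.rsplit("@", 1)[1]
    return host.rstrip(".")


def normalize(label):
    """Collapse separators so cert-ua, cert.ua and cert_ua compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def classify(address):
    """'trusted' for the real zone and its subdomains, 'lookalike' when a brand
    string appears anywhere else in the domain, otherwise 'unrelated'."""
    host = sender_domain(address)
    for zone in TRUSTED:
        if host == zone or host.endswith("." + zone):
            return "trusted"
    flat = normalize(host)
    for zone, aliases in TRUSTED.items():
        tokens = {normalize(zone), *(normalize(a) for a in aliases)}
        if any(token in flat for token in tokens):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("incidents@cert-ua[.]tech", "alerts@cert.gov.ua",
                   "cert.gov.ua.login-portal[.]com", "billing@example.com"):
        print(f"{sample:40} {classify(sample)}")
```

Substring matching on the flattened domain deliberately errs toward false positives (any domain containing "certua" is flagged), which is the right trade-off for a mail-gateway tag rule. It only inspects the domain in the header; a message that forges the real cert.gov.ua in From still needs SPF/DKIM/DMARC results to catch it.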

What AGEWHEEZE can do on an infected system

AGEWHEEZE is not a simple downloader. CERT-UA-linked reporting says the malware can maintain persistence, communicate with its command server over WebSockets, and give operators remote access to the victim’s machine.

The malware reportedly stores itself in AppData locations such as %APPDATA%\SysSvc\SysSvc.exe or %APPDATA%\service\service.exe (%APPDATA% expands to the user’s Roaming profile folder, so writing there needs no administrator rights). It also creates Run registry entries and scheduled tasks, including names like “SvcHelper” and “CoreService,” so it can survive reboots.

Once active, the RAT can capture screenshots, manage files, list and kill processes, read clipboard data, open URLs, run commands, and trigger actions such as restart or shutdown. SOC Prime, citing CERT-UA#21075, said command-and-control traffic was observed over WebSockets to an OVH-hosted server on port 8443.

Impact appears limited, but the campaign still matters

CERT-UA said the campaign did not spread widely. Reporting on the advisory says investigators found infections only on a small number of personal devices belonging to staff at educational institutions, which suggests the operation achieved limited success despite the scale of the lure.

Even so, the operation stands out because it copied the identity of Ukraine’s official cyber emergency response team. A phishing campaign built around a fake security alert can work across sectors because the message feels urgent and authoritative at the same time.

The incident also shows how attackers continue to pair simple phishing tactics with realistic infrastructure. They did not need a highly complex initial lure. They only needed a convincing website, a believable sender identity, and a malware file disguised as a defensive tool.

Key facts at a glance

Threat actor tracking: UAC-0255
Malware: AGEWHEEZE RAT
Language: Go
Lure: Fake CERT-UA “protection tool”
Fake domain: cert-ua[.]tech
Real site imitated: cert.gov.ua
Delivery method: Phishing emails with password-protected ZIP archive
Target sectors: Government, healthcare, education, finance, security, software
CERT-UA incident ID: CERT-UA#21075

What defenders should do now

  • Block and monitor lookalike domains that imitate trusted government or security organizations.
  • Warn employees not to install “security tools” sent by email without independent verification.
  • Restrict execution from user AppData paths where possible, for example with AppLocker or WDAC rules, since the RAT drops its binaries under %APPDATA%.
  • Hunt for suspicious Run key persistence and scheduled tasks such as “SvcHelper” and “CoreService.”
  • Review outbound traffic for unusual WebSocket connections, especially from binaries running out of AppData to non-standard ports such as 8443, and for known malicious infrastructure. Port 8443 on its own is common TLS traffic, so pair it with the originating process.
  • Verify urgent cyber alerts by visiting the official website directly instead of clicking email links.
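The persistence artifacts listed in the AGEWHEEZE section and the hunting steps above translate directly into detection logic. The following is an added example, not part of the CERT-UA advisory or any of the cited reports: it runs rules for the AppData drop paths, the Run key and scheduled-task names, and AppData-resident processes connecting to port 8443 over a handful of Sysmon-style events. The Sysmon field names (EventID, Image, CommandLine, TargetObject, Details, DestinationPort) follow the real schema; the events themselves, including the user name, SID and 203.0.113.x addresses, are constructed for the demonstration.

```python
"""Hunt for AGEWHEEZE-style persistence and C2 in Sysmon-style events.

Added example (not CERT-UA's or the reporting outlets' code). Field names
follow Sysmon's schema (EventID 1 process create, 13 registry value set,
3 network connect); the sample events are constructed, not real telemetry.
"""
import re

# Indicators from the CERT-UA reporting. %APPDATA% expands to AppData\Roaming.
KNOWN_DROPS = {
    r"\appdata\roaming\syssvc\syssvc.exe",
    r"\appdata\roaming\service\service.exe",
}
PERSISTENCE_NAMES = {"svchelper", "coreservice"}   # Run key / task names
C2_PORT = 8443                                      # WebSocket C2 port reported

# Any executable living under a user's AppData tree (Roaming or Local).
APPDATA_EXE = re.compile(r"\\appdata\\(?:roaming|local)\\.*?\.exe\b", re.IGNORECASE)
# Task name argument of schtasks.exe, e.g. /tn SvcHelper or /tn "SvcHelper"
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def in_appdata(text):
    """True if the string references an .exe under AppData."""
    return bool(APPDATA_EXE.search(text or ""))


def is_known_drop(path):
    """True if the path ends with one of the reported drop locations."""
    path = (path or "").lower()
    return any(path.endswith(drop) for drop in KNOWN_DROPS)


def check_event(ev):
    """Return [(rule, severity), ...] for a single event dict."""
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 1:  # process creation
        if is_known_drop(image):
            findings.append(("appdata_known_drop", "high"))
        elif in_appdata(image):
            findings.append(("appdata_exe_execution", "medium"))
        cmd = ev.get("CommandLine", "")
        if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower():
            match = TASK_NAME.search(cmd)
            if match and match.group(1).lower() in PERSISTENCE_NAMES:
                findings.append(("schtasks_known_name", "high"))
            elif in_appdata(cmd):
                findings.append(("schtasks_appdata_target", "medium"))
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY.search(target):
            value_name = target.rsplit("\\", 1)[-1].lower()
            if value_name in PERSISTENCE_NAMES:
                findings.append(("runkey_known_name", "high"))
            elif in_appdata(ev.get("Details", "")):
                findings.append(("runkey_appdata_target", "medium"))
    elif eid == 3:  # network connection
        # Port 8443 alone is common TLS traffic; require an AppData-resident client.
        if ev.get("DestinationPort") == C2_PORT and in_appdata(image):
            findings.append(("websocket_c2_candidate", "high"))
    return findings


def hunt(events):
    """Apply check_event to every event; returns [(index, rule, severity), ...]."""
    return [(i, rule, sev) for i, ev in enumerate(events) for rule, sev in check_event(ev)]


# Constructed sample telemetry for one host; user, SID and IPs are made up.
DROP = r"C:\Users\alice\AppData\Roaming\SysSvc\SysSvc.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROP, "CommandLine": DROP,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": DROP,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SvcHelper",
     "Details": DROP},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn CoreService /tr "C:\Users\alice\AppData\Roaming\service\service.exe" /sc onlogon'},
    {"EventID": 3, "Image": DROP, "DestinationIp": "203.0.113.10",
     "DestinationPort": 8443, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 8443, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_tool.exe",
     "CommandLine": "setup_tool.exe /quiet"},
]

if __name__ == "__main__":
    for index, rule, severity in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule} ({severity})")
```

The high-severity rules key on the names and paths CERT-UA published and will go stale as soon as the operators rename things; the medium-severity rules (any AppData executable, any Run key or task pointing into AppData) are the ones worth keeping as a standing hunt. The browser connection to 8443 in the sample is intentionally left unflagged to show why the C2 rule requires the originating process and not just the port.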

FAQ

What is AGEWHEEZE?

AGEWHEEZE is a Go-based remote access trojan that gives attackers control over an infected computer. Reporting tied to CERT-UA’s advisory says it can execute commands, manipulate files, capture screenshots, and maintain persistence after reboot.

Who did the campaign target?

The phishing emails targeted a broad mix of Ukrainian organizations, including government agencies, medical centers, educational institutions, financial entities, security companies, and software developers.

Was the fake CERT-UA site real enough to fool people?

Yes. The attackers used cert-ua[.]tech to imitate the legitimate CERT-UA website and make the lure look official. That branding likely helped the phishing emails appear trustworthy.

Did the attack infect many systems?

CERT-UA said the spread was limited. Reports based on the advisory say only a small number of personal devices tied to educational staff were confirmed infected.
