[TIMESTAMP: 2026-04-01 20:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

UAC-0255 Impersonates CERT-UA to Distribute AGEWHEEZE Malware

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Threat actor UAC-0255 sent approximately one million phishing emails posing as CERT-UA advisories to deliver the AGEWHEEZE remote administration tool.
  • [02] Affected systems are enterprise Windows workstations whose users can open password-protected ZIP attachments and run the scripts or executables inside them.
  • [03] Organizations should block the campaign's known infrastructure immediately and apply restrictive handling to password-protected archives arriving through external email gateways.

A high-volume phishing campaign has been observed impersonating the Computer Emergency Response Team of Ukraine (CERT-UA) to distribute a remote administration tool (RAT) tracked as AGEWHEEZE. According to The Hacker News, the threat actor tracked as UAC-0255 launched the operation on March 26 and 27, 2026, sending approximately one million emails. A send volume of that size points to a broad initial-access effort rather than a narrowly targeted APT operation, although the national CERT branding raises the odds that recipients open the attachment.

Technical Breakdown of AGEWHEEZE Delivery

The campaign's entry point is social engineering rather than an exploit: the emails appeared to originate from CERT-UA, a lure built to exploit the trust users place in official cybersecurity communications. The attachment is a password-protected ZIP archive, a common technique for evading mail-gateway antivirus and sandbox inspection. Because each entry's contents are encrypted, the gateway cannot extract the files to match signatures or IoCs, and a sandbox cannot detonate them without the password. Note what the encryption does not hide: the ZIP central directory, including every member's name, size and encrypted flag, stays in cleartext, so a gateway can still refuse an encrypted archive whose members carry script or executable extensions.
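To make the gateway point concrete, here is an added example (not tooling from the article or from CERT-UA) that triages a password-protected ZIP using only its cleartext central directory. The archive builder, the member names and the extension list are constructed for the demonstration, and the entry bodies are placeholder bytes rather than real ciphertext.

```python
"""Gateway triage of a password-protected ZIP without knowing the password.

Added example, not the page's own tooling. ZIP encryption (ZipCrypto and
WinZip AES alike) protects only each entry's data; the central directory
that lists every member name, size and the 'encrypted' flag stays in
cleartext, so a mail gateway can still refuse an encrypted archive whose
members look like scripts or executables. The sample archive below is
constructed in code and its entry bodies are placeholder bytes.
"""
import io
import os
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 in the ZIP spec

# Member extensions a gateway should treat as payload-like inside an encrypted
# archive. Illustrative list; the campaign's real file names are not given here.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs",
                    ".vbe", ".wsf", ".hta", ".lnk", ".bat", ".cmd", ".ps1",
                    ".zip", ".rar", ".7z", ".iso", ".img"}  # nested containers too


def build_encrypted_zip(members):
    """Write a STORED ZIP whose every entry carries the encrypted flag.

    Only the headers matter for this demonstration, so the bodies are opaque
    placeholder bytes standing in for ciphertext; the archive cannot be
    extracted, which is exactly the position a gateway is in without the password.
    """
    out, central = io.BytesIO(), []
    for name, body in members:
        raw, offset = name.encode("utf-8"), out.tell()
        # local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, FLAG_ENCRYPTED,
                              0, 0, 0x21, 0, len(body), len(body), len(raw), 0))
        out.write(raw + body)
        # central directory header adds version-made-by, comment length,
        # disk number, internal/external attributes and the local header offset
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                   FLAG_ENCRYPTED, 0, 0, 0x21, 0, len(body),
                                   len(body), len(raw), 0, 0, 0, 0, 0, offset) + raw)
    cd_offset = out.tell()
    out.write(b"".join(central))
    cd_size = out.tell() - cd_offset
    # end of central directory: disk numbers, entry counts, CD size/offset, comment length
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), cd_size, cd_offset, 0))
    return out.getvalue()


def build_plain_zip(members):
    """Ordinary unencrypted ZIP via the standard library, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members:
            zf.writestr(name, body)
    return buf.getvalue()


def triage_archive(data):
    """Decide what a gateway should do with an archive using only its central directory.

    Returns the encrypted member names, the payload-like member names and one
    of 'scan' (plaintext, hand to AV/sandbox), 'hold_for_review' (encrypted but
    innocuous names) or 'quarantine' (encrypted and payload-like names).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # parses the central directory only; no password needed
    encrypted = [i.filename for i in infos if i.flag_bits & FLAG_ENCRYPTED]
    risky = [i.filename for i in infos
             if os.path.splitext(i.filename.lower())[1] in RISKY_EXTENSIONS]
    if encrypted and risky:
        action = "quarantine"
    elif encrypted:
        action = "hold_for_review"
    else:
        action = "scan"
    return {"encrypted": encrypted, "risky": risky, "action": action}


# Constructed sample shaped like this campaign's lure; names are invented, not IoCs.
SAMPLE_ATTACHMENT = build_encrypted_zip([
    ("CERT-UA_advisory.pdf.js", b"\x00" * 64),
    ("readme.txt", b"\x00" * 16),
])

if __name__ == "__main__":
    print(triage_archive(SAMPLE_ATTACHMENT))
    print(triage_archive(build_plain_zip([("notes.txt", b"hello")])))
```

The verdict rests on names and flags alone, so it is cheap enough to run on every attachment before the expensive sandbox step. It does not replace detonation: an encrypted archive with innocuous-looking names still goes to manual review, because the names are attacker-controlled and the contents remain unseen.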

Inside the archive is the AGEWHEEZE payload. Once executed, the RAT establishes a command-and-control (C2) channel that gives the attacker interactive access to the victim's host. The full capability set of AGEWHEEZE is still being analyzed by the SOC community; in practice a RAT of this kind serves as the foothold for lateral movement or data exfiltration.

How to Detect AGEWHEEZE Malware and Malicious ZIP Files

Identifying these attacks requires a multi-layered approach. Security teams should monitor for mail from domains that spoof or closely mimic official government infrastructure; examining the Received, Return-Path and Authentication-Results headers (SPF, DKIM, DMARC) can reveal when the envelope sender does not match the displayed CERT-UA identity. On the endpoint, SIEM rules should flag script hosts or binaries launched from temporary directories immediately after an archive is decompressed, for example a script interpreter spawned by Explorer or the archive utility with an argument under the user's Temp folder.
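The temp-directory correlation above, written out as a rule over constructed Sysmon-style events. This is an added example, not detection content from the article or from CERT-UA; the staging-folder patterns are the ones Windows Explorer, WinRAR and 7-Zip commonly create, and every path, user name and timestamp below is invented.

```python
"""Flag script hosts launched from a freshly extracted archive.

Added example in the shape of a SIEM correlation rule, run over constructed
Sysmon-style events (Event ID 11 FileCreate, Event ID 1 ProcessCreate).
Not the article's or CERT-UA's detection content; paths, users and times
are invented.
"""
import re
from datetime import datetime, timedelta

# Script interpreters and LOLBins an archive-delivered dropper typically starts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# Programs that decompress archives on the user's behalf.
ARCHIVE_HANDLERS = {"explorer.exe", "winrar.exe", "7zfm.exe", "7zg.exe"}

# Staging folders those programs commonly create under %LOCALAPPDATA%\Temp:
# Explorer's ZIP folders use Temp1_<archive>\, WinRAR uses Rar$...\, 7-Zip uses 7zO...\ or 7zE...\.
# Group 1 captures just the staging folder name, which serves as the correlation key.
STAGING_RE = re.compile(
    r"\\AppData\\Local\\Temp\\(Temp1_[^\\]+\\|Rar\$[^\\]+\\|7z[OE][^\\]+\\)",
    re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_archive_to_script(events, window=timedelta(seconds=60)):
    """Return one alert per script host started out of an archive staging folder.

    Severity is 'high' when a file was written to that folder within `window`
    and the parent is an archive handler, 'medium' with one of the two, and
    'low' when only the path pattern matches.
    """
    last_write = {}  # staging folder name -> time a file was last created there
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 11:
            m = STAGING_RE.search(ev["target_filename"])
            if m:
                last_write[m.group(1).lower()] = ev["ts"]
            continue
        if ev["event_id"] != 1 or _basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        m = STAGING_RE.search(ev["image"] + " " + ev["command_line"])
        if not m:
            continue
        folder = m.group(1).lower()
        reasons = []
        written = last_write.get(folder)
        if written is not None and timedelta(0) <= ev["ts"] - written <= window:
            reasons.append("file created in staging folder %.0fs earlier"
                           % (ev["ts"] - written).total_seconds())
        if _basename(ev["parent_image"]) in ARCHIVE_HANDLERS:
            reasons.append("parent is archive handler " + _basename(ev["parent_image"]))
        severity = {2: "high", 1: "medium"}.get(len(reasons), "low")
        alerts.append({"ts": ev["ts"], "image": ev["image"], "folder": folder,
                       "severity": severity, "reasons": reasons})
    return alerts


T0 = datetime(2026, 3, 27, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed, not telemetry from the campaign
    {"ts": T0, "event_id": 11, "image": r"C:\Windows\explorer.exe",
     "target_filename": r"C:\Users\o.koval\AppData\Local\Temp\Temp1_CERT-UA_advisory.zip\advisory.js"},
    {"ts": T0 + timedelta(seconds=3), "event_id": 1,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\o.koval\AppData\Local\Temp\Temp1_CERT-UA_advisory.zip\advisory.js"'},
    {"ts": T0 + timedelta(seconds=4), "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r"cmd.exe /c C:\Users\o.koval\AppData\Local\Temp\Rar$EXa9876.5432\update.bat"},
    {"ts": T0 + timedelta(minutes=5), "event_id": 1,  # benign: script run from Documents
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Users\o.koval\Documents\backup.ps1"},
    {"ts": T0 + timedelta(hours=1), "event_id": 1,  # path matches, nothing corroborates
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"wscript.exe C:\Users\o.koval\AppData\Local\Temp\Rar$DIa4321.12345\x.vbs"},
]

if __name__ == "__main__":
    for alert in detect_archive_to_script(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["reasons"])
```

The rule keys on the staging folder name so that the FileCreate and ProcessCreate events correlate even when they come from different log sources. Two caveats for production use: command lines that reference an unexpanded %TEMP% will not match the path pattern, and a user who extracts to a chosen folder rather than double-clicking inside the archive bypasses the staging-folder check entirely, so the parent-process condition should be kept as an independent signal.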

UAC-0255 Phishing Campaign Mitigation and Analysis

UAC-0255 has demonstrated a significant capacity for volume, which places a heavy burden on incident response teams. Impersonating a national CERT such as CERT-UA is particularly effective because it preys on the urgency administrators feel when rushing to apply patches or act on an advisory. To counter this, organizations must verify unexpected advisories through a secondary, out-of-band channel, such as the CERT's official website, rather than trusting links or attachments in the email itself.

Standardizing on a Zero Trust architecture limits the blast radius of such campaigns. Application control that permits only approved executables and script hosts, combined with closing off privilege escalation paths, can prevent AGEWHEEZE from establishing the persistence it needs to enable a later ransomware or supply chain intrusion.

Defensive Recommendations for SOC Teams

To effectively combat the UAC-0255 threat, defenders should prioritize the following actions:

  • Implement email filtering rules that quarantine password-protected archives from external senders for manual review, or for secondary scanning once the password is known.
  • Update endpoint protection signatures to recognize the AGEWHEEZE binary and its associated loader scripts.
  • Conduct targeted security awareness training focusing on the dangers of impersonated government communications.
  • Map campaign behaviors against the MITRE ATT&CK framework to identify gaps in existing detection coverage.

As the campaign continues, practitioners should keep a close watch on emerging network telemetry related to UAC-0255 infrastructure to update their blocklists and firewall rules.
