Malware - Hackers Clone CERT-UA Site to Install RAT

Basically, hackers created a fake government website to trick people into downloading dangerous software.
Hackers have cloned Ukraine's CERT-UA site to distribute a dangerous RAT. Government and medical staff were targeted, raising serious security concerns. Quick action by CERT-UA helped contain the threat.
What Happened
A threat actor cloned the website of Ukraine's national cybersecurity authority, CERT-UA, to trick targets into downloading a remote access trojan (RAT) known as AGEWHEEZE. CERT-UA tracks the activity as UAC-0255. The campaign combined phishing emails with the counterfeit website, which served as the malware delivery point.
The attack unfolded on March 26 and 27, 2026, when various organizations received emails appearing to come from CERT-UA. The messages urged recipients to download a password-protected archive named "CERT_UA_protection_tool.zip" or "protection_tool.zip", claiming it contained an essential security tool. Password-protecting the archive is a common evasion step: mail gateways and antivirus scanners cannot inspect the executable inside an encrypted ZIP, so the file passes through to the recipient unexamined.
Who's Affected
The phishing campaign targeted a wide array of sectors, including:
- Government agencies
- Medical centers
- Security firms
- Educational institutions
- Financial organizations
- Software development companies
Despite the extensive reach, CERT-UA confirmed that the attack did not spread widely. Only a few personal devices belonging to staff at educational institutions were found to be infected.
What Data Was Exposed
The malicious executable hidden inside the archive was AGEWHEEZE, a fully functional RAT written in Go. Once running, it could capture screenshots, inject keyboard and mouse input, upload, download and manage files, and start or stop system services, giving the operator hands-on control of the machine and access to anything the logged-in user could reach.
How AGEWHEEZE Installs Itself and Stays Hidden
Upon execution, AGEWHEEZE copies itself into the user's profile, using paths such as %APPDATA%\SysSvc\SysSvc.exe. That location is writable without administrator rights, which is consistent with the infections being found on personal devices. It establishes persistence through registry autostart entries and scheduled tasks, so it survives logoff and reboot. The malware then connects to its command-and-control (C2) server over WebSockets, a persistent bidirectional channel that looks like ordinary web traffic at the perimeter and lets the operator issue commands in real time.
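The following hunt script is an added example written for this article; it is not CERT-UA's code. It checks a single Windows host for the footholds described above: the dropped binary, registry autostart entries, scheduled tasks, a running process and its live TCP connections. The article names %APPDATA%\SysSvc\SysSvc.exe as one install path but does not publish the exact registry value names, task names or C2 address, so the script matches on the "SysSvc" executable name rather than on any specific indicator. Run it from an elevated PowerShell session so that other users' profiles and registry hives are readable.

```powershell
# Added example (not from the advisory): hunt one Windows host for AGEWHEEZE footholds.
# Assumption: the RAT keeps the SysSvc\SysSvc.exe naming described in the report.
$Findings = [System.Collections.Generic.List[string]]::new()
$Marker   = 'SysSvc'

# 1. Dropped binary under the roaming AppData tree of every local user profile
$usersRoot = Join-Path $env:SystemDrive 'Users'
Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $candidate = Join-Path $_.FullName 'AppData\Roaming\SysSvc\SysSvc.exe'
    if (Test-Path -LiteralPath $candidate) {
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $Findings.Add("file: $candidate sha256=$hash")
    }
}

# 2. Run / RunOnce autostart values (machine-wide and every loaded user hive)
#    whose command line references the binary
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Marker } |
        ForEach-Object { $Findings.Add("registry: $key\$($_.Name) = $($_.Value)") }
}

# 3. Scheduled tasks whose action launches the binary
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match $Marker) {
            $Findings.Add("task: $($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)")
        }
    }
}

# 4. A live SysSvc.exe process and its established TCP connections. The WebSocket
#    C2 channel rides on TCP, so it appears as an outbound connection owned by the
#    process; the remote address is whatever the sample is configured with.
Get-Process -Name $Marker -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $Findings.Add("process: pid=$($proc.Id) path=$($proc.Path)")
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("net: pid=$($proc.Id) -> $($_.RemoteAddress):$($_.RemotePort)") }
}

if ($Findings.Count -eq 0) { 'No AGEWHEEZE indicators found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A hit on the file check alone is not proof of compromise (any software could use that folder name), but a file in that path together with an autostart entry and an established outbound connection from the same process is the pattern described above and warrants isolating the host and collecting the binary's hash for CERT-UA.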
Tactics & Techniques
The attackers registered the domain cert-ua[.]tech and built a fake website mimicking the official CERT-UA site (whose real address is cert.gov.ua). The fraudulent site carried download links and installation instructions for the "protection tool". Investigators found a hidden message in the site's HTML pointing to the group's identity, and the site was taken down after only a brief period online.
Defensive Measures
Organizations are urged to deploy application control, such as Software Restriction Policies (SRP) or AppLocker, so that executables cannot run from user-writable locations like %APPDATA%; a rule of that kind would have blocked SysSvc.exe at launch regardless of whether the user fell for the email. Reducing the attack surface at the network perimeter and on individual devices is equally important. Employees should treat unexpected emails with suspicion, especially those claiming to come from trusted authorities, and should download security tooling only from the authority's official domain rather than from a link in a message.
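As an added example that is not part of the advisory, the PowerShell below builds an AppLocker executable policy that allows binaries only from the Windows and Program Files folders and explicitly denies anything launched from a user profile's AppData tree, which is exactly where AGEWHEEZE installs itself. The rule names and GUIDs are arbitrary choices made here. The script then dry-runs the policy with Test-AppLockerPolicy against a harmless copy of notepad.exe placed at the RAT's install path, so you can confirm the deny decision before enforcing anything; do this on a test VM, because creating a file at that path may itself trip EDR alerts or the hunt script above. Run from an elevated session.

```powershell
# Added example (not from the advisory): block execution from %APPDATA% with AppLocker.
# Rule Ids/names are arbitrary; the deny path covers Roaming, Local and LocalLow for every user.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Allow administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Deny user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a benign stand-in for the RAT at its documented install path, plus a
# legitimate binary as a control. Expected: the AppData copy is Denied, notepad Allowed.
$probeDir  = Join-Path $env:APPDATA 'SysSvc'
$probeFile = Join-Path $probeDir 'SysSvc.exe'
New-Item -ItemType Directory -Path $probeDir -Force | Out-Null
Copy-Item -LiteralPath "$env:WINDIR\System32\notepad.exe" -Destination $probeFile -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probeFile, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -LiteralPath $probeDir -Recurse -Force

# Merge into the local policy in audit mode. AppLocker only acts while the
# Application Identity service (AppIDSvc) is running; watch the
# 'Microsoft-Windows-AppLocker/EXE and DLL' log for event 8003 (would have been
# blocked) before changing EnforcementMode to "Enabled".
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'effective-applocker.xml')
```

Deny rules win over allow rules in AppLocker, so the AppData deny also applies to administrators; if a legitimate tool (some updaters and per-user installers) must run from AppData, add a publisher or hash exception for that specific binary rather than relaxing the path rule. SRP offers the same path-based deny for editions without AppLocker support.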
Conclusion
This incident underscores the need for heightened vigilance against phishing attacks and the importance of verifying the authenticity of software downloads, particularly from government or cybersecurity organizations.