Pro-Russian Hackers Target Ukraine via Phishing Campaign

Basically, hackers pretended to be Ukraine's cybersecurity team to trick people into downloading malware.
Pro-Russian hackers impersonated Ukraine's cyber agency in a phishing campaign targeting various sectors. This poses serious risks to government and businesses alike. Cybersecurity officials are investigating the incident.
The Threat
A pro-Russian hacker group, known as UAC-0255, has launched a phishing campaign targeting various sectors in Ukraine. This campaign involved impersonating Ukraine’s national cyber incident response team, CERT-UA. The attackers sent emails claiming to warn recipients about an impending cyberattack from Russia. These messages urged recipients to download a password-protected archive containing malicious software disguised as security tools.
The emails warned that ignoring the message could lead to "serious consequences," which is a common tactic used in phishing schemes to instill fear. By leveraging the credibility of a trusted agency, the hackers aimed to trick recipients into installing malware on their systems.
Who's Behind It
The group behind this operation is linked to CyberSerp, a relatively new threat actor that emerged in late 2025. They describe themselves as a "cyber-partisan movement" and claim Ukrainian origins. Their Telegram channel has been used to recruit collaborators and boast about their malicious activities. CyberSerp has previously claimed responsibility for other attacks, including a breach of the cybersecurity firm Cipher, highlighting their growing presence in the cyber threat landscape.
The attackers have also claimed to have sent malicious emails to about one million users of the Ukr.net email service, although CERT-UA has not confirmed these figures. The group's audacity is evident: they thanked CERT-UA for inadvertently promoting their Telegram channel through the agency's investigation.
Tactics & Techniques
The phishing emails contained a remote administration tool called AgeWheeze, which allows attackers to gain control over infected computers. This tool can execute commands, manage files, and even stream screen content. Such capabilities make it a powerful weapon in the hands of cybercriminals.
CERT-UA reported that the campaign was largely unsuccessful, resulting in only a few infections, primarily on personal devices belonging to employees of educational institutions. However, the fact that the campaign targeted a wide range of organizations, including government institutions and financial companies, underscores the potential risk.
Defensive Measures
To protect against such phishing attempts, organizations should implement robust email filtering solutions and conduct regular cybersecurity training for employees. Awareness of the tactics used by threat actors is crucial. Users should be cautious about unsolicited emails, especially those that prompt downloads or ask for sensitive information.
Additionally, organizations should ensure that security patches are up to date and consider employing multi-factor authentication to add an extra layer of security. By staying vigilant and informed, organizations can better defend against these evolving threats.
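One way to turn the lure described above into an email-filter triage rule, as an added example that is not code from CERT-UA or from the original article: it flags a message that claims to be CERT-UA from an untrusted domain, uses the quoted pressure wording, or carries a password-protected ZIP. The brand markers, the trusted domain, the idea that the archive arrives as an attachment, and the sample message built by `build_sample` are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
# Assumptions (not from the article): brand markers, trusted domain, ZIP as attachment.
BRAND_MARKERS = ("cert-ua", "cert ua")
TRUSTED_DOMAINS = {"cert.gov.ua"}
PRESSURE_PHRASES = ("serious consequences",)  # wording quoted in the article

def has_encrypted_zip(msg):
    """True if any attachment is a ZIP with an encrypted member (flag bit 0)."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return True
        except zipfile.BadZipFile:
            continue  # not a ZIP; other archive formats are out of scope here
    return False

def triage(raw):
    """Return the reasons a raw RFC 5322 message resembles the described lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    reasons = []
    if any(m in f"{name} {text}".lower() for m in BRAND_MARKERS) and domain not in TRUSTED_DOMAINS:
        reasons.append(f"claims CERT-UA but sender domain is {domain or 'missing'}")
    if any(p in text for p in PRESSURE_PHRASES):
        reasons.append("pressure wording")
    if has_encrypted_zip(msg):
        reasons.append("password-protected ZIP attachment")
    return reasons

def build_sample(sender, encrypted):
    """Constructed sample message; sender, subject and body are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.txt", "placeholder")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x01\x02") + 8] |= int(encrypted)  # encryption flag, central directory
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "Urgent security update"
    m.set_content("Install the attached tool or face serious consequences.")
    m.add_attachment(bytes(data), maintype="application", subtype="zip", filename="tool.zip")
    return m.as_bytes()
```

The From header is trivially spoofed, so these heuristics belong alongside the SPF, DKIM and DMARC verdicts the mail gateway already records, not in place of them.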