Fake CERT-UA emails used to deploy Ageweeze RAT

Ukraine’s national cyber incident response team CERT-UA has warned of a wave of malicious emails impersonating the agency and urging recipients to download a “protected” archive and install so-called security software.

The emails, distributed to a wide range of organizations, including government bodies, medical centers, security firms, educational institutions, financial companies, and software developers, contained links to password-protected files hosted on the Files.fm service. The archives, labeled “CERT_UA_protection_tool.zip” and “protection_tool.zip,” were in fact designed to deliver malware.

CERT-UA has also identified a fake website (cert-ua[.]tech), which copied content from the official CERT-UA site and provided instructions for installing the fake “protection tool.” The executable inside the archive was a remote access trojan (RAT) known as Ageweeze. The RAT is capable of full system control, including file management, screen capture, and input emulation.

The malware’s command-and-control server was hosted on infrastructure belonging to the French provider OVH. Analysis of the server revealed an AI-generated web interface titled “The Cult,” containing Russian-language messages, and a self-signed SSL certificate linked to “TVisor.” A group calling itself “Cyber Serp” has claimed responsibility for the attack on its Telegram channel.

CERT-UA is tracking the activity as UAC-0255. According to officials, the attack had limited impact, with only a small number of personal devices belonging to employees in educational institutions affected.