The Computer Emergency Response Team of Ukraine (CERT-UA) recently identified a phishing operation in which attackers impersonated the agency to trick organizations into installing a malicious remote administration tool. Using deceptive emails styled as official security alerts, the threat actors distributed a password-protected archive containing a sophisticated trojan known as AGEWHEEZE.
In late March 2026, a hacking group identified as UAC-0255 launched a series of fraudulent emails targeting a diverse range of sectors, including government offices, healthcare facilities, and financial institutions. These messages were crafted to look like legitimate communications from the cybersecurity agency and frequently utilized a deceptive email address to enhance their credibility. Recipients were encouraged to download and install what was described as specialized protection software hosted on a public file-sharing platform.
The core of this attack relied on a ZIP archive titled as a protection tool, which actually contained the malware payload. Once a user attempted to install the supposed security update, the system would instead be infected with a remote access trojan. This particular campaign cast a wide net, reaching out to educational centers, security firms, and software developers in an attempt to gain unauthorized access to various critical networks.
The AGEWHEEZE malware is written in the Go programming language and establishes a persistent connection to an external command-and-control server. Because it communicates over WebSockets, the software can receive and execute a broad spectrum of instructions from the attackers. This capability allows the threat actors to monitor infected systems in real time and maintain control over the compromised environment without immediate detection.
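A persistent WebSocket channel to an outside host is something an egress proxy can record, so it is one place a defender can look for this kind of C2 traffic. The following detector is an added example, not code from CERT-UA or from the report; the log format, hostnames, allowlist and thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag persistent WebSocket channels in a constructed proxy log.

Added example, not code from CERT-UA or the report: AGEWHEEZE keeps a
long-lived WebSocket connection to its C2 server, so HTTP Upgrade records
in an egress proxy log are one place a defender can look. The log format,
hostnames, allowlist and thresholds below are all assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log: one session per line, space-separated key=value pairs.
SAMPLE_LOG = """\
ts=2026-03-30T09:12:01Z src=10.20.1.15 host=teams.microsoft.com upgrade=websocket duration=5400
ts=2026-03-30T09:15:44Z src=10.20.1.15 host=updates.example.com upgrade=- duration=3
ts=2026-03-30T09:20:10Z src=10.20.1.42 host=cdn-sync.example.invalid upgrade=websocket duration=86400
ts=2026-03-30T09:21:00Z src=10.20.1.42 host=cdn-sync.example.invalid upgrade=websocket duration=45
ts=2026-03-30T10:02:33Z src=10.20.1.77 host=slack.com upgrade=websocket duration=7200
"""

# Assumed: collaboration tools that legitimately hold WebSockets open all day.
WEBSOCKET_ALLOWLIST: Set[str] = {"teams.microsoft.com", "slack.com"}
LONG_SESSION_SECONDS = 3600   # assumed threshold for a "persistent" channel
RECONNECT_THRESHOLD = 2       # assumed: repeated sessions suggest auto-reconnect


@dataclass(frozen=True)
class Finding:
    src: str
    host: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict (assumed log format)."""
    return dict(field.split("=", 1) for field in line.split())


def find_suspicious_websockets(log_text: str,
                               allowlist: Set[str] = WEBSOCKET_ALLOWLIST,
                               long_session: int = LONG_SESSION_SECONDS,
                               reconnects: int = RECONNECT_THRESHOLD) -> List[Finding]:
    """Return findings for WebSocket sessions to hosts outside the allowlist
    that are either long-lived or re-established repeatedly by the same client."""
    findings: List[Finding] = []
    sessions_per_pair: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("upgrade") != "websocket" or rec["host"] in allowlist:
            continue
        pair = (rec["src"], rec["host"])
        sessions_per_pair[pair] += 1
        if int(rec["duration"]) >= long_session:
            findings.append(Finding(*pair, reason="long-lived websocket to non-allowlisted host"))
    # A client that keeps re-opening the same channel looks like an implant
    # re-engaging its C2 after a disconnect or reboot.
    for (src, host), n in sessions_per_pair.items():
        if n >= reconnects:
            findings.append(Finding(src, host, reason=f"{n} websocket sessions to same host (reconnect pattern)"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_websockets(SAMPLE_LOG):
        print(f"{f.src} -> {f.host}: {f.reason}")
```

On the constructed log only the 10.20.1.42 client trips both signals; the allowlisted collaboration hosts are skipped even though their sessions are equally long, which is why an allowlist maintained from the organisation's own baseline matters more than the threshold values.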
Functionally, the trojan provides the attackers with comprehensive control over the victim’s computer, including the ability to manage files, capture screenshots, and manipulate the system clipboard. It can even emulate physical hardware interactions like mouse movements and keyboard entries, making it a highly versatile tool for espionage or further data theft. The malware is also programmed to manage active processes and services, ensuring that the attackers can suppress security software if necessary.
To ensure long-term access, the malware employs several techniques to remain on the system after it is restarted. It achieves this persistence by creating scheduled tasks, modifying the Windows Registry, or placing its executable within the system’s startup directory. These methods allow the trojan to automatically re-engage its connection to the attackers, posing a continuous threat to the integrity of the targeted organizations.
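The three persistence locations named above (Registry run keys, the Startup folder and scheduled tasks) each leave a distinct endpoint telemetry trace. The triage script below is an added example, not code from CERT-UA: the events are constructed, the field names follow Sysmon's conventions (EventID 1 process create, 11 file create, 13 registry value set), and the paths, task name and binary name are invented placeholders.

```python
"""Triage Sysmon-style endpoint events for the three persistence mechanisms
in the report: Registry run keys, the Startup folder and scheduled tasks.

Added example, not code from CERT-UA. The events are constructed; the field
names follow Sysmon's (EventID 1 process create, 11 file create, 13 registry
value set), and the paths, task name and binary name are invented placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
# Assumed: directories a dropped payload typically lives in when it persists itself.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

PAYLOAD = r"C:\Users\olena\AppData\Local\Temp\protect_tool.exe"  # constructed placeholder

SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ProtectSvc",
     "Details": PAYLOAD},
    {"EventID": 11, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\protect.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PAYLOAD,
     "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN "ProtectSvc" /TR "' + PAYLOAD + '"'},
    # Benign noise: a service writing an unrelated registry value.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastScanTime",
     "Details": "20260330"},
]


def classify(event: Dict) -> Optional[str]:
    """Name the persistence technique an event represents, or None."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "registry_run_key"
    if eid == 11 and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        return "startup_folder"
    if eid == 1 and SCHTASKS_CREATE_RE.search(event.get("CommandLine", "")):
        return "scheduled_task"
    return None


def responsible_image(event: Dict, technique: str) -> str:
    """For schtasks the interesting process is the parent that spawned it."""
    if technique == "scheduled_task":
        return event.get("ParentImage", event.get("Image", ""))
    return event.get("Image", "")


def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Group the images that established persistence by technique."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        technique = classify(ev)
        if technique:
            hits[technique].append(responsible_image(ev, technique))
    return dict(hits)


def images_worth_escalating(events: List[Dict]) -> List[str]:
    """Images that persisted via more than one technique or run from a
    user-writable directory: the combination is a strong triage signal."""
    counts: Dict[str, int] = defaultdict(int)
    for imgs in triage(events).values():
        for img in set(imgs):
            counts[img] += 1
    return sorted(img for img, n in counts.items()
                  if n > 1 or USER_WRITABLE_RE.search(img))


if __name__ == "__main__":
    for technique, imgs in triage(SAMPLE_EVENTS).items():
        print(f"{technique}: {', '.join(imgs)}")
    print("escalate:", images_worth_escalating(SAMPLE_EVENTS))
```

The scheduled-task case attributes the finding to the parent process rather than to schtasks.exe itself, since the parent is the binary that should be pulled for analysis; the same parent-attribution logic is what you would want in a SIEM rule so that benign administrative use of schtasks.exe does not drown out the alert.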
Source: https://cert.gov.ua/article/6288047