Pro-Russian hackers pose as Ukraine’s cyber agency to target government, businesses
Summary
A pro-Russian hacking group impersonated Ukraine’s national computer emergency response team (CERT-UA) in a phishing campaign that targeted government bodies, businesses and other institutions. The attackers, tracked as UAC-0255 and linked by observers to the group CyberSerp, sent emails warning of a supposed “large-scale cyberattack” and urged recipients to download a password-protected archive from Files.fm containing purported security software.
The archive actually delivered a remote administration tool called AgeWheeze, which gives operators broad control over infected machines — command execution, file and process management, screen streaming and simulated input among its capabilities. CERT-UA reported the campaign had limited success, infecting only a small number of mainly personal devices at educational institutions, while CyberSerp later claimed much larger reach on Telegram (claims CERT-UA did not confirm).
Key Points
- Attackers impersonated CERT-UA in phishing emails to increase trust and urgency.
- The malicious payload was distributed as a password-protected archive hosted on Files.fm and contained the AgeWheeze RAT.
- AgeWheeze enables remote control functions: command execution, file/process management, screen streaming and input emulation.
- Targets spanned government, healthcare, finance, security firms, universities and developers.
- CERT-UA says infections were limited; CyberSerp later claimed far larger numbers but those figures remain unverified.
- Evidence in the fake site's source code and in CyberSerp's Telegram posts points to the group's involvement; CyberSerp is a relatively new actor that surfaced in November 2025.
Why should I read this?
Short version: clever impersonation + a RAT = trouble if your staff clicks. If you care about protecting government, healthcare or finance systems (and who doesn’t?), this shows attackers are still using social engineering to bypass tech defences. Read it to spot the tactics without wading through noise.
Context and Relevance
This incident matters because it combines trusted-brand impersonation (a national CSIRT) with off-the-shelf file hosting and a capable RAT — a recipe that can scale quickly if user awareness or controls are weak. Even though CERT-UA reports only limited infections this time, the campaign highlights ongoing trends: threat actors exploiting trust in official communications, use of password-protected archives to evade inspection, and the rapid emergence of new groups like CyberSerp claiming politically motivated operations.
For defenders: reinforce email authentication and filtering, block or closely inspect archive downloads from public file hosts, enforce application allowlisting, and run targeted user awareness for staff about unsolicited security alerts. Verify any urgent-seeming notices through independent channels (official CSIRT domains, verified phone numbers or out-of-band confirmation) before acting.
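As an added illustration (not code from the article, CERT-UA or The Record), the routine below triages a raw email for the three tactics the campaign combined: a sender that claims to be CERT-UA but is not sent from its domain, a download link on a public file host, and a password-protected archive that a mail gateway cannot open to scan. It assumes cert.gov.ua as the only legitimate CERT-UA sender domain and files.fm as the suspicious host; the sample message is constructed, with placeholder addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): accepted CERT-UA sender domain, suspicious public file hosts.
LEGIT_CERT_UA_DOMAINS = {"cert.gov.ua"}
PUBLIC_FILE_HOSTS = {"files.fm"}
ARCHIVE_WORDS = ("archive", ".zip", ".rar", ".7z")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

def _body_text(msg) -> str:
    """Join the text/plain parts of a single-part or multipart message."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage_email(raw: str) -> list[str]:
    """Return one finding per campaign tactic spotted in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Tactic 1: the mail presents itself as CERT-UA but is not sent from its domain.
    claims_cert_ua = "cert-ua" in f"{display} {msg.get('Subject', '')}".lower()
    if claims_cert_ua and domain not in LEGIT_CERT_UA_DOMAINS:
        findings.append(f"impersonation: claims CERT-UA, sent from '{domain or 'unknown'}'")
    body = _body_text(msg).lower()
    # Tactic 2: the payload is fetched from a public file host instead of being attached.
    for host in URL_RE.findall(body):
        if any(host == h or host.endswith("." + h) for h in PUBLIC_FILE_HOSTS):
            findings.append(f"public file host link: {host}")
    # Tactic 3: a password-protected archive, which mail gateways cannot open to scan.
    if "password" in body and any(w in body for w in ARCHIVE_WORDS):
        findings.append("password-protected archive referenced in body")
    return findings

# Constructed sample, not a real artefact from the campaign; addresses are placeholders.
PHISH = """\
From: CERT-UA <alerts@notify-example.test>
Subject: CERT-UA warning: large-scale cyberattack
Content-Type: text/plain; charset=utf-8

Download the protection tool and run it today:
https://files.fm/u/placeholder
Archive password: 1234
"""
```

Run `triage_email(PHISH)` to get three findings, one per tactic; a routine internal notice with no such traits returns an empty list, so the output can feed a mail-filter score or a SOC alert directly.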
Source
Source: https://therecord.media/pro-russian-hackers-posing-as-ukrainian-cyber-agency
