The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed a sophisticated phishing campaign where threat actors impersonated the cybersecurity agency itself to distribute AGEWHEEZE, a remote administration tool. The campaign, attributed to threat group UAC-0255, targeted recipients with fraudulent emails appearing to originate from CERT-UA.
The malicious emails were sent on two days, March 26 and 27, 2026, and reached roughly 1 million addresses, a volume that indicates mass mailing infrastructure rather than a narrowly targeted operation.
The emails impersonated official CERT-UA communications and carried password-protected ZIP archives as attachments. This is a common evasion technique: a mail gateway or sandbox cannot unpack an encrypted archive it lacks the password for, so the payload passes the attachment scan unexamined, while the recipient is given the password, typically in the message body, and opens the archive by hand.
CERT-UA has not yet published specific mitigation guidance for this campaign. Because AGEWHEEZE is a remote administration tool delivered by persuading the recipient to open an attachment rather than by exploiting a software flaw, there is no patch to apply; the defence is procedural. The agency's public disclosure serves as a warning to Ukrainian organizations and individuals to verify the authenticity of emails claiming to be from CERT-UA before opening attachments or following instructions.
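As an added example, not code from CERT-UA or from the original article, the script below shows a gateway-side triage that covers both of the points above: it flags a ZIP attachment whose entries carry the encryption bit (the password-protected archive) and flags a From header whose display name says CERT-UA while the address domain is not the agency's. The trusted domain cert.gov.ua, the sample message, the placeholder sender domain and the archive contents are all assumptions constructed for the example; the campaign's real headers and lure text are not given on the page, and display-name spoofing is only one way such impersonation can be done.

```python
"""Gateway-side triage for the lure pattern above: a password-protected ZIP
attached to a message whose display name invokes CERT-UA.  Example code
written for this page, not CERT-UA tooling; the message and archive are
constructed below."""
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption for this example: the domain CERT-UA legitimately sends from.
TRUSTED_SENDER_DOMAINS = {"cert.gov.ua"}

ZIP_FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0 = entry is encrypted
ZIP_METHOD_AES = 99           # WinZip AE-x stores AES entries as method 99
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"


def encrypted_entries(blob: bytes) -> list:
    """Names of ZIP entries marked encrypted.  The central directory is read
    first; local file headers are then scanned directly so an archive with a
    damaged or stripped central directory is still flagged."""
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for zi in zf.infolist():
                if zi.flag_bits & ZIP_FLAG_ENCRYPTED or zi.compress_type == ZIP_METHOD_AES:
                    names.append(zi.filename)
    except zipfile.BadZipFile:
        pass
    pos = blob.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(blob):          # local header is 30 bytes fixed
        flags, method = struct.unpack_from("<HH", blob, pos + 6)
        name_len = struct.unpack_from("<H", blob, pos + 26)[0]
        name = blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        if (flags & ZIP_FLAG_ENCRYPTED or method == ZIP_METHOD_AES) and name not in names:
            names.append(name)
        pos = blob.find(LOCAL_HEADER_SIG, pos + 4)
    return names


def sender_mismatch(from_header: str) -> bool:
    """True when the display name claims CERT-UA but the address domain is
    not trusted: the client shows 'CERT-UA', the address points elsewhere."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return "cert-ua" in name.lower() and domain not in TRUSTED_SENDER_DOMAINS


def triage(raw_message: bytes) -> dict:
    """Verdict for one RFC 5322 message: encrypted ZIP attachments, spoofed
    sender, and whether to quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = {"spoofed_sender": sender_mismatch(msg.get("From", "")),
                "encrypted_attachments": {}}
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        entries = encrypted_entries(blob)
        if entries:
            findings["encrypted_attachments"][part.get_filename()] = entries
    findings["quarantine"] = findings["spoofed_sender"] or bool(findings["encrypted_attachments"])
    return findings


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test archive.  zipfile cannot write encrypted entries, so
    the encryption bit is patched into both headers by hand; a scanner sees
    the same flag a real password-protected archive carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    z = bytearray(buf.getvalue())
    if encrypted:
        z[6] |= ZIP_FLAG_ENCRYPTED                               # local file header flags
        z[z.find(CENTRAL_HEADER_SIG) + 8] |= ZIP_FLAG_ENCRYPTED  # central directory flags
    return bytes(z)


def build_sample_eml() -> bytes:
    """Constructed lure (assumed shape, not the campaign's real message):
    display name 'CERT-UA', placeholder sender domain, password in the body."""
    msg = EmailMessage()
    msg["From"] = '"CERT-UA" <alerts@example.net>'
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Security notification"
    msg.set_content("Open the attached notice. Archive password: 1234")
    msg.add_attachment(build_zip("notice.docx.exe", b"placeholder, not a payload", True),
                       maintype="application", subtype="zip",
                       filename="CERT-UA_notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

The sample sets only the encryption flag rather than applying real ZipCrypto or AES, which is enough for a scanner that decides on headers; a gateway that wants to go further would pull the password out of the body text and scan the unpacked contents. The domain allowlist is the assumption that matters in practice: keep it to the domains the agency actually sends from and treat any other source using the CERT-UA name as suspect.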
This campaign represents a concerning trend of threat actors impersonating trusted cybersecurity organizations to enhance the credibility of their attacks. The use of CERT-UA's reputation demonstrates the attackers' understanding of the Ukrainian threat landscape and their attempt to exploit trust relationships within the cybersecurity community.