Threat Actor UAC‑0255 Impersonates CERT‑UA to Distribute AGEWHEEZE RAT via Phishing Campaign
What Happened – A threat group identified as UAC‑0255 spoofed the Ukrainian national CERT (CERT‑UA) in a massive phishing drive that reached roughly 1 million recipients. The emails contained a password‑protected archive hosted on Files.fm; the archive installed a fake “security tool” that was actually the AGEWHEEZE remote‑access trojan.
Why It Matters for TPRM –
- Phishing attacks that masquerade as trusted government entities can bypass standard vendor vetting processes.
- The RAT provides full system control, enabling data exfiltration, credential theft, and lateral movement across third‑party environments.
- The use of AI‑generated spoof sites and public file‑sharing services lowers the barrier for similar supply‑chain attacks against vendors.
Who Is Affected – Government agencies, medical centers, security firms, universities, banks, and software development companies in the EU/EEU region.
Recommended Actions –
- Verify that all third‑party email gateways enforce DMARC, DKIM, and SPF for government domains.
- Instruct vendors to block downloads from public file‑sharing services unless explicitly approved.
- Conduct phishing‑simulation training focused on spoofed CERT communications.
Technical Notes – The campaign leveraged a phishing email with a password‑protected ZIP (password shared in the body) delivered via Files.fm. The payload, AGEWHEEZE, is a multi‑function RAT capable of command execution, file manipulation, screen capture, clipboard harvesting, and persistence via registry or scheduled tasks. C2 traffic uses WebSockets and the command server was hosted on OVH infrastructure. Source: Security Affairs
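As an added illustration (not from the original brief or its cited source), the following triage check applies the indicators described above to a constructed sample message: a display name claiming CERT‑UA from an unrelated sender domain, failing SPF/DKIM/DMARC results, a link to a public file‑sharing host, and an archive password in the body. The protected‑domain set, the host list and the sample headers are assumptions chosen for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: domains a genuine CERT-UA message would come from,
# and public file-sharing hosts that vendors are told to block unless approved.
PROTECTED_DOMAINS = {"cert.gov.ua"}
FILE_SHARING_HOSTS = ("files.fm",)

# Constructed sample email reproducing the pattern in the brief (not a real capture).
SAMPLE_EMAIL = """From: CERT-UA <alerts@example-lookalike.com>
To: vendor-security@example.org
Subject: Urgent: install the security tool
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example-lookalike.com; dkim=none; dmarc=fail header.from=example-lookalike.com
Content-Type: text/plain

Dear colleague, download the security tool from https://files.fm/u/EXAMPLE
Archive password: 1234
"""

def _body_text(msg) -> str:
    """Return the plain-text body, joining text/plain parts of multipart messages."""
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()

def analyse_email(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Brand impersonation: display name says CERT-UA, domain is not a protected one.
    if "cert-ua" in name.lower().replace("\u2011", "-") and domain not in PROTECTED_DOMAINS:
        findings.append(f"display name claims CERT-UA but sender domain is {domain}")
    # 2. Gateway authentication results (SPF/DKIM/DMARC) that are anything but pass.
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()}")
    # 3. Links to public file-sharing services used to host the archive.
    body = _body_text(msg)
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            findings.append(f"link to public file-sharing host {host}")
    # 4. Archive password shared in the body, which defeats gateway archive scanning.
    if re.search(r"\bpassword\b\s*[:=]?\s*\S+", body, re.I):
        findings.append("archive password supplied in message body")
    return findings
```

Running `analyse_email(SAMPLE_EMAIL)` on the constructed sample yields six findings; a message with none of these traits returns an empty list, so the function can gate a quarantine or analyst review rule.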