CERT-UA

CERT-UA Vendor Cyber Rating & Cyber Score

cert.gov.ua

CERT-UA - governmental Computer Emergencies Response Team of Ukraine operates within the State Service for Special Communications and Information Protection of Ukraine. Since 2009 it has been an accredited member of the global Forum of Incident Response and Security Teams (https://lnkd.in/eDZKZiyH). Let us know about a cyber incident that affects the Ukrainian network segment: https://lnkd.in/ePXthb9X.


CERT-UA A.I CyberSecurity Scoring

CERT-UA
Company Information
Website: https://cert.gov.ua
Employees number: 23
Number of followers: 1,836
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: cert.gov.ua
CERT-UA Risk Score (AI oriented)
Between 650 and 699
Updated: 01/04/2026
669/1000
Weak
B
Powered by our proprietary A.I cyber incident model

CERT-UA
Current Score: 669, B (WEAK)
4 incidents
-21 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
674 Before Incident
MAY 2026
672 Before Incident
APRIL 2026
669 Before Incident
MARCH 2026
689 Before Incident
Cyber Attack
26 Mar 2026, CERT-UA
CERT-UA: CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

Ukrainian CERT-UA Targeted in Phishing Campaign Distributing AGEWHEEZE Malware

668 After Incident
LOW (-21)
CER1775061546
The Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a sophisticated phishing campaign in which threat actors impersonated the agency to distribute the AGEWHEEZE remote administration trojan. The attacks, attributed to the group UAC-0255, occurred on March 26–27, 2026, targeting state organizations, medical centers, security firms, educational institutions, financial entities, and software developers.

Emails were sent from the spoofed address incidents@cert-ua[.]tech, urging recipients to download a password-protected ZIP file ("CERT_UA_protection_tool.zip") hosted on Files.fm. The archive contained malware disguised as legitimate security software, later identified as AGEWHEEZE, a Go-based remote access trojan (RAT).

AGEWHEEZE establishes communication with a command-and-control server (54.36.237[.]92) via WebSockets and supports extensive malicious functionality, including command execution, file manipulation, clipboard hijacking, input emulation, screenshot capture, and process management. It ensures persistence through scheduled tasks, Windows Registry modifications, or Startup directory entries.

CERT-UA reported the campaign had limited success, with only a few infections detected primarily on personal devices of educational institution employees. The agency provided remediation support to affected parties.

Investigations revealed the fraudulent domain cert-ua[.]tech was likely generated using AI tools, with its HTML source code containing a Russian-language comment: "С Любовью, КИБЕР СЕРП" ("With Love, CYBER SERP"). The threat actor, operating under the alias Cyber Serp, claims to be a Ukrainian "cyber-underground" collective with over 700 Telegram subscribers (channel created in November 2025). In Telegram posts, Cyber Serp asserted the phishing campaign targeted 1 million ukr[.]net mailboxes, claiming over 200,000 devices were compromised.

The group also took responsibility for a February 2026 breach of Ukrainian cybersecurity firm Cipher, alleging access to server dumps, client databases, and source code for its CIPS products. Cipher confirmed the incident but stated the compromised employee had access only to a non-sensitive project, with no impact on its infrastructure.
INCIDENT DETAILS
TYPE
Phishing Campaign
MOTIVATION
Cyber Espionage, Data Exfiltration
IMPACT
Data Compromised: Potential access to sensitive data (e.g., client databases, source code)
Systems Affected: Personal devices of employees (primarily educational institutions)
Operational Impact: Limited success; remediation support provided
Brand Reputation Impact: Potential reputational damage to CERT-UA and targeted entities
Identity Theft Risk: High (due to RAT capabilities)
DATA BREACH
Client databases
Source code
Potentially sensitive project data
Sensitivity Of Data: High (PII, proprietary code)
Data Exfiltration: Alleged (claimed by threat actor)
Personally Identifiable Information: Potential (due to RAT capabilities)
FEBRUARY 2026
688 Before Incident
JANUARY 2026
687 Before Incident
DECEMBER 2025
686 Before Incident
NOVEMBER 2025
684 Before Incident
OCTOBER 2025
683 Before Incident
SEPTEMBER 2025
681 Before Incident
AUGUST 2025
680 Before Incident
JULY 2025
678 Before Incident
MARCH 2025
736 Before Incident
Breach
01 Mar 2025, CERT-UA
CERT-UA

WRECKSTEEL Malware Attacks on Ukrainian Government Agencies and Critical Infrastructure

670 After Incident
CRITICAL (-66)
CER000040525
In March 2025, CERT-UA, Ukraine's state computer emergency response team, detected three targeted cyberattacks utilizing WRECKSTEEL malware to exfiltrate sensitive data from government agencies and critical infrastructure. The attacks involved sending spear-phishing emails with malicious links to install VBScript and PowerShell-based versions of the WRECKSTEEL stealer, which searched for and extracted a variety of sensitive file types and took screenshots for reconnaissance and further exploitation. The lack of persistence mechanisms in these tools necessitates immediate reporting of cyber intrusion signs to CERT-UA to initiate protective actions. These incidents underscore the persistent threat landscape facing Ukrainian digital infrastructure in a geopolitically tense environment.
INCIDENT DETAILS
TYPE
Cyber Espionage
MOTIVATION
Data Exfiltration
IMPACT
Data Compromised: Variety of sensitive file types
Systems Affected: Government agencies and critical infrastructure
DATA BREACH
Type Of Data Compromised: Sensitive file types and screenshots
Sensitivity Of Data: High
Data Exfiltration: Yes
File Types Exposed: Variety of sensitive file types
JULY 2024
749 Before Incident
Cyber Attack
01 Jul 2024, CERT-UA
Ukrainian Government’s Computer Emergency Response Team (CERT-UA)

GhostWriter APT Group Targets Ukrainian Government with PicassoLoader Malware

732 After Incident
CRITICAL (-17)
CER006080624
The Belarus-linked APT group GhostWriter targeted Ukrainian governmental organizations with PicassoLoader malware, distributing documents with malicious macros. These documents, which pertained to taxation and financial-economic metrics, were aimed at project office specialists and local government employees. This strategy suggests an intention for cyber espionage against the Ukrainian government. Mandiant has linked GhostWriter, which is known for disinformation and news website CMS compromises, to Belarus. The campaign impacted Ukraine's internal governance and could potentially affect Eastern European regional stability.
INCIDENT DETAILS
TYPE
Cyber Espionage
MOTIVATION
Cyber Espionage
IMPACT
Internal Governance
Regional Stability
JUNE 2016
749 Before Incident
Vulnerability
16 Jun 2016, CERT-UA
Microsoft: Microsoft Office Zero-day Vulnerability Actively Exploited in Attacks

Microsoft Patches Actively Exploited Zero-Day in Office (CVE-2026-21509)

748 After Incident
CRITICAL (-1)
MIC1769489765
On January 26, 2026, Microsoft released emergency out-of-band security updates to address CVE-2026-21509, a zero-day vulnerability in Microsoft Office that attackers are actively exploiting. The flaw, rated "Important" with a CVSS score of 7.8, allows threat actors to bypass OLE mitigations by leveraging untrusted inputs in security decisions.

The vulnerability enables local attackers to circumvent Office protections after tricking users into opening malicious files, typically via phishing or social engineering. Exploitation requires low complexity, no privileges, and user interaction, but results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The Microsoft Threat Intelligence Center (MSTIC) confirmed active exploitation, marking it as the second zero-day patched this month following January’s Patch Tuesday updates.

### Affected Products & Mitigation

The flaw impacts legacy and current Office editions, including:

- Office 2016 (32/64-bit) – KB5002713 (Build 16.0.5539.1001)
- Office LTSC 2024/2021 – Automatic service-side protection post-restart
- Microsoft 365 Apps (Enterprise) – Automatic updates
- Office 2019 – Build 16.0.10417.20095

Office 2016/2019 users must apply updates or manually adjust the registry by adding a DWORD "Compatibility Flags" (value 400) under:

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`

(Paths may vary for Click-to-Run deployments; registry backups are recommended.)

### Threat Landscape & Recommendations

While no public proof-of-concept (PoC) or attributed threat actors have been disclosed, organizations are advised to prioritize patching, enable auto-updates, and monitor for phishing indicators of compromise (IOCs), particularly suspicious Office attachments.

Attackers frequently exploit such vulnerabilities for ransomware or APT initial access, making EDR monitoring for COM/OLE anomalies critical. The CISA Known Exploited Vulnerabilities (KEV) catalog may list this flaw in the near future.
INCIDENT DETAILS
TYPE
Zero-Day Vulnerability
IMPACT
Systems Affected: Microsoft Office (legacy and current editions)
Operational Impact: High impact on confidentiality, integrity, and availability (C:H/I:H/A:H)

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for CERT-UA?
What was CERT-UA's A.I Rankiteo Cyber Score in May 2026?
What was CERT-UA's A.I Rankiteo Cyber Score in April 2026?
What was CERT-UA's A.I Rankiteo Cyber Score in March 2026?
What was CERT-UA's A.I Rankiteo Cyber Score in February 2026?
What was CERT-UA's A.I Rankiteo Cyber Score in January 2026?
What was CERT-UA's A.I Rankiteo Cyber Score in December 2025?
What was CERT-UA's A.I Rankiteo Cyber Score in November 2025?
What was CERT-UA's A.I Rankiteo Cyber Score in October 2025?
What was CERT-UA's A.I Rankiteo Cyber Score in September 2025?
What was CERT-UA's A.I Rankiteo Cyber Score in August 2025?
What was CERT-UA's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on CERT-UA's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with CERT-UA?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view CERT-UA's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?