嗯,用户让我总结一下这篇文章的内容,控制在100个字以内,而且不需要用“文章内容总结”之类的开头。好的,我先仔细读一下文章。 文章讲的是一个威胁行为者UAC-0255伪装成CERT-UA,发送钓鱼邮件传播AGEWHEEZE恶意软件。他们假装是CERT-UA,给大约100万用户发邮件,诱导他们下载一个密码保护的压缩包,并安装所谓的“专用软件”,实际上是恶意软件。 AGEWHEEZE是一种远程控制工具,支持执行命令、文件管理、截图等功能,并通过注册表、启动项或计划任务确保持久性。攻击者还创建了一个仿冒的网站cert-ua.tech来传播这个恶意软件,并且假扮成CYBER SERP组织,声称对攻击负责。 这次攻击主要针对政府机构、医疗机构等,虽然影响有限,但显示了AI在攻击中的作用。CERT-UA帮助控制了这次事件,并建议组织减少攻击面和加强安全措施。 现在我要把这些信息浓缩到100字以内。首先确定主要点:伪装CERT-UA、钓鱼邮件、AGEWHEEZE恶意软件、远程控制功能、仿冒网站、影响有限。 然后组织语言,确保流畅且信息完整。比如:“威胁行为者UAC-0255伪装成CERT-UA发送钓鱼邮件,诱导用户下载并安装AGEWHEEZE恶意软件。该软件可实现远程控制,并通过仿冒网站传播。尽管感染数量有限,但凸显AI在网络安全中的威胁。” 检查一下字数是否在100字以内,并且没有使用不需要的开头语句。 </think> 威胁行为者UAC-0255伪装成CERT-UA发送钓鱼邮件,诱导用户下载并安装AGEWHEEZE恶意软件。该软件可实现远程控制,并通过仿冒网站传播。尽管感染数量有限,但凸显AI在网络安全中的威胁。 2026-4-2 14:2:18 Author: securityaffairs.com(查看原文) 阅读量:7 收藏
Threat actor UAC-0255 impersonate CERT-UA to spread AGEWHEEZE malware via phishing
Threat actors impersonated CERT-UA to send phishing emails with AGEWHEEZE malware, tricking victims into installing a fake “security tool.”
A threat actor, tracked as UAC-0255, impersonated CERT-UA in a phishing campaign, sending emails to about 1 million users. The messages urged victims to download a password-protected archive from Files.fm and install a fake “specialized software,” which actually deployed the AGEWHEEZE remote access tool, giving attackers control over infected systems.
“The National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA recorded cases of distribution of emails allegedly on behalf of CERT-UA on March 26-27, 2026, urging people to download a password-protected archive (“CERT_UA_protection_tool.zip”, “protection_tool.zip”) from the Files.fm service and install “specialized software”.” reads the advisory published by CERT-UA. “It was found that the executable file that was offered to be installed (internal package name: “/example.com/tvisor/agent”) is a multifunctional software tool for remote computer control, classified by CERT-UA as AGEWHEEZE.”
AGEWHEEZE supports command execution, file management, screen capture, input control, and process/service management. It ensures persistence via registry, startup, or scheduled tasks, installing itself in AppData paths. The malware communicates with its server via WebSockets and can also steal clipboard data, run commands, and control system actions.
The campaign targeted government organizations, medical centers, security companies, educational institutions, financial institutions, software development companies, and others.
The attackers created a fake website (cert-ua[.]tech) mimicking the real CERT-UA site to spread the fake “security tool” that is actually AGEWHEEZE malware. The tool allows remote control of infected systems. CERT-UA experts state that the command server is hosted on OVH infrastructure and includes a login page (“The Cult”) with Russian-language elements, suggesting the attackers’ origin or links.
The fake site cert-ua[.]tech includes links to a Telegram channel claiming responsibility for the attack, confirming attribution to UAC-0255.
The fake site was likely AI-generated and included references to “CYBER SERP,” a group active since late 2025, claiming responsibility. The group says it sent phishing emails to 1 million users and infected over 200,000 devices, though this is unverified.
The campaign had a limited impact, infecting only a few devices in educational institutions. CERT-UA experts helped contain it. The case shows how AI can make cyberattacks easier, and highlights the need to reduce attack surfaces and use security tools like AppLocker and system protections.
Authorities thanked Ukrainian telecom providers for supporting cyber defense efforts and sharing threat information. They also warned that AI is making attacks easier, urging organizations to reduce attack surfaces and strengthen security using system protections and dedicated tools.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
如有侵权请联系:admin#unsafe.sh