
Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks
Why It Matters
The attack demonstrates how threat actors can weaponize trusted government branding and AI tools to bypass security controls, raising the threat level for critical infrastructure worldwide.
Key Takeaways
- Fake CERT-UA site launched March 27, mimicking the official domain
- Phishing emails offered a password-protected ZIP named "protection_tool.zip"
- Malware is the AGEWHEEZE RAT, written in Go, giving full remote control
- C2 server hosted on French provider OVH, using WebSocket on port 8443
- Attack deemed unsuccessful; only a few personal devices infected
Pulse Analysis
Impersonation attacks have surged as cybercriminals exploit the inherent trust placed in government communications. In this case, the attackers leveraged AI to clone CERT‑UA’s web presence within a day, creating a convincing phishing portal that appeared on a .tech domain. By mimicking official language and branding, the campaign increased click‑through rates, illustrating how automated content generation can accelerate the planning and execution of sophisticated social‑engineering operations.
The payload, AGEWHEEZE, is a Go‑written remote‑access Trojan that provides attackers with granular control over infected Windows machines. Its capabilities include screen capture, keystroke injection, file system manipulation, and persistence through registry keys, startup folders, or scheduled tasks. Communication is routed over encrypted WebSocket connections to a server hosted on OVH, a popular European cloud provider, making network‑based detection more challenging. The use of a legitimate file‑sharing service (Files.fm) for distribution further obscured the malicious traffic, underscoring the need for deep packet inspection and threat‑intel feeds that flag atypical file hashes.
For organizations, especially those operating in high‑risk sectors like healthcare and public administration, the incident reinforces the importance of verifying the authenticity of security advisories and software updates. Deploying application whitelisting, enforcing Software Restriction Policies, and leveraging endpoint detection and response (EDR) tools can mitigate the risk of such spoofed deliveries. Moreover, continuous monitoring of DNS anomalies and C2 infrastructure tied to cloud providers can provide early warnings before a breach escalates. As AI lowers the barrier for creating convincing phishing assets, proactive threat‑hunting and user education become essential components of a resilient cyber‑defense strategy.
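A minimal detection pass over constructed proxy-log lines, added here as an illustration and not code from the original report: it flags CERT-UA lookalike hostnames, downloads of the lure archive name, and WebSocket upgrades to external hosts on the reported C2 port. The log format, the internal DNS suffix, and cert.gov.ua as the legitimate domain are assumptions.

```python
import re

# Constructed sample proxy log (not from the incident):
# timestamp src_ip dst_host dst_port upgrade_header path
SAMPLE_LOG = """\
2025-03-27T09:12:01Z 10.1.4.22 cert.gov.ua 443 - /articles/
2025-03-27T09:15:43Z 10.1.4.22 cert-ua.tech 443 - /protection_tool
2025-03-27T09:16:10Z 10.1.4.22 files.fm 443 - /down.php?i=abc/protection_tool.zip
2025-03-27T09:20:55Z 10.1.4.22 198.51.100.17 8443 websocket /ws
2025-03-27T09:21:02Z 10.1.4.30 intranet.example.local 8443 websocket /events
"""

LEGIT_CERT_DOMAINS = ("cert.gov.ua",)      # assumed official CERT-UA domain
INTERNAL_SUFFIXES = (".example.local",)     # assumed internal namespace
LURE_NAMES = ("protection_tool.zip",)       # archive name from the report
C2_PORTS = {8443}                           # WebSocket C2 port from the report

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")
LOOKALIKE_RE = re.compile(r"(?:^|\.)cert[-_]?ua")  # heuristic label match


def is_lookalike(host):
    """True when the host brands itself as CERT-UA but is not the real domain."""
    h = host.lower()
    if any(h == d or h.endswith("." + d) for d in LEGIT_CERT_DOMAINS):
        return False
    return bool(LOOKALIKE_RE.search(h))


def analyze(log_text):
    """Return (timestamp, src_ip, rule, detail) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole pass
        ts, src, host, port, upgrade, path = m.groups()
        port = int(port)
        if is_lookalike(host):
            findings.append((ts, src, "lookalike CERT-UA domain", host))
        if any(path.lower().endswith(n) for n in LURE_NAMES):
            findings.append((ts, src, "lure archive download", host + path))
        if (upgrade.lower() == "websocket" and port in C2_PORTS
                and not host.lower().endswith(INTERNAL_SUFFIXES)):
            findings.append((ts, src, "websocket to external host on C2 port",
                             "%s:%d" % (host, port)))
    return findings
```

Real deployments would replace the constant lists with threat-intel feeds and an asset inventory, but the three rule shapes carry over unchanged.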