AGEWHEEZE Delivery: When CERT-UA Becomes the Attack Vector
Just caught the latest report on the UAC-0255 campaign impersonating CERT-UA. It’s a textbook example of the trust chain being weaponized. On March 26-27, threat actors sent out emails masquerading as the Ukrainian CERT to distribute AGEWHEEZE, a fairly nasty RAT.
The delivery method is the real kicker here—password-protected ZIP archives. It’s an old trick, but it still works because it bypasses most email gateway sandbox detonations. The password is usually in the body text, so the user actively "unlocks" the malware. Since there isn't a CVE involved in the delivery mechanism (it's pure social engineering), we have to rely heavily on behavioral analytics on the endpoint.
I’ve thrown together a quick Sigma rule to catch the execution chain, assuming the dropper uses a PowerShell one-liner to unpack the payload, which is consistent with AGEWHEEZE’s observed behavior:
title: Potential AGEWHEEZE RAT Execution
status: experimental
description: Detects suspicious PowerShell execution patterns associated with UAC-0255 AGEWHEEZE dropper.
references:
  - https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\winword.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - ' -enc '
      - 'DownloadString'
      - 'IEX'
  condition: selection
level: high
Has anyone seen IOCs for the C2 infrastructure yet? I'm particularly interested if they are using standard HTTP/HTTPS or if they’ve moved to something more obfuscated like DNS tunneling.
Good catch on the Sigma rule. We actually caught a variant of this last week in our honeypot. The C2 infrastructure was strictly HTTPS, but they were using valid Let's Encrypt certificates, which made SSL inspection a nightmare without proper certificate pinning.
We modified our transport rules to block zip files entirely unless they come from internal whitelisted senders. It's aggressive, but given the volume (1M emails reported), it saved us a lot of headaches.
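An added example (not code from either post above) of the gateway-side check behind these two replies: the first post notes that a password-protected ZIP sails through sandbox detonation because the payload cannot be opened, and the reply above blocks archives unless they come from internal senders. The block below is a narrower version of that transport rule: it reads the ZIP central directory with Python's standard `zipfile` module and quarantines any archive with an encrypted entry unless the sender is on an allow-list. `build_zip`, the sample archives, the sender addresses and the `INTERNAL_DOMAINS` allow-list are all constructed for the example; the hand-built ZIP exists only so the check runs offline.

```python
import io
import struct
import zipfile
import zlib

ZIP_ENCRYPTED_FLAG = 0x0001            # general-purpose bit 0: entry is encrypted
INTERNAL_DOMAINS = {"corp.example"}    # assumption: allow-listed internal sender domains


def build_zip(entries, encrypted=False):
    """Hand-assemble a minimal STORED zip (local headers, central directory,
    end-of-central-directory record) so the example runs offline.
    With encrypted=True the encryption flag is set the way a password-protected
    archive carries it; the entry bytes are constructed filler, not ciphertext."""
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    dos_time, dos_date = 0, 33          # 00:00:00 on 1980-01-01 in DOS packed form
    local = b""
    central = b""
    for name, data in entries:
        fname = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, dos_time, dos_date,
                             crc, len(data), len(data), len(fname), 0) + fname + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               dos_time, dos_date, crc, len(data), len(data),
                               len(fname), 0, 0, 0, 0, 0, offset) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_attachment(blob, sender):
    """Gateway-side check for one attachment. Password-protected entries are
    identified from the header flag alone, which is all a gateway can see
    without the password; such archives from external senders are quarantined."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"is_zip": False, "encrypted_entries": [], "verdict": "pass"}
    encrypted = [zi.filename for zi in zf.infolist()
                 if zi.flag_bits & ZIP_ENCRYPTED_FLAG]
    sender_domain = sender.rpartition("@")[2].lower()
    if encrypted and sender_domain not in INTERNAL_DOMAINS:
        verdict = "quarantine"
    else:
        verdict = "pass"
    return {"is_zip": True, "encrypted_entries": encrypted, "verdict": verdict}


def can_open_without_password(blob, name):
    """What a sandbox detonation sees: the entry cannot even be read without
    the password that lives in the mail body, so nothing gets detonated."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            with zf.open(name) as entry:
                entry.read()
            return True
        except RuntimeError:                # zipfile: "encrypted, password required"
            return False


if __name__ == "__main__":
    # Constructed samples: one password-protected archive, one plain archive, one non-zip.
    lure = build_zip([("CERT-UA_advisory.docm", b"constructed filler")], encrypted=True)
    plain = build_zip([("notes.txt", b"hello")])
    for blob, sender in ((lure, "cert@example.net"), (plain, "it@corp.example"),
                         (b"%PDF-1.7 not a zip", "x@example.net")):
        print(sender, inspect_attachment(blob, sender))
    print("sandbox can read lure:", can_open_without_password(lure, "CERT-UA_advisory.docm"))
```

The flag check is deliberately cheap: the general-purpose bit is in the central directory, so the gateway never needs the password, and a lure that renames the archive to a different extension still gets caught as long as the bytes parse as a ZIP.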
We rely on Mark of the Web (MotW) filtering for this. Since these files come from the internet, they should be tagged. We have a strict ASR rule (ASR Rule ID: 'Block Office applications from creating child processes') that would kill the PowerShell execution chain you mentioned immediately.
If you haven't enabled Attack Surface Reduction rules yet, this campaign is a perfect reason to start.
Impersonating a CERT agency is bold. It destroys the credibility of actual alerts. From a pentesting perspective, this is the ultimate 'call to action' phishing pretext. Users are trained to trust security warnings.
Just be careful with that generic PowerShell Sigma rule; it might flag legitimate administrative scripts if you don't tune the ParentImage or exclude signed scripts.
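An added example (my code, not from any poster) that runs the Sigma rule from the opening post against constructed process-creation events and shows the tuning the reply above asks for. The `SELECTION` block is the rule's own detection map; the `FILTER` block, the `\\fileserver\approved-scripts\` share it excludes, and all four sample events are assumptions made up for the example, so the condition becomes `selection and not filter` rather than the bare `selection` in the posted rule.

```python
# Selection block copied from the Sigma rule in the opening post, as data.
SELECTION = {
    "ParentImage|endswith": ["\\winword.exe"],
    "Image|endswith": ["\\powershell.exe"],
    "CommandLine|contains": [" -enc ", "DownloadString", "IEX"],
}

# Tuning filter (assumption, not from the thread): suppress hits whose command
# line references an approved, centrally managed script share.
FILTER = {
    "CommandLine|contains": ["\\\\fileserver\\approved-scripts\\"],
}


def _value_matches(value, modifier, patterns):
    """Sigma string modifiers are case-insensitive; a list of patterns is OR."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "equals" and v == p:
            return True
    return False


def block_matches(event, block):
    """A Sigma map: every field in it must match (AND)."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        if not _value_matches(str(event.get(field, "")), modifier or "equals", patterns):
            return False
    return True


def rule_matches(event):
    """condition: selection and not filter"""
    return block_matches(event, SELECTION) and not block_matches(event, FILTER)


def run_rule(events):
    """Return the indexes of events that fire the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {   # Word spawning a hidden, encoded PowerShell: the chain the rule targets
        "ParentImage": WINWORD, "Image": POWERSHELL,
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # same command-line style but launched from the shell, not Office: no hit
        "ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
        "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # Office-launched IEX of an approved script: matches selection, suppressed by filter
        "ParentImage": WINWORD, "Image": POWERSHELL,
        "CommandLine": r'powershell.exe -c "IEX (Get-Content \\fileserver\approved-scripts\macro-helper.ps1 -Raw)"',
    },
    {   # Word spawning cmd.exe: a different child, outside this rule's scope
        "ParentImage": WINWORD, "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo constructed",
    },
]

if __name__ == "__main__":
    print("events firing the rule:", run_rule(EVENTS))   # [0]
```

The third event is the one worth staring at: it satisfies every field of the posted `selection`, so the rule as written would page on it; only the added `filter` keeps it quiet, which is exactly the false-positive class the reply warns about. The same harness also makes the rule's blind spot visible: the fourth event (Word launching `cmd.exe`) never matches because `Image` is pinned to `powershell.exe`.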