A pro-Russian hacker group impersonated Ukraine’s national cyber incident response team in a phishing campaign targeting government agencies, businesses, and other institutions, Ukrainian cybersecurity officials said.

Researchers from Ukraine’s computer emergency response team (CERT-UA) said Sunday the attackers, tracked as UAC-0255, sent emails last week posing as the agency. The messages warned recipients about a supposed “large-scale cyberattack” allegedly being prepared by Russia against Ukrainian critical infrastructure.

The emails urged recipients to download a password-protected archive from the file-sharing service Files.fm and install what was described as specialized security software meant to protect vulnerable systems. The hackers warned that ignoring the message could lead to “serious consequences.”

The file contained a remote administration tool dubbed AgeWheeze, which allows attackers to remotely control infected computers. According to CERT-UA, the malware supports a wide range of capabilities, including executing commands, managing files and processes, streaming screen content, emulating mouse and keyboard input, and accessing the clipboard.

The phishing emails targeted organizations across multiple sectors, including government institutions, medical centers, financial companies, security firms, universities, and software developers. CERT-UA said the campaign was largely unsuccessful and resulted in only a small number of infections, mainly on personal devices belonging to employees of educational institutions.

The agency said the operation may be linked to the CyberSerp hacker group, which later claimed responsibility for the attack on its Telegram channel. CERT-UA said it found the phrase “From Cyber Serp with Love” embedded in the code of a fake website used in the campaign.

In posts on Telegram, the group claimed it had sent malicious emails to roughly one million users of Ukr.net, a widely used Ukrainian email service, and compromised more than 200,000 devices. CERT-UA did not confirm those figures. The hackers also praised CERT-UA’s investigation and thanked the agency for what they described as “advertising” their Telegram channel.

Emerging threat actor

CyberSerp is a relatively new threat actor targeting Ukraine. Its Telegram channel was created in November 2025, where the group describes itself as a “cyber-partisan movement” and claims Ukrainian origins. The group has previously attempted to recruit collaborators in Ukraine, promising payment for “valuable information.”

CyberSerp has also claimed responsibility for a separate alleged breach of the Ukrainian cybersecurity company Cipher, alleging it obtained a full dump of the company’s servers, including internal correspondence and a database of clients that allegedly included government institutions.

Cipher acknowledged that attackers compromised the credentials of an employee at one of its contractors but said there was no breach of its core infrastructure. According to the company, the compromised account had access only to a single project that did not contain sensitive security information or personal data.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.