The Campaign
On 26 and 27 March 2026, threat actors tracked as UAC-0255 conducted a targeted spear-phishing campaign against Ukrainian organisations by impersonating CERT-UA, Ukraine's national Computer Emergency Response Team and a trusted cybersecurity authority.
The lure emails were crafted to appear as official CERT-UA security advisories or alerts, urging recipients to install "specialised software" distributed as a password-protected ZIP archive hosted on the legitimate file-sharing service Files.fm. The password protection serves two purposes: it bypasses automated email security scanning, and it creates the appearance of authenticated, controlled distribution, which increases trust.
Targeted sectors included:
- Ukrainian government and state organisations
- Medical centres and healthcare institutions
- Cybersecurity and technology companies
- Educational institutions
- Financial institutions
Tactics and Significance
The use of CERT-UA impersonation is particularly effective against security-conscious targets. Recipients in IT and security roles who would normally be sceptical of attachments may lower their guard when the sender appears to be the national CSIRT, which routinely distributes malware analysis reports, indicator sets, and patching advisories.
UAC-0255 is a CERT-UA tracking identifier for an intrusion set with a suspected Russian state nexus. The group has conducted multiple campaigns against Ukrainian critical infrastructure, using lures themed around the ongoing conflict to target individuals whose roles require them to engage with security communications.
Broader Relevance for Enterprise Defenders
While the immediate targeting is Ukrainian, this campaign illustrates several techniques with universal applicability:
Authority impersonation: Spoofing trusted cybersecurity authorities (CERT-UA, CISA, NCSC, national CERTs) to deliver malware to the very organisations most likely to scrutinise suspicious communications. Defenders should verify sender domains carefully: legitimate CERT-UA communications originate from addresses on the cert.gov.ua domain.
File hosting bypass: Distributing payloads through legitimate cloud file hosting services (Files.fm, OneDrive, Google Drive, Dropbox) bypasses many email security gateway URL reputation checks. Security teams should consider whether their DLP and content inspection policies apply to archives delivered from file hosting services.
Password-protected archives: Password protection defeats automated scanning and creates perceived legitimacy. Most enterprise email security solutions cannot inspect the contents of password-protected archives. Treat all password-protected archives from unexpected or unverified sources as high risk.
Sector targeting pattern: The simultaneous targeting of government, healthcare, finance, and technology in a single campaign reflects intelligence-collection objectives that extend beyond any single sector.
Recommended Actions
- Brief staff, particularly IT, security, finance, and executive teams, on impersonation of national cybersecurity authorities; verify any communications claiming to be from CERTs against the official domain before opening attachments
- Review email security gateway policies for handling password-protected archives: consider quarantining or blocking encrypted archives from external senders absent business justification
- Apply URL detonation to file-sharing service links in email: even when the hosting service is legitimate, links to archives should be analysed before delivery
- Check for IOCs: if your organisation received emails claiming to be from CERT-UA or similar authorities in late March, treat them as suspicious and verify against CERT-UA's official communications channels
- If operating in or partnering with Ukrainian organisations: notify relevant contacts about this campaign and share indicators through MISP or similar threat intelligence platforms
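As an added example that is not part of this advisory, the following Python triage routine applies three of the checks above to a single message: it compares any CERT-UA claim in the headers or body against the cert.gov.ua sender domain named above, extracts links to file-hosting services, and reads the encryption flag of attached ZIP archives, which is visible in the archive's central directory without the password. The gateway input shape, the file-hosting list and the lure message are assumptions; the sender domain and URL in the constructed sample are placeholders.

```python
import io, re, zipfile
from email.utils import parseaddr

OFFICIAL_CERT_DOMAIN = "cert.gov.ua"  # the legitimate CERT-UA domain named in the advisory
FILE_HOSTING = ("files.fm", "onedrive.live.com", "drive.google.com", "dropbox.com")  # assumed list

def sender_domain(from_header):
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_official_sender(domain):
    return domain == OFFICIAL_CERT_DOMAIN or domain.endswith("." + OFFICIAL_CERT_DOMAIN)

def zip_is_encrypted(data):
    """True if any entry sets bit 0 (encryption) of the general-purpose flag; readable without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def hosting_links(text):
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    return [u for u in urls if any(h in u.lower() for h in FILE_HOSTING)]

def triage(from_header, subject, body, attachments):
    """Findings for one message: authority claim vs. sender domain, hosting links, encrypted archives."""
    findings = []
    dom = sender_domain(from_header)
    if re.search(r"\bcert[- ]?ua\b", f"{from_header} {subject} {body}", re.I) and not is_official_sender(dom):
        findings.append(f"claims CERT-UA but sent from '{dom}'")
    findings += [f"file-hosting link: {u}" for u in hosting_links(body)]
    findings += [f"password-protected archive: {n}" for n, d in attachments if zip_is_encrypted(d)]
    return findings

def make_sample_zip(encrypted):
    """Constructed one-entry ZIP; 'encrypted' only sets the flag bit (local header offset 6, central dir offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup.exe", b"placeholder bytes, not a real payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1
        data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)

# Constructed lure in the shape the advisory describes; sender domain and URL are placeholders.
SAMPLE = ('"CERT-UA" <alerts@cert-ua-notify.example>', "CERT-UA security advisory",
          "Please install the specialised software: https://files.fm/u/PLACEHOLDER",
          [("software.zip", make_sample_zip(True))])
```

Running `triage(*SAMPLE)` returns three findings for the constructed lure, while a message from a cert.gov.ua address with no hosting links and an unencrypted archive returns none.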