Apr 01, 2026 · 6 min read
Hackers Sent Fake Government Cyber Alerts to Trick Ukraine Into Installing a Backdoor
A pro-Russian group impersonated Ukraine's Computer Emergency Response Team and sent phishing emails warning of a fake cyberattack. The "protective" software it offered was a remote access trojan.
The Attack
In late March 2026, a threat group tracked as UAC-0255 launched a phishing campaign impersonating CERT-UA, Ukraine's official Computer Emergency Response Team. The emails warned recipients of an imminent "large-scale cyberattack" and urged them to download a password-protected archive from the Files.fm file-sharing service.
The archive contained no security tools. It carried AgeWheeze, a remote administration tool that lets the attackers execute commands, manage files and processes, stream screen content in real time, and read clipboard data.
Who Was Targeted
The campaign cast a wide net across Ukrainian institutions:
- Government institutions
- Medical centers and hospitals
- Financial companies and banks
- Security firms
- Universities and educational institutions
- Software development companies
The group later claimed on Telegram that it sent approximately one million emails to Ukr.net users. CERT-UA disclosed that the campaign was "largely unsuccessful," resulting in only a small number of infections, mostly on personal devices belonging to employees of educational institutions.
Who Is CyberSerp
CERT-UA found the phrase "From Cyber Serp with Love" embedded in the campaign code. CyberSerp is a relatively new threat actor that emerged in November 2025. The group describes itself as a "cyber partisan movement" and claims Ukrainian origins, but its operations consistently advance pro-Russian objectives.
Impersonating a country's own cyber defense agency is a particularly insidious tactic. It exploits the trust that citizens and organizations place in government security advisories, the very warnings designed to protect them. When a message that appears to come from a government agency says "download this patch immediately," many recipients comply without questioning it.
Why This Matters Beyond Ukraine
Government impersonation attacks are not unique to the Russia-Ukraine conflict. The technique works anywhere trust in official communications exists:
- In the US, the IRS and CISA regularly warn about phishing emails impersonating government agencies
- Tax-season phishing campaigns impersonating the IRS recently hit 29,000 users across 10,000 companies
- Fake security alerts impersonating platforms like Google and Microsoft are among the most effective phishing lures, because recipients believe they are protecting themselves by clicking
The CyberSerp campaign demonstrates how cyber operations in active conflict zones serve as testing grounds for techniques that eventually spread worldwide. An attack that works against Ukrainian government workers today can be adapted for corporate employees in any country tomorrow.
How to Spot Fake Government Alerts
Legitimate government cyber agencies follow predictable patterns. Watch for these red flags:
- Real CERT advisories link to official government domains, not third-party file-sharing services like Files.fm or Google Drive
- Government agencies do not distribute software patches via email attachments or download links. They direct you to the vendor's official website
- Password-protected archives are a classic phishing technique: an email security gateway cannot open an encrypted archive, so it cannot scan what is inside
- Urgency language like "immediate action required" paired with a download link is almost always malicious
- Verify alerts independently by typing the agency's website address into your browser rather than clicking links in the email, and check that the sender's domain actually belongs to the agency
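The red flags above can be turned into a mechanical triage check. The script below is an added example written for this article; it is not code from the original page, from CERT-UA, or from any product. It parses a raw email, compares the claimed sender against a hypothetical allowlist of official domains (here `cert.gov.ua` and `gov.ua`, an assumption you should replace with your own list), flags links to public file-sharing hosts, and looks for the password-protected-archive and urgency patterns. Both sample messages are constructed for the example and are not the real campaign emails.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist of domains treated as official CERT sources.
# Replace with the domains your organisation actually trusts.
OFFICIAL_DOMAINS = {"cert.gov.ua", "gov.ua"}
# Public file-sharing hosts a real advisory would never use to ship a "patch".
FILE_SHARING_HOSTS = {"files.fm", "drive.google.com", "dropbox.com", "wetransfer.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(immediate(ly)?|urgent(ly)?|imminent|act now|within 24 hours)\b", re.I)
PASSWORD_ARCHIVE_RE = re.compile(r"password[- ]protected|archive password|password:\s*\S+", re.I)


def _host_matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_of(msg):
    """Subject plus every text/plain body part, decoded; attachments are skipped."""
    chunks = [msg.get("Subject", "")]
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage_email(raw_message):
    """Return a list of (code, detail) red flags found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []

    # Red flag 1: display name claims to be a CERT but the address is not on an official domain.
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _mail_domain(sender)
    if "cert" in display.lower() and not _host_matches(sender_domain, OFFICIAL_DOMAINS):
        findings.append(("SENDER_SPOOF", f"'{display}' sent from {sender_domain}"))

    # Replies routed to a different domain than the sender are a common phishing tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _mail_domain(reply_to) != sender_domain:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {_mail_domain(reply_to)}"))

    # Red flag 2: links to file-sharing services or to anything outside the allowlist.
    text = _text_of(msg)
    suspicious_links = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,);")).hostname or ""
        if _host_matches(host, FILE_SHARING_HOSTS):
            findings.append(("FILE_SHARING_LINK", host))
            suspicious_links.append(url)
        elif not _host_matches(host, OFFICIAL_DOMAINS):
            findings.append(("NON_OFFICIAL_LINK", host))
            suspicious_links.append(url)

    # Red flag 3: the mail talks about a password-protected archive the gateway cannot scan.
    if PASSWORD_ARCHIVE_RE.search(text):
        findings.append(("PASSWORD_ARCHIVE", "encrypted archives cannot be scanned by the gateway"))

    # Red flag 4: urgency language, but only when paired with an untrusted download.
    if suspicious_links and URGENCY_RE.search(text):
        findings.append(("URGENT_DOWNLOAD", "urgency language paired with an untrusted download"))

    # Red flag 5: an archive attached directly to the mail.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTENSIONS):
            findings.append(("ARCHIVE_ATTACHMENT", name))

    return findings


# Constructed sample messages for this example; not the real campaign emails.
PHISH = """\
From: CERT-UA <alerts@cert-ua-notify.example>
Reply-To: helpdesk@mail-relay.example
To: user@example.org
Subject: URGENT: large-scale cyberattack expected
Content-Type: text/plain; charset=utf-8

An imminent large-scale cyberattack is expected. Immediately download and
install the protective update: https://files.fm/u/example-archive
Archive password: Protect2026
"""

LEGIT = """\
From: CERT-UA <cert@cert.gov.ua>
To: user@example.org
Subject: Advisory: phishing campaign impersonating CERT-UA
Content-Type: text/plain; charset=utf-8

The advisory and indicators are published at https://cert.gov.ua/articles/example
Verify alerts by visiting the site directly rather than following emailed links.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage_email(sample) or "no red flags")
```

The urgency check deliberately fires only when an untrusted link is also present: real advisories do say "patch immediately", so urgency alone is a weak signal, while urgency plus a Files.fm download is the exact shape of this campaign. The allowlist is the part that needs local judgement; keep it short and tied to domains you have verified out of band.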
The Bigger Picture
This campaign sits within an escalating pattern of state-aligned cyber operations targeting Ukraine and its allies. Russia's military intelligence unit APT28 has conducted similar email-based attacks exploiting cross-site scripting (XSS) vulnerabilities in Zimbra webmail. Other groups have impersonated everything from delivery services to telecom providers.
The CyberSerp campaign's low success rate suggests Ukrainian organizations have developed strong defenses after years of persistent targeting. But the approach of weaponizing government trust is a warning to every other country: your official cyber alerts could be spoofed next.