- The Computer Emergency Response Team of Ukraine (CERT-UA) has identified new targeted cyber attacks using a backdoor named CABINETRAT.
- The attacks were observed in September 2025 and linked to the threat group UAC-0245.
- Malicious Microsoft Excel add-in files (XLL files) are distributed via Signal, disguised as a border detention document.
- CABINETRAT backdoor collects system information, executes commands, and communicates over TCP.
- The backdoor and payload use anti-analysis techniques to evade detection on virtual machines.
In September 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) detected cyber attacks targeting Ukrainian systems. The attacks employed a backdoor called CABINETRAT, delivered through malicious Microsoft Excel add-in files (XLL files). These files were spread using ZIP archives shared on the Signal messaging app, disguised as documents about the detention of individuals trying to cross the Ukrainian border.
CERT-UA attributed the activity to the threat cluster tracked as UAC-0245. The malicious XLL files create several executable files on infected computers, including an EXE in the Startup folder, a copy of the XLL file named “BasicExcelMath.xll” in the Excel startup directory, and a PNG image titled “Office.png.” The Malware modifies Windows Registry settings to maintain persistence and runs Excel in a hidden mode to execute the XLL add-in.
The XLL add-in extracts shellcode stored inside the PNG image. This shellcode, classified as CABINETRAT, is designed as a backdoor written in C. It gathers system information such as installed programs, captures screenshots, lists directory contents, deletes files or directories, executes commands, and transfers files. CABINETRAT communicates with a remote server using a TCP connection.
Both the XLL payload and CABINETRAT incorporate anti-analysis features to avoid detection. They check for virtual environments by detecting virtualization software like VMware and VirtualBox, and require at least two processor cores and 3 GB of RAM before executing.
This announcement follows a recent warning from Fortinet FortiGuard Labs about phishing attacks in Ukraine. Those attacks impersonated the National Police of Ukraine and delivered malware such as Amatera Stealer and PureMiner to steal data and mine cryptocurrency.
For more details on the CERT-UA report, visit their official page here. Information on XLL files can be found at Microsoft’s documentation here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- MSTR Surges 6% After Tax Relief on Bitcoin Gains from Trump Admin
- Injective Launches First On-Chain Pre-IPO Market With OpenAI
- SBI Crypto Allegedly Hides $21M Digital Asset Loss From Members
- Canton Network Sees Surging Usage as Major Institutions Join
- Bitdefender 2025 Report: Rising Breach Secrecy, AI, and Attack Surfaces
