Pierluigi Paganini October 02, 2025

CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor via malicious Excel XLL add-ins spotted in Sept 2025.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyberattacks by the group UAC-0245 using the CABINETRAT backdoor. The campaign, seen in September 2025, involved malicious Excel XLL add-ins posing as software tools (e.g. “UBD Request.xll”, “recept_ruslana_nekitenko.xll”).

The files are executable (PE, Portable excutable) that can be loaded by the Excel Add-in Manager using the procedure (exported function) “xlAutoOpen”.

Targeted individuals reported that attackers tried to spread the malicious file “500.zip” via Signal, disguising it as a border detention document in Ukraine.

“Subsequently, a message was received from the participants in the information exchange about the recording of an attempt to distribute the file “500.zip” using Signal under the guise of a document regarding the detention of persons who were trying to cross the state border of Ukraine.” reads the report published by CERT-UA.

When launched, the XLL drops an EXE in the Startup folder, an XLL named “BasicExcelMath.xll” in %APPDATA%, and a PNG called “Office.png.” It then modifies the Windows Registry to maintain persistence, starts Excel in hidden mode, and runs the XLL add-in. The XLL extracts and executes CABINETRAT shellcode from the PNG file.

The XLL payload and its shellcode include anti-analysis checks. They verify the presence of at least two CPU cores and 3GB RAM and virtualization platforms (VMware, VirtualBox, Xen, QEMU, Parallels, Hyper-V), to evade detection. They also verify the user SID doesn’t end with “500”; and check the PEB debug flag.

“Considering the novelty of tactics, techniques, and procedures, and not taking into account known cases of using XLL files in targeted cyberattacks carried out by the UAC-0002 group, in particular, against critical infrastructure facilities in Ukraine, a separate identifier UAC-0245 has been created to track the described activity.” continues the report.

CABINETRAT is a C-written shellcode tool that gathers OS and installed-program data. The malicious code runs commands, handles files, takes screenshots and connects to a C2 over TCP. It first probes ports 18700, 42831, 20046 and 33976 (port-knock-like).

Most messages compress with MSZIP and split if too large. Main message types:

• 0: handshake (“Ninja” → server replies “Bonjour”)
• 1: run a program and send results
• 2: send command output
• 4: send a requested file to the server (exfiltrate)
• 5: receive and save a file from the server
• 6: send BIOS GUIDs after handshake
• 7: send OS version info (from Windows registry)
• 8: report connected disks
• 9: list installed programs (registry uninstall keys)
• 10: list directory contents (path + search mask)
• 11: take and send a screenshot
• 12: send an error code
• 13: delete a file or folder

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)