CERT-UA Warns: New Espionage Campaign Distributes CABINETRAT Backdoor via Signal Messenger XLL Files
CERT-UA has detected a new targeted campaign against Ukraine in which operators distribute malicious XLL modules inside ZIP archives via the Signal messenger, ultimately delivering the CABINETRAT backdoor to victims’ machines. The agency attributes the incidents to a cluster labeled UAC-0245 and provides a detailed analysis of the attack logic and the malware’s obfuscation techniques.
The intrusion begins with a ZIP archive sent through Signal, masquerading as a document about detentions at the border. The archive contains an XLL file — an Excel add-in. When executed, the add-in creates several artifacts on the host: an executable dropped into an autorun folder, the XLL itself saved as BasicExcelMath.xll under %APPDATA%\Microsoft\Excel\XLSTART\, and an image file named Office.png.
Registry entries are then modified to ensure persistence, after which Excel is stealthily launched with the /e parameter, causing the XLL add-in to be loaded and executed without presenting a visible interface. The add-in’s principal purpose is to read shellcode encoded within the PNG file — the CABINETRAT payload — and hand it off for execution.
CERT-UA notes that both the XLL and the embedded shellcode employ anti-analysis measures: checks for hardware characteristics (at least two CPU cores and a minimum of 3 GB RAM) and probes for virtualization artifacts (VMware, VirtualBox, Xen, QEMU, Parallels, Hyper-V). If the environment resembles a sandbox, the malware will not activate.
CABINETRAT, written in C, implements a full remote-access toolset: collection of system inventory and installed-software lists, screenshot capture, directory traversal and enumeration, selective file and folder deletion, remote command execution, and file transfer. Command and control is performed over a TCP connection.
According to CERT-UA, distribution via Signal and carefully crafted message subjects raise the likelihood recipients will open the attachments, while the use of XLL add-ins bypasses typical mail filters and heuristic AV detection, since Excel add-ins are less rigorously inspected than macros. The activity has been assigned the label UAC-0245.
Administrators are advised to strengthen filtering of incoming archives, block execution of unsigned XLL modules, and audit Office add-ins’ autorun settings. Key recommendations include disabling automatic opening of messenger attachments, enforcing a strict allowlist for trusted Office add-ins, monitoring network traffic for anomalous TCP connections, and promptly investigating suspicious registry or autorun changes. Organizations should also circulate examples of the disguise techniques seen in the campaign to reduce the chance of users clicking on malicious archives.
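As an added illustration (not code from CERT-UA or this article), the following Python hunt turns two of the observations above into detection logic: an .xll written into an XLSTART folder, escalated when a headless Excel launch with the /e switch follows on the same host within a short window. The events, field names and paths are constructed Sysmon-style samples, not real telemetry.

```python
"""Constructed hunt for the XLL-in-XLSTART chain (added example, not CERT-UA's code)."""
from datetime import datetime

# Constructed Sysmon-style events with assumed field names; not real telemetry.
EVENTS = [
    {"host": "ws01", "ts": "2025-09-29T10:01:02", "type": "file_create",
     "path": r"C:\Users\olena\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll"},
    {"host": "ws01", "ts": "2025-09-29T10:01:05", "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e'},
    # Benign: a user opens a workbook, no /e switch
    {"host": "ws02", "ts": "2025-09-29T11:15:00", "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\ivan\budget.xlsx"'},
    # Benign: an add-in installed outside any XLSTART folder
    {"host": "ws02", "ts": "2025-09-29T11:16:00", "type": "file_create",
     "path": r"C:\Program Files\Vendor\Addins\report.xll"},
]

def is_xlstart_xll(ev):
    """True for a .xll written under any ...\\Microsoft\\Excel\\XLSTART\\ folder."""
    p = ev.get("path", "").lower()
    return ev["type"] == "file_create" and "\\microsoft\\excel\\xlstart\\" in p and p.endswith(".xll")

def is_headless_excel(ev):
    """True for excel.exe started with the /e switch (add-ins load, no visible window)."""
    if ev["type"] != "process_create" or not ev.get("image", "").lower().endswith("\\excel.exe"):
        return False
    return "/e" in ev.get("cmdline", "").lower().split()

def hunt(events, window_s=600):
    """One alert per XLSTART .xll drop; 'high' when a headless Excel launch follows
    on the same host within window_s seconds, otherwise 'medium'."""
    launches = [e for e in events if is_headless_excel(e)]
    alerts = []
    for d in (e for e in events if is_xlstart_xll(e)):
        t0 = datetime.fromisoformat(d["ts"])
        followed = any(
            l["host"] == d["host"]
            and 0 <= (datetime.fromisoformat(l["ts"]) - t0).total_seconds() <= window_s
            for l in launches)
        alerts.append({"host": d["host"], "path": d["path"],
                       "severity": "high" if followed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

A real deployment would read the same fields from Sysmon event IDs 11 (file create) and 1 (process create) and add the add-in's signature status before deciding on blocking.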