UAC-0245
UAC-0245 is a threat cluster tracked by CERT-UA and attributed to a targeted September 2025 campaign against Ukrainian organizations, including members of the Ukrainian Officers Union (SOU). CERT-UA created the identifier UAC-0245 because the observed tactics, techniques, and procedures were novel. The activity is described as cyber-espionage targeting Ukraine.

The group used malicious Microsoft Excel XLL add-ins delivered via Signal, including a ZIP archive named "500.zip" disguised as a document about the detention of people attempting to cross Ukraine’s state border. Reported lure filenames included "UBD Request.xll" and "recept_ruslana_nekitenko.xll". When executed, the XLL payload established persistence by dropping an executable into the Windows Startup folder, placing an XLL add-in such as "BasicExcelMath.xll" under %APPDATA%, and modifying the Windows Registry. The persisted executable launched Excel in hidden mode and loaded the malicious add-in, which extracted CABINETRAT shellcode from a PNG file named "Office.png".

In this campaign, UAC-0245 used the CABINETRAT backdoor, described as a C-based shellcode backdoor (a full-featured backdoor) for stealthy, long-term access, surveillance, and data exfiltration. CABINETRAT capabilities directly mentioned in the content include system and installed-program discovery, command execution, file and directory operations, upload/download and exfiltration, screenshot capture, and TCP command-and-control communications. The malware used anti-analysis and anti-virtualization checks, including CPU and RAM thresholds, virtualization platform checks, PEB debug flag checks, and SID validation. Reported persistence and evasion behaviors included Registry Run keys, Startup folder placement, scheduled tasks, and clearing Excel Resiliency DisabledItems registry entries to re-enable malicious add-ins.
The content notes prior targeted XLL use by UAC-0002 against Ukrainian critical infrastructure, but states UAC-0245 was assigned separately because the observed TTPs were novel. No additional aliases or sub-groups for UAC-0245 are provided in the content.
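A host triage script for the persistence chain described above, added here as an example (it is not code from the page, CERT-UA or Mallory). It assumes the Office 16.0 per-user registry hive and inspects only the current user's profile; a non-empty result is a lead to verify, not a verdict.

```powershell
# Added triage script (not from the page or CERT-UA). Enumerates the host artifacts the
# UAC-0245 persistence chain leaves behind: a Startup-folder executable, an XLL under
# %APPDATA%, Run keys, Excel add-in registrations, the Resiliency DisabledItems list,
# and Excel processes not started by the user. Assumes Office 16.0 per-user hive paths.
$findings = @()

# 1. Executables or shortcuts dropped into the per-user Startup folder
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path "$startup\*" -Include *.exe,*.lnk -File -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += [pscustomobject]@{ Artifact = 'StartupFolder'; Value = $_.FullName } }

# 2. XLL add-ins living under %APPDATA% (the report names BasicExcelMath.xll)
Get-ChildItem -Path $env:APPDATA -Recurse -File -Filter *.xll -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += [pscustomobject]@{ Artifact = 'AppDataXll'; Value = $_.FullName } }

# 3. Run keys that point into user-writable locations
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
  (Get-ItemProperty $runKey).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match 'AppData|Temp|Startup' } |
    ForEach-Object { $findings += [pscustomobject]@{ Artifact = 'RunKey'; Value = "$($_.Name) = $($_.Value)" } }
}

# 4. Excel add-ins registered via OPEN / OPENn values under Excel\Options
$excel = 'HKCU:\Software\Microsoft\Office\16.0\Excel'
if (Test-Path "$excel\Options") {
  (Get-ItemProperty "$excel\Options").PSObject.Properties |
    Where-Object { $_.Name -match '^OPEN\d*$' -and $_.Value -match '\.xll' } |
    ForEach-Object { $findings += [pscustomobject]@{ Artifact = 'ExcelOpenAddin'; Value = $_.Value } }
}

# 5. Size of the Resiliency DisabledItems list; the malware empties it so a blocked
#    add-in loads again, so record the count for comparison with a known-good baseline
$resil = "$excel\Resiliency\DisabledItems"
$count = if (Test-Path $resil) { (Get-Item $resil).ValueCount } else { 0 }
$findings += [pscustomobject]@{ Artifact = 'ResiliencyDisabledItems'; Value = "$count entries" }

# 6. Running Excel instances whose parent is not the shell (hidden launch from Startup)
Get-CimInstance Win32_Process -Filter "Name='EXCEL.EXE'" | ForEach-Object {
  $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
  if ($parent -and $parent.Name -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Artifact = 'ExcelParent'; Value = "$($parent.Name) -> $($_.CommandLine)" }
  }
}

$findings | Format-Table -AutoSize
```

Run it in the context of the user being triaged, since every path and key it reads is per-user.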
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Attributed 2025 targeted campaign against Ukrainian organizations using CABINETRAT delivered via malicious Excel XLL files (disguised as border-related documents) distributed over Signal to gain stealthy access and conduct ongoing surveillance.
UAC-0245 is targeting Ukrainian organizations using the CABINETRAT backdoor for cyberattacks.
CERT-UA-tracked cluster conducting targeted cyberattacks (against the SOU, according to the source title) using the CABINETRAT backdoor.
Targeted campaign against individuals in Ukraine using malicious Excel XLL add-ins delivered via Signal to install CABINETRAT, establish persistence (Startup folder + registry), evade analysis (VM/anti-debug/resource checks), and perform remote access/exfiltration over a TCP C2 with port-knock-like probing.