UAC-0252

UAC-0252 is a threat cluster tracked by CERT-UA and associated in CERT-UA reporting with individuals discussed on the Telegram channel "PalachPro." The activity targets Ukraine, including Ukrainian government institutions, central executive authorities, and regional administrations, and uses phishing emails impersonating Ukrainian government bodies and regional administrations. Lures have included themes related to updating widely used civilian and military mobile applications and documents impersonating Ukrainian government institutions, including the Bureau of Economic Security of Ukraine. CERT-UA reported repeated campaigns beginning in January 2026. Delivery methods included attached archives containing EXE payloads and links to legitimate but XSS-vulnerable websites that executed JavaScript and downloaded executables. GitHub-hosted payloads and scripts were used in the campaigns. Reporting also tied the cluster to campaigns using LNK, HTML, ZIP, and RAR lures, and to activity exploiting or attempting to exploit the WinRAR vulnerability CVE-2025-8088. Malware and tooling directly associated with UAC-0252 in the provided content include SHADOWSNIFF, SALATSTEALER, and DEAFTICK, with a GitHub repository also containing a program with ransomware-like characteristics internally named "AVANGARD ULTIMATE v6.0" and an archive containing an exploit for CVE-2025-8088. Hunt.io reporting states that infrastructure at Beget LLC hosted activity tied to the UAC-0252 campaign, which impersonated Ukrainian government institutions and deployed SHADOWSNIFF and SALATSTEALER through CVE-2025-8088. Observed tradecraft includes phishing, impersonation of Ukrainian institutions, abuse of legitimate websites with XSS for payload delivery, use of GitHub for hosting payloads and scripts, archive-based delivery chains, and persistence via a Run key value named WindowsUpdateService pointing to %TMP%\svchost.exe, along with attempts to hide the file and add a Microsoft Defender exclusion. Additional reporting noted overlap between a March 2026 phishing campaign using nested RAR archives and the UAC-0252 cluster, but that attribution was assessed with low confidence. The provided content does not conclusively identify UAC-0252 as a nation-state actor, although the campaigns are Ukraine-focused and use government-themed lures.