SHADOWSNIFF

SHADOWSNIFF is an information-stealing malware/credential stealer described by CERT-UA as a GitHub-hosted stealer. Public reporting places it in phishing campaigns targeting Ukrainian government institutions and other Ukrainian-speaking organizations during January-February 2026, tracked as UAC-0252. In these campaigns, emails impersonated Ukrainian central executive bodies and regional administrations and urged recipients to update widely used civilian and military mobile applications. Delivery methods included attached archives containing executables, links to legitimate but XSS-vulnerable websites that executed JavaScript and downloaded an executable, and exploitation of the WinRAR vulnerability CVE-2025-8088. SHADOWSNIFF was deployed alongside SALATSTEALER, and CERT-UA also reported DEAFTICK in the same activity cluster. The activity has been associated by CERT-UA with individuals discussed on the Telegram channel “PalachPro.” Reported SHADOWSNIFF file indicators include updateV3.23.exe with MD5 2591d145ff510f7fc4d6290d3bfcb130 and SHA-256 3abf295b79992532b03261a81643124d134fa7e86fb901b3bfc74ad0f192dc7f, and another updateV3.23.exe variant with MD5 b6480aa6c364715a21ba28c4d26a5b6e and SHA-256 c2a4212573d7566acf5b610b4ce3598237acd37459670daa1b6950f107d50e03. Related network indicators reported in the same campaign include http://150.241.64.21:8888/client/addclient, http://95.85.224.14:8000/client/addclient, https://nfkavn.bond/client/addclient, and SALATSTEALER-related paths on salat.cn and salator.ru. Host-based behaviors reported for the campaign include hiding %TMP%\svchost.exe, adding a Microsoft Defender exclusion for it, and creating a Run key persistence value WindowsUpdateService pointing to %TMP%\svchost.exe.