The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT.
The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245. The agency said it spotted the attack following the discovery of software tools taking the form of XLL files, which refer to Microsoft Excel add-ins that are typically used to extend the functionality of Excel with custom functions.
Further investigation has uncovered that the XLL files are distributed within ZIP archives shared on the Signal messaging app, disguised as a document concerning the detention of individuals who had attempted to cross the Ukrainian border.
The XLL, once launched, is designed to create a number of executables on the compromised host, namely an EXE file in the Startup folder, an XLL file named “BasicExcelMath.xll” in the “%APPDATA%MicrosoftExcelXLSTART” directory, and a PNG image named “Office.png.”
Windows Registry modifications are done to ensure persistence of the executable, after which it launches the Excel application (“excel.exe”) with the “/e” (“/embed”) parameter in hidden mode in order to ultimately run the XLL add-in. The main purpose of the XLL is to parse and extract from the PNG file shellcode that’s classified as CABINETRAT.
Both the XLL payload and the shellcode come with a number of anti-VM and anti-analysis procedures to evade detection, including checking for at least two processor cores and at least 3GB of RAM, and the presence of tools like VMware, VirtualBox, Xen, QEMU, Parallels, and Hyper-V.
A full-fledged backdoor written in the C programming language, CABINETRAT is mainly designed to gather system information, a list of installed programs, screenshots, as well as enumerate directory contents, deleting specific files or directories, running commands, and carrying out file uploads/downloads. It communicates with a remote server over a TCP connection.
The disclosure comes days after Fortinet FortiGuard Labs warned of attacks targeting Ukraine by impersonating the National Police of Ukraine in a fileless phishing campaign that delivers Amatera Stealer and PureMiner for harvesting sensitive data and mining cryptocurrency from targeted systems.
