CABINETRAT Backdoor Deployed via XLL Add-ins in Ukraine
Summary
The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a targeted cyber attack campaign deploying the CABINETRAT backdoor, attributed to the threat cluster UAC-0245. The attack was observed in September 2025: malicious XLL add-ins (native Excel add-in DLLs), disguised as legitimate documents and packed inside ZIP archives, were distributed over the Signal messaging app. The XLL files create multiple executables and make registry modifications to ensure persistence and evade detection, and deploy CABINETRAT, which gathers system information and executes commands on the compromised host. The backdoor communicates with a remote server over a TCP connection.
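Because the lure described above is an XLL add-in hidden in a ZIP archive under a document-looking name, a defender's first triage step is to look inside the archive for members that are actually Excel add-ins. The script below is an added example written for this page, not code from CERT-UA or The Hacker News, and it is not tied to any real CABINETRAT sample. It flags ZIP members by three signals: an .xll extension, a PE (MZ/PE) header, and the presence of the xlAutoOpen/xlAutoClose export names that Excel calls when an XLL loads. The archive it scans is constructed inline, and the "XLL" members in it are fake header stubs with no code.

```python
"""Triage a ZIP archive for XLL add-ins masquerading as documents.

Added example (not the advisory's or vendor's code). The sample archive
and the PE-looking stubs inside it are constructed here for illustration.
"""
import io
import struct
import zipfile

# Export names Excel resolves when loading an XLL; their presence in a
# member's bytes is a strong hint that the file is an add-in, not a document.
XL_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")


def _looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(blob: bytes) -> list[dict]:
    """Return one finding per archive member that looks like an XLL / PE file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(".xll"):
                reasons.append("xll-extension")
            if _looks_like_pe(data):
                reasons.append("pe-header")
            if any(exp in data for exp in XL_EXPORTS):
                reasons.append("xl-export-name")
            # A document-style name (e.g. Contract.docx.xll) over a PE body is
            # exactly the disguise pattern the advisory describes: call it out.
            doc_like = any(ext in lower for ext in (".doc", ".pdf", ".xls"))
            if doc_like and "pe-header" in reasons:
                reasons.append("document-name-over-pe")
            if reasons:
                findings.append({"member": name, "size": len(data), "reasons": reasons})
    return findings


def _fake_pe(with_exports: bool) -> bytes:
    """Constructed MZ/PE header stub (not a real binary, no code inside)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> right after it
    body = b"PE\x00\x00" + b"\x00" * 20
    if with_exports:
        body += b"\x00xlAutoOpen\x00xlAutoClose\x00"
    return bytes(hdr) + body


def build_sample_archive() -> bytes:
    """Constructed sample ZIP: a disguised XLL, a benign note, a plain DLL stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Contract_2025.docx.xll", _fake_pe(with_exports=True))
        zf.writestr("readme.txt", "Please review the attached document.\n")
        zf.writestr("helper.dll", _fake_pe(with_exports=False))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f"{f['member']} ({f['size']} bytes): {', '.join(f['reasons'])}")
```

Running it on the constructed archive flags Contract_2025.docx.xll on all four signals and helper.dll on the PE header alone, while readme.txt passes. The export-name check is a plain byte search and will miss a packed or string-obfuscated add-in; for anything beyond a quick triage, parse the PE export directory (for example with pefile) and treat any PE inside an archive that arrived over a messaging app as suspicious regardless of its name.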
Timeline
- 01.10.2025 10:11 · 1 article
CABINETRAT Backdoor Deployed via XLL Add-ins in Ukraine
In September 2025, a targeted cyber attack campaign using the CABINETRAT backdoor was observed in Ukraine. The campaign involves the distribution of malicious XLL add-ins via the Signal messaging app, disguised as legitimate documents. The backdoor gathers system information, executes commands, and includes anti-VM and anti-analysis procedures to evade detection. The attack is attributed to the threat cluster UAC-0245.
- Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs — thehackernews.com — 01.10.2025 10:11
Information Snippets
First reported 01.10.2025 10:11 (1 source, 1 article; the source is listed under Timeline above). All snippets below share that date and source.
- The CABINETRAT backdoor is distributed via XLL add-ins disguised as legitimate documents.
- The XLL files are distributed within ZIP archives shared on the Signal messaging app.
- The XLL add-ins create executables and registry modifications to ensure persistence.
- The backdoor gathers system information, enumerates directory contents, and executes commands.
- The backdoor includes anti-VM and anti-analysis procedures to evade detection.
- The backdoor communicates with a remote server over a TCP connection.