UAC-0245 CABINETRAT delivery campaign targeting Ukraine

Campaign
First reported
Last updated
Happening score
H score 33
1 unique source, 1 article

Summary

A UAC-0245 campaign is using the CABINETRAT backdoor to target Ukraine, creating persistent access for reconnaissance and file transfer. The operation matters because the malicious XLL files are being delivered inside ZIP archives shared on Signal, increasing the chance of stealthy execution. Observed in September 2025, the activity combines a social-engineering lure with post-compromise tooling and anti-analysis checks. The delivery chain shows a coordinated intrusion operation rather than isolated malware use.

Related Happenings

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh

Campaign
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...

SloppyLemming BurrowShell and Rust-based keylogger activity

Malware Activity
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

DCRat delivered through PowerShell and MSBuild in PHALT#BLYX

Malware Activity
First: 06.01.2026 14:13 Last: 06.01.2026 14:13 Sources 1

About this happening: **SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...

Timeline

  1. 01.10.2025 10:11 2 articles · 7mo ago

    CERT-UA warns of CABINETRAT attacks in Ukraine

    Initial Disclosure

    CERT-UA warned of new targeted cyber attacks in Ukraine using the CABINETRAT backdoor, saying it found XLL add-ins delivered in ZIP archives via Signal and disguised as border-detention documents, and attributing the activity observed in September 2025 to UAC-0245.