Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT. The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245. The agency said it spotted the attack following the discovery of software tools taking the form of XLL files, which refer to Microsoft Excel
AI Analysis
Technical Summary
In September 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) detected a targeted cyberattack campaign attributed to the threat cluster UAC-0245 involving a backdoor named CABINETRAT. The attack vector uses malicious Microsoft Excel XLL add-ins (native add-in libraries that Excel loads like a DLL), distributed within ZIP archives shared via the Signal messaging app. These ZIP files are disguised as documents concerning individuals detained at the Ukrainian border, leveraging social engineering to entice victims to open them. Once the XLL add-in is executed, it drops several files on the victim’s machine: an executable placed in the Startup folder to ensure persistence, an XLL file named "BasicExcelMath.xll" in the Excel startup directory, and a PNG image named "Office.png". The malware modifies Windows Registry keys to maintain persistence and launches Excel in hidden mode with the embedded XLL add-in. The XLL add-in extracts shellcode from the PNG file, which is the CABINETRAT backdoor payload. CABINETRAT, written in C, provides extensive capabilities including system information gathering, installed program enumeration, screenshot capture, directory listing, file deletion, command execution, and file upload/download. It communicates with its command and control server over TCP. The malware incorporates anti-analysis and anti-virtualization techniques, such as checking for minimum CPU cores, RAM, and the presence of virtualization software like VMware, VirtualBox, and Hyper-V, to evade sandbox detection. Although the campaign has so far been reported only in Ukraine, the use of widely deployed tools like Excel add-ins and Signal for distribution indicates a sophisticated, stealthy approach targeting specific victims. This campaign follows other recent Ukraine-targeted attacks involving phishing and malware delivery, highlighting ongoing cyber threats in the region.
Potential Impact
For European organizations, especially those with business, governmental, or humanitarian links to Ukraine, this threat poses a risk of targeted espionage and data theft. CABINETRAT’s capabilities to gather system information, capture screenshots, and exfiltrate files can lead to significant confidentiality breaches. The malware’s ability to delete files and execute arbitrary commands also threatens system integrity and availability. The use of legitimate applications (Excel and Signal) for delivery increases the likelihood of successful infection, as these tools are widely used across Europe. While the current campaign appears low in scale and sophistication relative to more destructive malware, the stealth and persistence mechanisms could enable prolonged undetected access, facilitating espionage or preparation for future disruptive operations. European organizations involved in critical infrastructure, government, defense, or those supporting Ukrainian interests should be particularly vigilant. The threat could also serve as a template for similar attacks targeting other regions.
Mitigation Recommendations
European organizations should implement advanced email and messaging filtering to detect and block suspicious ZIP archives, especially those containing XLL files. Endpoint protection solutions must be configured to monitor and alert on unusual Excel add-in activity, particularly the creation of executables in startup folders and modifications to Excel startup directories and Windows Registry keys. Behavioral detection should focus on hidden launches of Excel with embedded add-ins and the presence of unusual PNG files potentially carrying shellcode. Network monitoring should be enhanced to detect anomalous TCP connections to unknown external servers. Organizations should enforce strict application whitelisting policies to prevent unauthorized executables from running at startup. User awareness training should emphasize the risks of opening unexpected attachments or links in messaging apps like Signal, especially those purporting to relate to sensitive geopolitical topics. Regular audits of installed Excel add-ins and startup folder contents can help identify persistence mechanisms. Finally, organizations should maintain up-to-date threat intelligence feeds and collaborate with CERTs to stay informed about evolving tactics used by threat actors like UAC-0245.
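The detection points listed above (an executable dropped into the Startup folder, an XLL dropped into an Excel startup directory, Excel launched by something other than the user's shell, and TCP traffic from the Excel process) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from CERT-UA or the article; the events are constructed, Sysmon-shaped records, and the parent-process heuristic and the dropped executable's name are assumptions for the demo.

```python
"""Rules for the CABINETRAT persistence chain summarized above.

Added example, not code from CERT-UA or the article. Input records are
constructed, Sysmon-shaped dicts (EventID 11 FileCreate, 1 ProcessCreate,
3 NetworkConnect); the sample paths and the "update.exe" name are made up.
"""
import re

# Persistence locations named in the report: an .exe in the user's Startup folder
# and an .xll in an Excel startup (XLSTART) directory.
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
XLSTART_XLL = re.compile(r"\\XLSTART\\[^\\]+\.xll$", re.I)
# Heuristic (assumption): interactive Excel is started by explorer.exe (or svchost
# for COM activation); in the report's chain the dropped Startup executable launches it.
SHELL_PARENTS = ("explorer.exe", "svchost.exe")

def detect(event):
    """Return the rule names this single event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "")
    if eid == 11 and STARTUP_EXE.search(target):
        hits.append("exe_dropped_in_startup_folder")
    if eid == 11 and XLSTART_XLL.search(target):
        hits.append("xll_dropped_in_excel_startup")
    if eid == 1 and image.endswith("excel.exe"):
        parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent not in SHELL_PARENTS:
            hits.append("excel_launched_by_non_shell_parent")
    # The XLL runs the shellcode inside Excel, so the C2 session is TCP from excel.exe.
    if eid == 3 and image.endswith("excel.exe") and event.get("Protocol") == "tcp":
        hits.append("excel_outbound_tcp")
    return hits

def scan(events):
    """Run every rule over an event stream; returns (event index, rule) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in detect(ev)]

# Constructed sample stream: one benign Excel launch, then the chain from the report.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "TargetFilename": STARTUP + r"\update.exe"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll"},
    {"EventID": 1, "Image": EXCEL, "ParentImage": STARTUP + r"\update.exe"},
    {"EventID": 3, "Image": EXCEL, "Protocol": "tcp", "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Any one rule fires on legitimate activity occasionally (users do install XLL add-ins); the value is in seeing several of them from the same host within minutes, which is how the chain above would appear.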
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Article Source
https://thehackernews.com/2025/10/ukraine-warns-of-cabinetrat-backdoor.html (fetched 2025-10-07)