CERT-UA warns of a new malicious campaign deploying CABINETRAT backdoor


The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a targeted cyber espionage campaign observed in September 2025 that uses malicious Microsoft Excel add-ins (XLL files) to deliver a new backdoor tracked as ‘CABINETRAT.’

CERT-UA attributed the activity to a threat cluster it monitors as UAC-0245. According to the agency, the threat actors distributed the XLL payloads inside ZIP archives shared via the Signal messaging app and disguised as a document about people detained after attempting to cross the Ukrainian border.

When executed, the XLL installer drops multiple files on the victim device, including an executable placed in the Windows Startup folder, an XLL named ‘BasicExcelMath.xll’ in %APPDATA%\Microsoft\Excel\XLSTART, and a PNG image called ‘Office.png.’ The campaign also makes Windows Registry changes to ensure persistence. The malware then launches excel.exe with the /e (embed) switch in hidden mode so the XLL add-in will load automatically.

The XLL’s primary role is to parse the PNG file and extract embedded shellcode, which CERT-UA identifies as CABINETRAT. Both the XLL and the shellcode include anti-analysis and anti-virtualization checks, such as verifying the host has at least two processor cores and 3 GB of RAM and scanning for hypervisor/tool indicators (VMware, VirtualBox, Xen, QEMU, Parallels, Hyper-V).
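The persistence chain above (an executable in the Startup folder, an XLL dropped into the XLSTART auto-load directory, Excel started with the /e switch) and the PNG carrier for the shellcode give a defender several concrete things to hunt for. The following script is an added example written for this article, not CERT-UA's tooling or an analysis of the actual samples. It runs two checks over constructed data: a hunt over Sysmon-style process-creation and file-creation records (the field names and sample paths are assumptions), and a generic PNG heuristic that reports bytes trailing the IEND chunk, which is one common way of smuggling a payload inside an otherwise valid image; the article does not state how CABINETRAT's shellcode is embedded, so treat that check as a general-purpose triage aid rather than a signature.

```python
"""Hunt for CABINETRAT-style persistence artifacts and PNG payload carriers.

Added example, not CERT-UA's code. Event records below are constructed and
mimic Sysmon-style telemetry; the field names are assumptions.
"""
import re
import struct
import zlib

# Auto-loaded Excel add-in directory used for persistence in the campaign
XLSTART_RE = re.compile(r"\\microsoft\\excel\\xlstart\\[^\\]+\.xll$", re.IGNORECASE)
# Per-user Startup folder (any executable here runs at logon)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.IGNORECASE)
# excel.exe started with the /e (embed) switch, which suppresses the start screen
EXCEL_EMBED_RE = re.compile(r"(^|\s)/e(\s|$)", re.IGNORECASE)


def hunt(events):
    """Return (indicator, evidence) tuples for records matching the campaign's TTPs."""
    findings = []
    for ev in events:
        if ev.get("type") == "file_create":
            path = ev.get("target", "")
            if XLSTART_RE.search(path):
                findings.append(("xll_in_xlstart", path))
            elif STARTUP_RE.search(path):
                findings.append(("exe_in_startup", path))
        elif ev.get("type") == "process_create":
            image = ev.get("image", "").lower()
            cmdline = ev.get("cmdline", "")
            if image.endswith("\\excel.exe") and EXCEL_EMBED_RE.search(cmdline):
                findings.append(("excel_embed_launch", cmdline))
    return findings


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the IEND chunk.

    A well-formed PNG ends exactly at IEND, so a non-zero result means extra
    data has been appended (a generic triage heuristic, not a CABINETRAT signature).
    """
    signature = b"\x89PNG\r\n\x1a\n"
    if not data.startswith(signature):
        raise ValueError("not a PNG file")
    pos = len(signature)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + payload + CRC
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    raise ValueError("IEND chunk not found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(trailing: bytes = b"") -> bytes:
    """Construct a minimal 1x1 PNG and optionally append bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"") + trailing


# Constructed telemetry: three records matching the campaign, two benign ones.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll"},
    {"type": "file_create",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e'},
    {"type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\victim\Documents\budget.xlsx"'},
    {"type": "file_create", "target": r"C:\Users\victim\Documents\notes.txt"},
]


if __name__ == "__main__":
    for indicator, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{indicator}] {evidence}")
    print("clean PNG trailing bytes:", png_trailing_bytes(build_png()))
    print("stuffed PNG trailing bytes:", png_trailing_bytes(build_png(b"\x90" * 16)))
```

The regexes key on the directories the article names rather than on file names, because ‘BasicExcelMath.xll’ and ‘Office.png’ are trivially renamed; an XLL appearing in XLSTART at all is rare in most environments and is worth an alert on its own. The /e check should be tuned against a baseline, since some legitimate automation (OLE embedding) also starts Excel that way.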

CERT-UA says CABINETRAT, a full-featured backdoor written in C, is capable of collecting system information and a list of installed programs, taking screenshots, enumerating directory contents, deleting files or directories, executing commands, and performing file uploads and downloads. Communications with the operator are carried out over a TCP connection.

Last week, Fortinet’s FortiGuard Labs warned about different attacks on Ukraine that impersonated the National Police and used a fileless phishing approach to deliver the Amatera stealer and PureMiner cryptomining payloads.
