Ukraine Warns of Weaponized XLL Files Delivering CABINETRAT Malware via Zip Archives

Ukraine’s national cyber incident response team, CERT-UA, has issued an urgent warning about a new malware campaign that weaponizes Excel add-in (XLL) files to deploy the CABINETRAT backdoor.

Throughout September 2025, CERT-UA analysts discovered multiple malicious XLL files masquerading as benign documents, including “Звернення УБД.xll” and “recept_ruslana_nekitenko.xll,” which exploit Excel’s Add-in Manager and the xlAutoOpen export function to gain execution on targeted systems.

The operation has since expanded beyond email lures. Intelligence shared through Signal revealed that attackers distributed a ZIP archive named “500.zip” under the guise of a document detailing arrests at Ukraine’s border.

Inside this archive was “dodatok.xll,” a malicious add-in which, when loaded, drops several payloads onto the victim’s machine. These include:

  • A randomly named executable (internally called “runner.exe”) placed in both %APPDATA%\Microsoft\Office and the user’s Startup folder.
  • A loader XLL file named “BasicExcelMath.xll” (internal name “loader.xll”) installed in %APPDATA%\Microsoft\Excel\XLSTART.
  • A PNG image “Office.png” containing the CABINETRAT shellcode.

To ensure persistence, the malware creates a random registry key in HKCU\...\Run and schedules an hourly task under a random name that runs the dropped executable with limited privileges.

It also verifies the Excel path via HKLM\...\App Paths\EXCEL.EXE, and clears entries in the DisabledItems registry branches for Office versions 14.0, 15.0, and 16.0.

When the victim launches Excel with the /e (embed) parameter, the “BasicExcelMath.xll” file auto-loads without displaying a new workbook.

It reads “Office.png,” locates and decrypts the embedded shellcode, and then invokes it using VirtualProtect and CreateThread. CERT-UA analysts confirmed the shellcode as the CABINETRAT backdoor, a full-featured malware written in C that supports information gathering, command execution, file operations, screenshot capture, and TCP communication.
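The persistence and loading chain above leaves several distinct artifacts on a host (an XLL in XLSTART, an executable under the Office profile folder or Startup, a new Run value, deleted DisabledItems entries, Excel started with /e). The following Python is an added hunting example, not CERT-UA's tooling: it runs table-driven checks over Sysmon-style events (a constructed shape with `host`, `type` and a path, key or command-line field) and correlates hits per host, since any one stage on its own is easy to dismiss. The full registry location of the DisabledItems branch is assumed; the other paths come from the report.

```python
"""Hunt endpoint telemetry for the CABINETRAT persistence chain CERT-UA describes."""
import re
from collections import defaultdict

# (event type, field, pattern, indicator). Paths are matched after %APPDATA% expansion;
# the Resiliency\DisabledItems location is assumed, the rest comes from the report.
RULES = [
    ("file_create", "path", r"\\Microsoft\\Excel\\XLSTART\\[^\\]+\.xll$", "xll_in_xlstart"),
    ("file_create", "path", r"\\Microsoft\\Office\\[^\\]+\.exe$", "exe_in_office_dir"),
    ("file_create", "path", r"\\Programs\\Startup\\[^\\]+\.exe$", "exe_in_startup"),
    ("registry_set", "key", r"\\CurrentVersion\\Run\\[^\\]+$", "run_key_added"),
    ("registry_delete", "key", r"\\Office\\1[456]\.0\\Excel\\Resiliency\\DisabledItems", "disableditems_cleared"),
    ("process_create", "cmdline", r'excel\.exe"?\s+/e\b', "excel_embed_launch"),
]
COMPILED = [(t, f, re.compile(p, re.I), n) for t, f, p, n in RULES]

def classify(ev):
    """Indicators a single event matches (a set; usually empty or one name)."""
    return {n for t, f, rx, n in COMPILED if ev["type"] == t and rx.search(ev.get(f, ""))}

def hunt(events):
    """Return {host: sorted distinct indicators}; correlating per host is the point,
    since one stage (an Excel /e launch, say) is unremarkable on its own."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]] |= classify(ev)
    return {h: sorted(n) for h, n in hits.items() if n}

def flagged(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct stages of the chain."""
    return sorted(h for h, n in hunt(events).items() if len(n) >= min_indicators)

SAMPLE_EVENTS = [  # constructed sample telemetry, not from the CERT-UA report
    {"host": "WS-01", "type": "file_create",
     "path": r"C:\Users\olena\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll"},
    {"host": "WS-01", "type": "file_create",
     "path": r"C:\Users\olena\AppData\Roaming\Microsoft\Office\qz7k1p.exe"},
    {"host": "WS-01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qz7k1p"},
    {"host": "WS-01", "type": "registry_delete",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Excel\Resiliency\DisabledItems\1A2B"},
    {"host": "WS-01", "type": "process_create",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e'},
    {"host": "WS-02", "type": "process_create",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e'},
]
```

With the sample data, WS-01 shows five stages and is flagged, while WS-02's lone Excel /e launch is not.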

CABINETRAT’s network protocol resembles port knocking: it attempts connections on ports 18700, 42831, 20046, and 33976 before establishing a TCP channel.

Once connected, it exchanges INIT packets (“Ninja”/“Bonjour”), compresses data using MSZIP via the Windows Compression API, and fragments payloads exceeding 65,535 bytes.

Its packet types support remote program execution, command output exfiltration, file transfer, BIOS GUID reporting, registry and disk enumeration, installed programs listing, directory listing, screenshot capture, error reporting, and file deletion.

To avoid detection and hinder analysis, all XLL components and the shellcode implement robust anti-VM and anti-analysis checks.

They verify the absence of wine_get_unix_file_name in kernel32.dll, inspect BIOS tables for virtualization vendors (“VMware,” “VirtualBox,” “QEMU,” etc.), enumerate display devices for hypervisor artifacts, check for at least two CPU cores and 3 GB of RAM, perform repeated CPUID execution time measurements via RDTSC, ensure the current user’s SID does not end with “500,” and test the debug flag in the Process Environment Block (PEB). Strings and code are obfuscated with 32-bit index tables referencing hidden data arrays.

Given the novelty of these tactics and techniques, and considering past XLL-based attacks by the UAC-0002 threat group targeting Ukrainian critical infrastructure, CERT-UA has assigned a new identifier, UAC-0245, to track this campaign.

Indicators of compromise include dozens of SHA-256 hashes for malicious XLL, EXE, PNG, and ZIP files, as well as registry keys, scheduled task names, file paths under %APPDATA% and %LOCALAPPDATA%, and the IP addresses 20[.]112.250.113 and 20[.]70.246.20 on ports 443 and 433.

Organizations and individuals are urged to block or closely monitor Excel add-in loading, inspect suspicious ZIP attachments, and apply network rules to restrict outbound traffic to the noted IP addresses.

Regularly updating endpoint security solutions to detect CABINETRAT signatures and enabling macro-execution restrictions within Office applications are also recommended as critical defenses against this evolving threat.
