
CABINETRAT Backdoor

Infosec researchers have published an alert about a targeted campaign observed in September 2025 that installs a C-language backdoor tracked as CABINETRAT. According to the Computer Emergency Response Team of Ukraine (CERT‑UA), the activity is attributed to a tracked cluster (UAC‑0245); the analysts discovered weaponized Microsoft Excel add‑ins (XLL files) used in the attack chain.

ZIP Files And A Fake Police Document

According to the reports, attackers packaged the malicious XLLs inside ZIP archives and distributed them over the Signal messaging app, posing as a document related to detentions at the Ukrainian border. When a victim extracts and opens the XLL, the drop sequence begins.

What The Dropper Creates

Several files are generated on the compromised system, including:

  • an EXE placed into the Windows Startup folder
  • an XLL named BasicExcelMath.xll in %APPDATA%\Microsoft\Excel\XLSTART\
  • a PNG named Office.png that actually carries embedded shellcode

These files are created on the host for persistence and payload staging.

How The Payload Is Activated

The implanted XLL configures Registry entries to ensure the EXE runs on startup, then launches Excel (excel.exe) with the /e (embed) switch in hidden mode so the add‑in loads silently. The loaded XLL extracts shellcode concealed inside the accompanying PNG image; that shellcode is the CABINETRAT implant. Microsoft's guidance notes that untrusted XLL add‑ins are commonly abused by threat actors, and modern Excel versions block untrusted XLLs by default, but social engineering and user approval can still let them run.
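A triage script for the dropper artifacts and the activation step described above, added here as an example and not code from the report or from CERT‑UA. It runs over constructed sample telemetry (process-creation events and a file listing, not real logs); the assumption that the Startup-folder EXE is the parent of the hidden excel.exe /e launch is a hypothesis for hunting, since /e is also used by legitimate embedding.

```python
import re
from pathlib import PureWindowsPath

XLSTART = "\\microsoft\\excel\\xlstart\\"          # %APPDATA%\Microsoft\Excel\XLSTART\
STARTUP = "\\start menu\\programs\\startup\\"      # per-user Startup folder


def flag_excel_launch(event):
    """True if excel.exe was started with the /e (embed) switch by a parent
    living in a Startup folder (assumed launch chain, see lead-in)."""
    if PureWindowsPath(event["image"]).name.lower() != "excel.exe":
        return False
    embedded = re.search(r"(?:^|\s)/e(?:\s|$)", event["cmdline"], re.IGNORECASE) is not None
    parent_in_startup = STARTUP in event["parent"].lower()
    return embedded and parent_in_startup


def flag_files(paths):
    """Classify paths against the dropper artifacts: an XLL or a PNG in
    XLSTART, and an EXE in the Startup folder."""
    findings = []
    for p in paths:
        low = p.lower()
        if XLSTART in low and low.endswith(".xll"):
            findings.append(("xll_in_xlstart", p))
        elif XLSTART in low and low.endswith(".png"):
            findings.append(("image_in_xlstart", p))
        elif STARTUP in low and low.endswith(".exe"):
            findings.append(("exe_in_startup", p))
    return findings


# Constructed sample telemetry (Sysmon-style fields); user and file names are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /e',
     "parent": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchelper.exe"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Documents\budget.xlsx"',
     "parent": r"C:\Windows\explorer.exe"},
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\Office.png",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchelper.exe",
    r"C:\Users\alice\Documents\budget.xlsx",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("SUSPICIOUS" if flag_excel_launch(ev) else "ok", ev["cmdline"])
    for kind, path in flag_files(SAMPLE_FILES):
        print(kind, path)
```

On a live host, feed the script a real process-creation export and a directory listing of XLSTART and the Startup folder; any XLL or image in XLSTART that the organization did not deploy deserves manual review.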

Anti-Analysis And Sandbox Measures

Both the XLL loader and the in‑memory shellcode perform anti‑VM and anti‑analysis checks. Examples observed in the samples include verifying that there are at least two CPU cores, checking for a minimum of roughly 3 GB of RAM, and hunting for virtualization or analysis artifacts (VMware, VirtualBox, Xen, QEMU, Parallels, Hyper‑V). These checks are intended to abort execution or alter behavior in lab or sandbox environments, reducing the likelihood of detection.

CABINETRAT’s Malicious Capabilities

CABINETRAT is a full backdoor written in C. Its documented capabilities include: system enumeration (OS and hardware info), listing installed applications, taking screenshots, enumerating directories, removing specified files or folders, executing arbitrary commands, and uploading/downloading files. Network communications occur over a TCP channel to remote Command‑and‑Control (C2) infrastructure, allowing operators to interact with infected hosts. 

Similar Campaigns Against Ukraine

This disclosure comes on the heels of other highly targeted campaigns against Ukrainian entities. Researchers recently reported a separate fileless phishing operation that impersonated the National Police of Ukraine and delivered payloads such as Amatera Stealer (data theft) and PureMiner (cryptomining), illustrating that multiple vectors and malware families are being used in parallel against organizations in the region. 

Monitor, Isolate, Remediate

Given the active, targeted nature of this campaign and the operators' anti‑analysis tactics, defenders should assume any suspicious Signal‑delivered archive containing Office add‑ins is potentially malicious. Prioritize containment of suspected hosts, collect volatile artifacts (process lists, memory, network connections), and share confirmed indicators with CERT‑UA or your local CSIRT to help map and disrupt the actor's operations.
