
Ukraine Warns of Targeted Cyberattacks Using CABINETRAT Backdoor Delivered via Excel Add-ins
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about new targeted cyberattacks in the country involving a backdoor named CABINETRAT. These attacks, observed in September 2025, are attributed to a threat group tracked by CERT-UA as UAC-0245. The initial infection vector involves malicious XLL files, which are Excel add-ins capable of executing code when opened. The CABINETRAT backdoor allows attackers to gain remote access to compromised systems, posing significant risks to targeted entities. This campaign highlights the ongoing evolution of threat actor tactics, leveraging legitimate file types to deliver malware. For cybersecurity professionals, this underscores the importance of monitoring and restricting the use of Excel add-ins, as well as implementing robust endpoint detection and response solutions. The use of XLL files as an infection vector serves as a reminder that even seemingly benign file types can be weaponized, necessitating comprehensive security policies and user training programs to mitigate such risks.
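One way to act on the advice above to monitor Excel add-ins, as an added example that is not from CERT-UA or the original page: an XLL is a DLL that Excel loads and whose exported `xlAutoOpen` function it calls, so this check classifies a file by its PE export table rather than by its name. The function names, verdict strings and the `build_sample` test image are constructed for illustration.

```python
import struct

def pe_exports(data: bytes) -> list:
    """Return export names of a PE image, or [] if data is not a parseable PE."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsect, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        opt = pe + 24
        pe32_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
        exp_rva, = struct.unpack_from("<I", data, opt + (112 if pe32_plus else 96))
        sects = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                 for i in range(nsect)]  # (VirtualSize, VirtualAddress, RawSize, RawPtr)
        def off(rva):  # map an RVA to a file offset via the section table
            for vsize, vaddr, rsize, rptr in sects:
                if vaddr <= rva < vaddr + max(vsize, rsize):
                    return rva - vaddr + rptr
            raise ValueError("RVA outside every section")
        exp = off(exp_rva)                                     # export directory
        count, = struct.unpack_from("<I", data, exp + 24)     # NumberOfNames
        table = off(struct.unpack_from("<I", data, exp + 32)[0])  # AddressOfNames
        names = []
        for i in range(min(count, 4096)):  # cap: the count comes from an untrusted file
            start = off(struct.unpack_from("<I", data, table + 4 * i)[0])
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):  # truncated or malformed headers
        return []

def triage(name: str, data: bytes) -> str:
    """Classify a file: content decides, the extension only adds context."""
    if "xlAutoOpen" in pe_exports(data):
        return "xll-addin"  # caught even when renamed to another extension
    return "xll-extension-unparsed" if name.lower().endswith(".xll") else "not-xll"

def build_sample(export: bytes = b"xlAutoOpen") -> bytes:
    """Constructed, non-loadable PE32 image with one named export (test data only)."""
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # COFF header, DLL
    hdr += struct.pack("<H94xII120x", 0x10B, 0x1000, 0x100)          # PE32, export dir
    hdr += b".edata\0\0" + struct.pack("<IIII16x", 0x200, 0x1000, 0x200, 0x200)
    edata = struct.pack("<24xI4xI4xI", 1, 0x1028, 0x102C) + export + b"\0"
    return hdr.ljust(0x200, b"\0") + edata.ljust(0x200, b"\0")
```

A file with an `.xll` name that does not parse as a PE is reported separately so it can be reviewed rather than silently passed.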