
CERT-UA Warns of UAC-0245 Targeting Ukraine with CABINETRAT Backdoor via Malicious Excel XLL Add-ins
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a cyberattack campaign conducted by the threat group UAC-0245. The campaign, observed in September 2025, uses malicious Excel XLL add-ins to deliver the CABINETRAT backdoor. The add-ins are disguised as legitimate tools, with filenames such as "UBD Request.xll" and "recept_ruslana_nekitenko.xll".

The attack vector abuses the functionality of Excel XLL add-ins, which are native dynamic link libraries that Excel loads to extend its capabilities. Once a user is tricked into enabling a malicious add-in, the attacker's code runs with the same privileges as that user, which can lead to full system compromise. The CABINETRAT backdoor gives the attackers remote access to the compromised system, allowing them to exfiltrate data, execute commands, and maintain persistence.

This campaign underscores the ongoing cyber threats faced by Ukraine, particularly from state-sponsored or politically motivated threat actors. The use of Excel XLL add-ins as a delivery mechanism highlights the need for organizations to monitor and restrict the use of such files, deploy robust endpoint detection and response solutions, and conduct regular security awareness training. The campaign also demonstrates the continued evolution of attack techniques and the importance of vigilance in detecting and mitigating such threats. However, the reported date of September 2025 is unusual and may require verification.
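As an added example (not part of the CERT-UA advisory or this report), the following Python triages Sysmon-style image-load events for XLL add-ins that Excel loaded from untrusted locations, which is one concrete way to act on the "monitor and restrict" recommendation above. The event records, the user name, the benign vendor add-in path, the trusted install roots and the staging-directory names are assumptions constructed for this example; only the two malicious filenames come from the report.

```python
from pathlib import PureWindowsPath

# Constructed sample records in a simplified Sysmon Event ID 7 (ImageLoad) layout.
# Field names follow Sysmon's; the user, host paths and benign add-in are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\olena\Downloads\UBD Request.xll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Vendor\Addins\vendor_tools.xll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\olena\AppData\Local\Temp\recept_ruslana_nekitenko.xll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",  # not Excel: out of scope
     "ImageLoaded": r"C:\Users\olena\Downloads\UBD Request.xll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

# Assumed allow-list of roots where an administratively installed add-in should live.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")
# Directory names that usually mean "freshly downloaded or extracted by the user".
STAGING_DIRS = {"downloads", "temp", "desktop"}

def triage_xll_loads(events):
    """Return [(loaded_path, [reasons])] for each XLL Excel loaded that looks untrusted."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only ImageLoad events carry the loaded module path
        if PureWindowsPath(ev["Image"]).name.lower() != "excel.exe":
            continue  # XLL add-ins are an Excel mechanism; other loaders are noise here
        loaded = PureWindowsPath(ev["ImageLoaded"])
        if loaded.suffix.lower() != ".xll":
            continue
        lowered = str(loaded).lower()
        reasons = []
        if not any(lowered.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS):
            reasons.append("outside trusted install roots")
        if any(part.lower() in STAGING_DIRS for part in loaded.parent.parts):
            reasons.append("loaded from a user staging directory")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("module not signed")
        if reasons:
            findings.append((str(loaded), reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in triage_xll_loads(SAMPLE_EVENTS):
        print(f"ALERT {path}: {', '.join(reasons)}")
```

The signed vendor add-in under Program Files produces no alert, while both sample malicious files are flagged on all three criteria; the same XLL loaded by a non-Excel process is ignored because the add-in mechanism only matters inside Excel.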