Mallory
Malware (used by 1 actor)

CABINETRAT

CABINETRAT is a Windows backdoor/RAT, also referred to as Cabinerat, observed in targeted espionage and financially motivated intrusions. High-confidence reporting ties it to September 2025 campaigns attributed by CERT-UA to UAC-0245 targeting Ukrainian organizations, including members of the Ukrainian Officers Union, with lures distributed via Signal. In those campaigns, attackers used malicious Microsoft Excel XLL add-ins, including files such as "UBD Request.xll" and "recept_ruslana_nekitenko.xll," often delivered in an archive named "500.zip" disguised as a border-detention-related document. The XLLs ran from the exported function "xlAutoOpen," which Excel calls when it loads an add-in, and dropped persistence components: an EXE in the Windows Startup folder, an XLL such as "BasicExcelMath.xll" under %APPDATA%\Microsoft\Excel\XLSTART\, and a PNG file named "Office.png." They then launched Excel hidden with the /e or /embed parameter and extracted CABINETRAT shellcode from the PNG file for execution.

CABINETRAT is described as a full-featured backdoor written in C and delivered as shellcode. Reported capabilities include collecting operating system and installed-program information, system discovery, enumerating directories and logical disks, calculating used disk space, checking administrative privileges via membership in SID S-1-5-32-544 (the local Administrators group), executing commands, handling files, uploading and downloading files, deleting files or directories, and capturing screenshots (for example saving screenshot.jpg). Its command-and-control communications use TCP; CERT-UA reported an initial port-knock-like probing sequence over ports 18700, 42831, 20046, and 33976, message compression with MSZIP, message splitting for large data, and a handshake in which the client sends "Ninja" and the server replies "Bonjour."
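One way to hunt for the reported probing sequence in connection telemetry, as an added example rather than CERT-UA's or Mallory's code: the log layout (`ts src dst dport`) and the 60-second window are assumptions, not values from the reporting.

```python
"""Flag source/destination pairs that hit the four CABINETRAT probe ports in order."""
from collections import defaultdict

KNOCK_SEQUENCE = (18700, 42831, 20046, 33976)  # ports reported by CERT-UA
WINDOW_SECONDS = 60                             # assumed: the probes arrive close together

def parse_conn_line(line):
    """Parse a constructed 'ts src dst dport' record into (float, str, str, int)."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)

def find_knock_sequences(lines, window=WINDOW_SECONDS):
    """Return (src, dst, first_ts) for each pair that completes the sequence
    within `window` seconds. Connections to unrelated ports in between are
    ignored; a fresh first-port hit restarts a partial match."""
    progress = defaultdict(lambda: [0, None])  # (src, dst) -> [next index, start ts]
    hits = []
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, src, dst, dport = parse_conn_line(line)
        state = progress[(src, dst)]
        if state[1] is not None and ts - state[1] > window:
            state[0], state[1] = 0, None       # partial match went stale
        idx = state[0]
        if dport == KNOCK_SEQUENCE[idx]:
            if idx == 0:
                state[1] = ts
            state[0] = idx + 1
            if state[0] == len(KNOCK_SEQUENCE):
                hits.append((src, dst, state[1]))
                state[0], state[1] = 0, None
        elif dport == KNOCK_SEQUENCE[0]:
            state[0], state[1] = 1, ts         # restart on a new first knock
    return hits

SAMPLE_CONN_LOG = [  # constructed, not real telemetry
    "1000.0 10.0.0.5 203.0.113.10 18700",
    "1001.5 10.0.0.5 203.0.113.10 443",     # unrelated traffic in between
    "1002.0 10.0.0.5 203.0.113.10 42831",
    "1003.0 10.0.0.5 203.0.113.10 20046",
    "1004.0 10.0.0.5 203.0.113.10 33976",
    "1005.0 10.0.0.7 203.0.113.10 18700",
    "1006.0 10.0.0.7 203.0.113.10 20046",   # out of order: never completes
    "1007.0 10.0.0.7 203.0.113.10 42831",
    "1008.0 10.0.0.7 203.0.113.10 33976",
]

if __name__ == "__main__":
    print(find_knock_sequences(SAMPLE_CONN_LOG))
```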

Reported persistence mechanisms include Startup folder placement, Registry Run key persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and scheduled task creation via schtasks.exe. CABINETRAT also queries HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\EXCEL.EXE to locate Excel and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to inspect values such as AppInit_DLLs and LoadAppInit_DLLs.
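A host-side hunt for the persistence chain described above, added here as an example and not code from CERT-UA or Mallory: it scores simplified Sysmon-style events (constructed dicts with `host`, `event`, `image`, `cmdline`, `target` keys, an assumed layout) so that a lone XLL in XLSTART, which legitimate add-ins also produce, is only flagged alongside another stage such as the hidden Excel launch or the dropped PNG.

```python
"""Score constructed Sysmon-style events for the CABINETRAT XLL persistence chain."""
import re

XLSTART_XLL = re.compile(r"\\Microsoft\\Excel\\XLSTART\\[^\\]+\.xll$", re.I)
XLSTART_PNG = re.compile(r"\\Microsoft\\Excel\\XLSTART\\Office\.png$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
EXCEL_HIDDEN = re.compile(r"excel\.exe\"?\s+/(e|embed)\b", re.I)  # /e or /embed launch

def _is_schtasks_create(e):
    return (e.get("image", "").lower().endswith("schtasks.exe")
            and "/create" in e.get("cmdline", "").lower())

# indicator name -> (event type it appears in, predicate over the event)
INDICATORS = {
    "xll_in_xlstart":  ("FileCreate",       lambda e: XLSTART_XLL.search(e.get("target", ""))),
    "office_png":      ("FileCreate",       lambda e: XLSTART_PNG.search(e.get("target", ""))),
    "startup_exe":     ("FileCreate",       lambda e: STARTUP_EXE.search(e.get("target", ""))),
    "run_key":         ("RegistryValueSet", lambda e: RUN_KEY.search(e.get("target", ""))),
    "excel_hidden":    ("ProcessCreate",    lambda e: EXCEL_HIDDEN.search(e.get("cmdline", ""))),
    "schtasks_create": ("ProcessCreate",    _is_schtasks_create),
}

def match_indicators(events):
    """Return {host: set of indicator names observed on that host}."""
    per_host = {}
    for e in events:
        for name, (event_type, pred) in INDICATORS.items():
            if e.get("event") == event_type and pred(e):
                per_host.setdefault(e["host"], set()).add(name)
    return per_host

def suspicious_hosts(events, min_stages=2):
    """Hosts showing at least `min_stages` distinct chain stages (sorted names)."""
    return {h: sorted(s) for h, s in match_indicators(events).items() if len(s) >= min_stages}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS01", "event": "FileCreate",
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll"},
    {"host": "WS01", "event": "FileCreate",
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Excel\XLSTART\Office.png"},
    {"host": "WS01", "event": "ProcessCreate",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /embed'},
    {"host": "WS02", "event": "FileCreate",  # single legitimate add-in: below threshold
     "target": r"C:\Users\b\AppData\Roaming\Microsoft\Excel\XLSTART\Analysis.xll"},
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))
```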

The malware includes multiple anti-analysis and defensive-evasion behaviors. Reported checks include requiring at least two CPU cores and at least 3 GB of RAM, checking for virtualization platforms and artifacts including VMware, VirtualBox, Xen, QEMU, Parallels, Hyper-V, and Virtual PC, validating that the user SID does not end with "500" (the built-in Administrator RID), checking the PEB BeingDebugged flag, detecting Wine via Kernel32.dll export inconsistencies, and enumerating display devices for VM-associated artifacts. It also manipulates Microsoft Office resiliency settings by exporting the HKCU\Software\Microsoft\Office hive and deleting Excel DisabledItems entries (the list of add-ins Excel has disabled after a crash) under versions 16.0, 15.0, and 14.0, so that its malicious add-in is loaded again.

Reporting states that CABINETRAT is intended to provide stealthy, long-term access and to support follow-on actions such as surveillance and data exfiltration. Preferred victims are described as mid-to-large enterprises in sensitive sectors such as government and telecom. Attribution beyond UAC-0245 is unclear in the available material, though one source notes that analysts have flagged possible connections to East Asia-origin tooling and infrastructure.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UAC-0245

30.09.2025 CABINETRAT backdoor used by UAC-0245 for targeted cyberattacks against the Union of Officers of Ukraine (SOU) (CERT-UA#17479)

via CERT-UA (cert.gov.ua)
ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.