Mallory
Malware | Ransomware | Used by 1 actor | Exploits 1 CVE

DEAFTICK

DEAFTICK is a primitive backdoor written in Go, observed by CERT-UA in phishing campaigns tracked as UAC-0252 targeting Ukraine during January-February 2026. In the reporting, it is also described as a surveillance module deployed alongside SHADOWSNIFF and SALATSTEALER. The campaigns used emails impersonating Ukrainian central executive authorities and regional administrations, urging recipients to update widely used civilian and military mobile applications. Delivery occurred either through attached archives containing EXE files or through links to legitimate websites vulnerable to XSS that executed JavaScript and downloaded an executable; the EXE payloads and scripts were hosted on GitHub resources. CERT-UA associated the activity with individuals discussed on the Telegram channel “PalachPro.” Known DEAFTICK file indicators include Diia_Update_4.7.1_Official.exe (MD5: e457cb42ca5a6ecd8b99d89ed2958b29, SHA-256: b5e685e57c625032ec067be94a2854cce1b7c5a51e8d6bd833841a893d5d88b7), EdgeUpdate.exe (MD5: f3dc1e16cde2995f701c8db509f351c9, SHA-256: e5941df780ae251bcafad3b833f45ee44bd1599ab45b7adf1f1c79510930642d), and build.exe (MD5: dcc2c9a08044e8b3e445f17461d054f1, SHA-256: 7b35b332a999d56d65241a4f35bbce2e9ad2644a84c09f7dbae42e39cd559bcf). Reported network indicators include http://150.241.64.21:8888/client/addclient, http://95.85.224.14:8000/client/addclient, and https://nfkavn.bond/client/addclient. Host-based indicators in the campaign include commands to hide %TMP%\svchost.exe, add a Microsoft Defender exclusion for that file, and create a Run key persistence value named WindowsUpdateService pointing to %TMP%\svchost.exe.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE that Mallory has correlated with this family across public research and vendor advisories.

CVE-2025-8088: WinRAR Windows ADS Path Traversal Arbitrary Code Execution (exploited in the wild)

UAC-0252 Campaign (Jan-Feb 2026): SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252, with DEAFTICK acting as the surveillance module. Initial vector: CVE-2025-8088 (WinRAR path traversal) distributed via the PalachPro Telegram channel.

Source: breakglass intel (intel.breakglass.tech)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UAC-0252: SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252, with DEAFTICK as the surveillance module.

Source: breakglass intel (intel.breakglass.tech)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques

T1189 Drive-by Compromise (evidence: 1)

“...a link to a legitimate website that is vulnerable to XSS (Cross-site scripting), which, when visited, will execute JavaScript code and download the executable file…”

T1566 Phishing (evidence: 1)

CERT-UA is recording ... the distribution of emails ... urging recipients to update mobile applications... The email may contain an attachment ... an EXE file, or a link to a legitimate website that is nonetheless vulnerable to XSS ...

T1566.001 Spearphishing Attachment (evidence: 1)

The email may contain an attachment in the form of an archive containing an EXE file

T1566.002 Spearphishing Link (evidence: 1)

...or a link to a legitimate website that is nonetheless vulnerable to XSS ... visiting which leads to the execution of JavaScript code and the subsequent download ... of an executable file

Execution

2 techniques

T1059.001 PowerShell (evidence: 1; tactic: Execution)

powershell -Command "Add-MpPreference -ExclusionPath '%TMP%\svchost.exe'"

T1203 Exploitation for Client Execution (evidence: 1; tactic: Execution)

...an archive with an exploit for the WinRAR vulnerability (CVE-2025-8088)

Persistence

1 technique

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdateService /t REG_SZ /d %TMP%\svchost.exe /f

Stealth

1 technique

T1564.001 Hidden Files and Directories (evidence: 1; tactic: Stealth)

attrib +h +s %TMP%\svchost.exe

T1071.001 Web Protocols (evidence: 1)

hXXp://150[.]241.64.21:8888/client/addclient; hXXps://nfkavn[.]bond/client/addclient; hXXps://salat[.]cn/sa1at/ ...

T1105 Ingress Tool Transfer (evidence: 2)

“The EXE files and scripts are hosted on the legitimate GitHub service.”

Other

1 technique

T1562.001 Disable or Modify Tools (evidence: 1)

powershell -Command "Add-MpPreference -ExclusionPath '%TMP%\svchost.exe'"
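As an added example (not code from the Mallory page or from CERT-UA), the following Python rules match the host commands and the shared C2 registration path listed above against constructed Sysmon-style process events and proxy URLs. The TEMP_DIR pattern, the rule names, the sample events and the svchost-outside-System32 heuristic are my assumptions, not part of the reporting.

```python
import re

# Added example: detection logic for the host and network indicators reported for the
# UAC-0252 / DEAFTICK campaign. Rules key on the behaviour (a payload staged in a temp
# directory that is hidden, excluded from Defender and registered for autorun).
TEMP_DIR = r"(?:%TMP%|%TEMP%|\\AppData\\Local\\Temp|\\Windows\\Temp)"  # assumption

RULES = {
    # attrib +h +s <temp>\<file>  (T1564.001)
    "hide_temp_file": re.compile(r"\battrib\b(?=.*\+h)(?=.*\+s).*" + TEMP_DIR, re.I),
    # Add-MpPreference -ExclusionPath <temp>\...  (T1562.001)
    "defender_exclusion_temp": re.compile(
        r"Add-MpPreference\b.*-ExclusionPath\s+\S*" + TEMP_DIR, re.I),
    # reg add ...\CurrentVersion\Run ... /d <temp>\...  (T1547.001)
    "run_key_temp_payload": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b.*/d\s+\S*" + TEMP_DIR, re.I),
    # svchost.exe referenced from any directory other than System32/SysWOW64 (masquerading)
    "svchost_outside_system32": re.compile(
        r"\\(?<!System32\\)(?<!SysWOW64\\)svchost\.exe", re.I),
}
# The three reported C2 URLs share one URI path on different hosts, so the path
# is a more durable proxy-log indicator than any single IP or domain.
C2_PATH = re.compile(r"^https?://[^/]+/client/addclient$", re.I)

def match_command(cmdline):
    """Return the names of every rule the process command line trips, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(events):
    """Run the rules over process-creation events (Sysmon Event ID 1 style dicts)."""
    hits = []
    for ev in events:
        names = match_command(ev.get("CommandLine", ""))
        if names:
            hits.append({"pid": ev["ProcessId"], "rules": names, "cmd": ev["CommandLine"]})
    return hits

def is_c2_beacon(url):
    """True when a proxy-log URL matches the reported DEAFTICK registration endpoint."""
    return bool(C2_PATH.match(url))

# Constructed sample events: the three commands CERT-UA reported plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "CommandLine": r"cmd.exe /c attrib +h +s %TMP%\svchost.exe"},
    {"ProcessId": 4133, "CommandLine":
     r'''powershell -Command "Add-MpPreference -ExclusionPath '%TMP%\svchost.exe'"'''},
    {"ProcessId": 4140, "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion"
     r"\Run /v WindowsUpdateService /t REG_SZ /d %TMP%\svchost.exe /f"},
    {"ProcessId": 812, "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 950, "CommandLine": r"attrib +r C:\Users\ann\Documents\notes.txt"},
]
```

Running scan(SAMPLE_EVENTS) flags only the three staged-payload commands; the legitimate svchost.exe launch from System32 and the unrelated attrib call produce no hits.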
