UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER Fuel Phishing Campaigns in Ukraine

Daryna Olyniychuk, Detection Market Analyst

Since January 2026, CERT-UA has been tracking a series of intrusions attributed to UAC-0252 and built around SHADOWSNIFF and SALATSTEALER infostealers. The campaigns rely on well-crafted phishing lures, payload staging on legitimate infrastructure, and user-driven execution of disguised EXE files.

Detect UAC-0252 Attacks Covered in CERT-UA#20032

According to the Phishing Trends Q2 2025 research by Check Point, phishing remains a core tool for cybercriminals, and the impersonation of widely trusted, high-usage brands continues to rise. Against the backdrop of more coordinated and sophisticated operations aimed at critical infrastructure and government organizations, CISA published its 2025–2026 International Strategic Plan to advance global risk reduction and improve collective resilience.

Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0252 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.

Security experts can also use the “CERT-UA#20032” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes. For more rules to detect adversary-related attacks, cyber defenders can search the Threat Detection Marketplace library using the “UAC-0252” tag.

SOC Prime users can also rely on Uncoder AI to create detections from raw threat reports, document and optimize rule code, and generate Attack Flows in a couple of clicks. By leveraging threat intel from the latest CERT-UA alert, teams can easily convert IOCs into performance-optimized queries ready to hunt in the chosen SIEM or EDR environment.

IOC-to-query conversion via Uncoder based on UAC-0252 IOCs from CERT-UA

Analyzing UAC-0252 Attacks Using SHADOWSNIFF and SALATSTEALER

Since January 2026, CERT-UA has been tracking repeated phishing campaigns targeting entities in Ukraine. The email messages are crafted to impersonate central government bodies or regional administrations and typically urge recipients to update mobile apps used in widely deployed civilian and military systems.

The CERT-UA#20032 alert describes two delivery paths. In the first, the email carries an attached archive containing an EXE file; the attacker relies on the recipient to open the archive and run the executable. In the second, the email links to a legitimate website that is vulnerable to cross-site scripting (XSS): when the victim visits the page, the injected JavaScript runs in the browser and downloads an executable file onto the computer. In both scenarios, CERT-UA notes that the EXE files and scripts are hosted on the legitimate GitHub service, which helps the activity blend into normal web traffic and makes basic domain blocking less effective in many environments.
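Both delivery paths end the same way: an EXE lands in a user-writable folder with a download origin on GitHub and is then launched by the user. The following is an added example (not code from CERT-UA or SOC Prime) of a minimal correlation over constructed, simplified events modeled on Sysmon Event ID 15 (FileCreateStreamHash, which records the Zone.Identifier Mark-of-the-Web including its HostUrl) and Event ID 1 (ProcessCreate); the event field names, the staging host list and the sample paths are assumptions for the demo.

```python
# Added example, not from the CERT-UA alert or SOC Prime content.
# Flags an EXE that (1) was written to a user-writable folder with a
# Zone.Identifier whose HostUrl points at GitHub and (2) was then executed.
from urllib.parse import urlparse

# Hosts used for payload staging per the report (constructed list; extend as needed).
STAGING_HOSTS = {"github.com", "raw.githubusercontent.com"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

def is_staging_url(url: str) -> bool:
    """True when the download origin is GitHub itself or a GitHub content CDN host."""
    host = (urlparse(url).hostname or "").lower()
    return host in STAGING_HOSTS or host.endswith(".githubusercontent.com")

def correlate(events):
    """events: dicts in time order, shaped like simplified Sysmon records:
       {"id": 15, "file": path, "contents": "[ZoneTransfer]...HostUrl=..."}
       {"id": 1,  "image": path, "parent": path, "user": name}
    Returns one alert string per matching execution."""
    origin = {}   # lower-cased EXE path -> HostUrl recorded in its Mark-of-the-Web
    alerts = []
    for ev in events:
        if ev["id"] == 15 and ev["file"].lower().endswith(".exe"):
            for line in ev.get("contents", "").splitlines():
                if line.lower().startswith("hosturl="):
                    origin[ev["file"].lower()] = line.split("=", 1)[1].strip()
        elif ev["id"] == 1:
            image = ev["image"].lower()
            url = origin.get(image)
            if url and is_staging_url(url) and any(d in image for d in USER_WRITABLE):
                alerts.append(f"{ev['user']} ran {ev['image']} fetched from {url} "
                              f"(parent {ev['parent']})")
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"id": 15, "file": r"C:\Users\olena\Downloads\update.exe",
     "contents": "[ZoneTransfer]\r\nZoneId=3\r\n"
                 "HostUrl=https://github.com/example-org/app/releases/download/v1/update.exe\r\n"},
    {"id": 1, "image": r"C:\Users\olena\Downloads\update.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "olena"},
    {"id": 15, "file": r"C:\Users\olena\Downloads\report.pdf",
     "contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://github.com/x/y\r\n"},
    {"id": 1, "image": r"C:\Program Files\Vendor\tool.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "olena"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Archive tools that do not propagate the Mark-of-the-Web to extracted files leave no Zone.Identifier, so the archive path can slip past this check; pair it with a rule on EXEs launched from archive extraction temp folders.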

During January and February 2026, CERT-UA confirmed that the activity used several malicious tools, including SHADOWSNIFF, SALATSTEALER, and DEAFTICK. 

SHADOWSNIFF was reported as being hosted on GitHub, while SALATSTEALER is commonly described as a Go-based infostealer that targets browser credentials, steals active sessions, and collects crypto-related data, operating under a Malware-as-a-Service (MaaS) model. In the same toolset, CERT-UA also reported DEAFTICK, a primitive backdoor written in Go that likely helps attackers maintain basic access on compromised hosts and support follow-on actions.


During repository analysis, CERT-UA reports discovering a program with the characteristics of a ransomware encryptor, internally named «AVANGARD ULTIMATE v6.0». The same GitHub ecosystem also contained an archive with an exploit for WinRAR (CVE-2025-8088), a path traversal issue in WinRAR for Windows that can enable arbitrary code execution via crafted archives and has been reported as exploited in the wild. This suggests the operators were not only stealing credentials but also experimenting with additional tooling that could expand impact.

Based on the investigation details and the tooling overlaps, including experiments with publicly available instruments, CERT-UA links the described activity to individuals discussed in the «PalachPro» Telegram channel, while continuing to track the campaign under UAC-0252.

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0252 phishing campaigns targeting Ukrainian entities. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

Tactics | Techniques | Sigma Rules
Initial Access | Phishing: Spearphishing Attachment (T1566) |
Execution | Exploitation for Client Execution (T1203) |
Execution | User Execution: Malicious File (T1204.002) |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) |
Defense Evasion | Masquerading: Masquerade Task or Service (T1036.004) |
Defense Evasion | Masquerading: Match Legitimate Resource Name or Location (T1036.005) |
Defense Evasion | Process Injection: Process Hollowing (T1055.012) |
Defense Evasion | Impair Defenses: Disable or Modify Tools (T1562.001) |
Defense Evasion | Hide Artifacts: Hidden Files and Directories (T1564.001) |
Defense Evasion | Hide Artifacts: File/Path Exclusions (T1564.012) |
Command and Control | Application Layer Protocol: Web Protocols (T1071.001) |


Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.