UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER Fuel Phishing Campaigns in Ukraine - SOC Prime
Detect UAC-0252 Attacks Covered in CERT-UA#20032
According to the Phishing Trends Q2 2025 research by Check Point, phishing remains a core tool for cybercriminals, and the impersonation of widely trusted, high-usage brands continues to rise. Against the backdrop of more coordinated and sophisticated operations aimed at critical infrastructure and government organizations, CISA published its 2025–2026 International Strategic Plan to advance global risk reduction and improve collective resilience.
Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0252 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.
EXPLORE DETECTIONS
Security experts can also use the “CERT-UA#20032” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes. For more rules to detect adversary-related attacks, cyber defenders can search the Threat Detection Marketplace library using the “UAC-0252” tag.
SOC Prime users can also rely on Uncoder AI to create detections from raw threat reports, document and optimize rule code, and generate Attack Flows in a couple of clicks. By leveraging threat intel from the latest CERT-UA alert, teams can easily convert IOCs into performance-optimized queries ready to hunt in the chosen SIEM or EDR environment.
Analyzing UAC-0252 Attacks Using SHADOWSNIFF and SALATSTEALER
Since January 2026, CERT-UA has been tracking repeated phishing campaigns targeting entities in Ukraine. The email messages are crafted to impersonate central government bodies or regional administrations and typically urge recipients to update mobile apps used in widely deployed civilian and military systems.
The CERT-UA#20032 alert describes two delivery paths. In the first, the email carries an attached archive that contains an EXE file, and the attacker relies on the recipient to open the archive and run the executable. In the second, the email contains a link to a legitimate website that is vulnerable to cross-site scripting (XSS); when the victim follows the link, the injected JavaScript runs in the browser and fetches an executable onto the computer. In both scenarios, CERT-UA notes that the EXE files and scripts are hosted on GitHub, so the download traffic blends into normal web activity and plain domain blocking is rarely an option, since GitHub is business-critical in many environments. Detection therefore has to key on what happens after the download (execution from an extraction folder, Defender tampering, persistence writes) rather than on the hosting domain alone.
During January and February 2026, CERT-UA confirmed that the activity used several malicious tools, including SHADOWSNIFF, SALATSTEALER, and DEAFTICK.
SHADOWSNIFF was reported as being hosted on GitHub. SALATSTEALER is a Go-based infostealer offered under a Malware-as-a-Service (MaaS) model; it harvests browser credentials, steals active sessions, and collects cryptocurrency-related data. In the same toolset, CERT-UA also reported DEAFTICK, a primitive backdoor written in Go that likely serves to keep basic access on compromised hosts and support follow-on actions.
During repository analysis, CERT-UA reports discovering a program with the characteristics of a ransomware encryptor, internally named «AVANGARD ULTIMATE v6.0». The same GitHub ecosystem also contained an archive with an exploit for WinRAR (CVE-2025-8088), a path traversal flaw in WinRAR for Windows that lets a crafted archive write files outside the chosen extraction directory (for example into a Startup folder) and thereby achieve arbitrary code execution; the flaw has been reported as exploited in the wild. This suggests the operators were not only stealing credentials but also experimenting with additional tooling that could expand impact.
Based on the investigation details and the tooling overlaps, including experiments with publicly available instruments, CERT-UA links the described activity to individuals discussed in the «PalachPro» Telegram channel, while continuing to track the campaign under UAC-0252.
MITRE ATT&CK Context
Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0252 phishing campaigns targeting Ukrainian entities. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.
TACTICS / TECHNIQUES / SIGMA RULES

Initial Access
  Phishing: Spearphishing Attachment (T1566.001)
    Suspicious Extracted Files from an Archive (via file_event)
    Execution from RAR Archive [WinRAR] (via process_creation)

Execution
  Exploitation for Client Execution (T1203)
    Execution from RAR Archive [WinRAR] (via process_creation)
    Possible CVE-2025-8088 / CVE-2025-6218 (WinRAR Vulnerability) Exploitation Attempt (via file_event)
  User Execution: Malicious File (T1204.002)
    Execution from RAR Archive [WinRAR] (via process_creation)

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Possible Persistence Points [ASEPs - Software/NTUSER Hive] (via registry_event)
    Possible Persistence Points [ASEPs - Software/NTUSER Hive] (via cmdline)

Defense Evasion
  Masquerading: Masquerade Task or Service (T1036.004)
    Suspicious Svchost Processes (via process_creation)
  Masquerading: Match Legitimate Resource Name or Location (T1036.005)
    Abnormal System Process Chain (via process_creation)
  Process Injection: Process Hollowing (T1055.012)
    Abnormal System Process Chain (via process_creation)
  Impair Defenses: Disable or Modify Tools (T1562.001)
    Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
  Hide Artifacts: Hidden Files and Directories (T1564.001)
    Attrib Execution to Hide Files (via cmdline)
  Hide Artifacts: File/Path Exclusions (T1564.012)
    Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
    Risky Microsoft Defender Exclusions Added (via cmdline)

Command and Control
  Application Layer Protocol: Web Protocols (T1071.001)
    Suspicious File Download Direct IP (via proxy)
    Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
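As an added illustration (not part of the SOC Prime article and not its Sigma rule stack), the Python below runs a few simplified stand-in rules that mirror rows of the table above, plus a correlation of the GitHub download-then-execute chain from the delivery-path section, over constructed Sysmon-style events. Event field names follow Sysmon (Image, ParentImage, CommandLine, TargetFilename); the proxy record layout, the host names, the file names and every path are assumptions made for this example.

```python
"""Toy rules over constructed Sysmon-style telemetry, mirroring the table above.

Rules implemented (simplified stand-ins, not the SOC Prime Sigma rules):
  - child of WinRAR.exe running from the %TEMP%\\Rar$... extraction folder
  - WinRAR.exe itself writing into a Startup folder (CVE-2025-8088 pattern)
  - Defender realtime monitoring disabled / exclusion added via cmdline
  - attrib.exe marking a file hidden+system
  - an .exe fetched from a GitHub host and later executed on the same host
Event field names follow Sysmon; the proxy record shape, hosts and paths
are assumptions made for this example.
"""
import re
from pathlib import PureWindowsPath

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
RAR_TEMP_RE = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)            # WinRAR extraction dir
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DEFENDER_RE = re.compile(
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+(\$true|1)\b"
    r"|Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b",
    re.IGNORECASE,
)


def _name(path: str) -> str:
    """Lower-cased final path component; works for Windows paths and URL paths alike."""
    return PureWindowsPath(path.split("?", 1)[0]).name.lower()


def rule_exec_from_rar(ev):
    # WinRAR launching a child is normal (opening a document); the Rar$ temp path is the tell.
    if (ev["type"] == "process_creation" and _name(ev["ParentImage"]) == "winrar.exe"
            and RAR_TEMP_RE.search(ev["Image"])):
        return "Execution from RAR Archive [WinRAR]", "T1204.002"


def rule_winrar_startup_write(ev):
    # Extraction should never land in Startup; this is the CVE-2025-8088 traversal outcome.
    if (ev["type"] == "file_event" and _name(ev["Image"]) == "winrar.exe"
            and STARTUP_RE.search(ev["TargetFilename"])):
        return "WinRAR wrote into Startup folder (possible CVE-2025-8088 exploitation)", "T1203"


def rule_defender_tamper(ev):
    if ev["type"] == "process_creation" and DEFENDER_RE.search(ev["CommandLine"]):
        return "Defender realtime monitoring disabled or exclusion added", "T1562.001"


def rule_attrib_hide(ev):
    if ev["type"] != "process_creation" or _name(ev["Image"]) != "attrib.exe":
        return None
    if {"+h", "+s"} <= {tok.lower() for tok in ev["CommandLine"].split()}:
        return "attrib.exe used to hide a file (+h +s)", "T1564.001"


class GithubDownloadThenExec:
    """Stateful correlation: blocking GitHub is impractical, so tie the .exe fetch
    to a later process creation with the same file name on the same host."""
    def __init__(self):
        self.pending = set()                      # (host, exe basename)

    def __call__(self, ev):
        if ev["type"] == "proxy" and ev["dest"] in GITHUB_HOSTS and _name(ev["url"]).endswith(".exe"):
            self.pending.add((ev["host"], _name(ev["url"])))
        elif ev["type"] == "process_creation" and (ev["host"], _name(ev["Image"])) in self.pending:
            return "EXE downloaded from GitHub and then executed", "T1071.001"


def run(events):
    rules = [rule_exec_from_rar, rule_winrar_startup_write, rule_defender_tamper,
             rule_attrib_hide, GithubDownloadThenExec()]   # fresh correlation state per run
    findings = []
    for ev in events:
        for rule in rules:
            hit = rule(ev)
            if hit:
                findings.append({"host": ev["host"], "rule": hit[0], "technique": hit[1],
                                 "evidence": ev.get("CommandLine") or ev.get("TargetFilename") or ev.get("url")})
    return findings


EVENTS = [  # constructed sample telemetry, not real logs
    {"type": "proxy", "host": "ws01", "dest": "objects.githubusercontent.com",
     "url": "/github-production-release-asset/1234/update_app.exe"},
    {"type": "process_creation", "host": "ws01",
     "Image": r"C:\Users\user\Downloads\update_app.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Downloads\update_app.exe"'},
    {"type": "process_creation", "host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Downloads\update_app.exe",
     "CommandLine": r"powershell -ep bypass -c Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming"},
    {"type": "process_creation", "host": "ws01",
     "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"attrib +h +s C:\Users\user\AppData\Roaming\svchost.exe"},
    {"type": "process_creation", "host": "ws02",
     "Image": r"C:\Users\user\AppData\Local\Temp\Rar$EXa9876.1234\dodatok.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\Rar$EXa9876.1234\dodatok.exe"},
    {"type": "file_event", "host": "ws02",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"type": "process_creation", "host": "ws03",    # benign: archive tool opening a document viewer
     "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" report.pdf'},
]

if __name__ == "__main__":
    for f in run(EVENTS):
        print(f"{f['host']}  {f['technique']:<10} {f['rule']}\n    {f['evidence']}")
```

Running the script prints five findings for ws01 and ws02 and nothing for the benign ws03 chain. The two WinRAR rules deliberately differ in what they key on: a process spawned by WinRAR is common and only becomes suspicious when it runs out of the Rar$ extraction folder, whereas WinRAR writing anything into a Startup folder is abnormal on its own and is the observable side effect of the CVE-2025-8088 traversal. The GitHub correlation is the practical answer to the point made in the delivery-path section: the hosting domain cannot be blocked, so the detection ties the download to the execution that follows it.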