UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER Fuel Phishing Campaigns in Ukraine

ID: 1b1241fc-604d-59aa-be61-63949b771cc1

STIX ID: report--1b1241fc-604d-59aa-be61-63949b771cc1

Feed Name: SOC Prime Blog

Threat Score: 75/100

Date Published: 2026-03-03

Date Updated: 2026-04-30

Author: Daryna Olyniychuk

CERT-UA has tracked UAC-0252 phishing campaigns targeting Ukrainian entities since January 2026. The campaigns use well-crafted lures to deliver EXE payloads hosted on GitHub, either via attached archives or via XSS on legitimate sites. Observed tooling includes SHADOWSNIFF, the SALATSTEALER infostealer, the DEAFTICK backdoor, a discovered ransomware encryptor labeled AVANGARD ULTIMATE v6.0, and a WinRAR exploit (CVE-2025-8088). Attribution ties point to actors discussed on the PalachPro Telegram channel.
