Mallory
Malware | Backdoor | Used by 1 actor | Exploits 1 CVE

DEAFTICK

DEAFTICK is a primitive Go-based backdoor observed by CERT-UA in phishing campaigns tracked as UAC-0252 and targeting Ukraine. Since January 2026 the campaign has impersonated Ukrainian central executive authorities and regional administrations, urging recipients to update widely used civilian and military mobile applications. Delivery has used either an attached archive (one containing a malicious EXE file, or one carrying an exploit for the WinRAR path-traversal vulnerability CVE-2025-8088) or a link to a legitimate but XSS-vulnerable website, where injected JavaScript runs in the visitor's browser and downloads an executable. The operators also abused GitHub to host payloads and scripts.

CERT-UA confirmed DEAFTICK use during January-February 2026 alongside SHADOWSNIFF and SALATSTEALER. Reported DEAFTICK sample names are Diia_Update_4.7.1_Official.exe, EdgeUpdate.exe, and build.exe, with the following file indicators:

Diia_Update_4.7.1_Official.exe
  MD5     e457cb42ca5a6ecd8b99d89ed2958b29
  SHA-256 b5e685e57c625032ec067be94a2854cce1b7c5a51e8d6bd833841a893d5d88b7

EdgeUpdate.exe
  MD5     f3dc1e16cde2995f701c8db509f351c9
  SHA-256 e5941df780ae251bcafad3b833f45ee44bd1599ab45b7adf1f1c79510930642d

build.exe
  MD5     dcc2c9a08044e8b3e445f17461d054f1
  SHA-256 7b35b332a999d56d65241a4f35bbce2e9ad2644a84c09f7dbae42e39cd559bcf

Network indicators reported for the broader UAC-0252 activity (rather than for DEAFTICK alone) include hXXp://150[.]241[.]64[.]21:8888/client/addclient, hXXp://95[.]85[.]224[.]14:8000/client/addclient, and hXXps://nfkavn[.]bond/client/addclient. Host-based indicators reported with the campaign are three commands that stage %TMP%\svchost.exe: hide the file (attrib +h +s), add a Microsoft Defender exclusion for that path (Add-MpPreference -ExclusionPath), and create an HKCU Run key value named WindowsUpdateService pointing to %TMP%\svchost.exe. CERT-UA associates the activity with individuals discussed on the Telegram channel "PalachPro".


EXPLOITED CVES

Vulnerabilities exploited

1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-8088 | WinRAR Windows Path Traversal via NTFS Alternate Data Streams | Exploited in the wild

UAC-0252 Campaign (Jan-Feb 2026): "SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252 ... Initial vector: CVE-2025-8088 (WinRAR path traversal) distributed via the PalachPro Telegram channel. ... DEAFTICK -- surveillance module"

Source: breakglass intel (intel.breakglass.tech)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UAC-0252

The group's arsenal includes an infostealer named SHADOWSNIFF, a Malware-as-a-Service (MaaS) variant called SALATSTEALER, and DEAFTICK, a Go-based backdoor strain.

Source: Broadcom (broadcom.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic (T1547.001 is listed under both Persistence and Privilege Escalation, as ATT&CK does).

Resource Development

1 technique
T1584 Compromise Infrastructure (evidence: 1)

The threat actors also abuse the GitHub platform to host their payloads and scripts.

Mapping note: hosting payloads on a legitimate service such as GitHub is closer to T1583.006 (Acquire Infrastructure: Web Services) or T1608.001 (Stage Capabilities: Upload Malware); T1584 fits the compromised XSS-vulnerable websites used for delivery rather than the GitHub hosting quoted here.

Initial Access

4 techniques
T1189 Drive-by Compromise (evidence: 2)

They either deliver a compressed archive containing a malicious executable file directly, or they provide a link to a compromised website.

T1566 Phishing (evidence: 2)

CERT-UA identified a malicious campaign (dubbed UAC-0252) impersonating national executive authorities and regional government officials to deceive the victims.

T1566.001 Spearphishing Attachment (evidence: 1)

The email may contain an attachment in the form of an archive containing an EXE file

T1566.002 Spearphishing Link (evidence: 1)

...or a link to a legitimate website that is nevertheless vulnerable to XSS ..., visiting which leads to the execution of JavaScript code and the subsequent download of ... an executable file

Execution

3 techniques
T1059.001 PowerShell (evidence: 1)

powershell -Command "Add-MpPreference -ExclusionPath '%TMP%\svchost.exe'"

T1203 Exploitation for Client Execution (evidence: 1)

...an archive with an exploit for the WinRAR vulnerability (CVE-2025-8088)

T1204.002 Malicious File (evidence: 1)

They either deliver a compressed archive containing a malicious executable file directly, or they provide a link to a compromised website.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdateService /t REG_SZ /d %TMP%\svchost.exe /f

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdateService /t REG_SZ /d %TMP%\svchost.exe /f

Defense Evasion

2 techniques
T1564.001 Hidden Files and Directories (evidence: 1)

attrib +h +s %TMP%\svchost.exe

T1562.001 Disable or Modify Tools (evidence: 1)

powershell -Command "Add-MpPreference -ExclusionPath '%TMP%\svchost.exe'"

Command and Control

2 techniques
T1071.001 Web Protocols (evidence: 1)

hXXp://150[.]241[.]64[.]21:8888/client/addclient; hXXps://nfkavn[.]bond/client/addclient; hXXps://salat[.]cn/sa1at/ ...

T1105 Ingress Tool Transfer (evidence: 2)

"The EXE files and scripts are hosted on the legitimate GitHub service."
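The host-based commands quoted in the technique entries above (the attrib, Add-MpPreference and reg add lines) and the /client/addclient check-in endpoints from the Command and Control entry are all you need for a first hunt. The script below is an added example and not code from the original page, CERT-UA or Mallory: it turns those indicators into three command-line rules keyed on the behaviour (hide a file under %TMP%, exclude it from Defender, autorun it from a Run key) rather than the exact string, matches proxy records against the listed hosts, and checks file bytes against the reported SHA-256 values. The process events, proxy log layout and host names are constructed for the example; the hashes and hosts are copied from the page.

```python
"""Hunt for the UAC-0252 indicators listed on this page (added example)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# SHA-256 of the three reported DEAFTICK samples (copied from the page).
DEAFTICK_SHA256 = {
    "b5e685e57c625032ec067be94a2854cce1b7c5a51e8d6bd833841a893d5d88b7",  # Diia_Update_4.7.1_Official.exe
    "e5941df780ae251bcafad3b833f45ee44bd1599ab45b7adf1f1c79510930642d",  # EdgeUpdate.exe
    "7b35b332a999d56d65241a4f35bbce2e9ad2644a84c09f7dbae42e39cd559bcf",  # build.exe
}
# Hosts serving the /client/addclient check-in endpoint (copied from the page).
C2_HOSTS = {"150.241.64.21", "95.85.224.14", "nfkavn.bond"}

# The dropped file as the literal %TMP% form seen in the commands, or as an
# expanded ...\Temp\svchost.exe path, since telemetry may record either.
TMP_SVCHOST = r"(?:%tmp%|\\temp)\\svchost\.exe"

# One rule per ATT&CK technique; each keys on the behaviour, not the exact string.
RULES = [
    ("T1564.001", re.compile(r"\battrib\b.*\+h\b.*" + TMP_SVCHOST, re.I)),
    ("T1562.001", re.compile(r"add-mppreference\b.*-exclusionpath\b.*" + TMP_SVCHOST, re.I)),
    ("T1547.001", re.compile(
        r"\breg(?:\.exe)?\s+add\b.*\\currentversion\\run\b.*"
        r"(?:windowsupdateservice|" + TMP_SVCHOST + ")", re.I)),
]


@dataclass
class ProcessEvent:
    host: str          # hypothetical endpoint name
    command_line: str  # process command line as logged by Sysmon/4688-style telemetry


@dataclass
class Finding:
    host: str
    technique: str
    command_line: str


def classify(command_line: str) -> list[str]:
    """Return the technique IDs whose rule matches this command line."""
    return [tech for tech, rx in RULES if rx.search(command_line)]


def scan_process_events(events: list[ProcessEvent]) -> list[Finding]:
    """Run every rule over every process-creation event, preserving event order."""
    return [Finding(ev.host, tech, ev.command_line)
            for ev in events for tech in classify(ev.command_line)]


def is_deaftick_sample(data: bytes) -> bool:
    """True if the file content hashes to one of the reported samples."""
    return hashlib.sha256(data).hexdigest() in DEAFTICK_SHA256


def c2_hits(proxy_lines: list[str]) -> list[tuple[str, str]]:
    """Flag proxy records whose destination host is listed and whose path is the
    /client/addclient endpoint. Assumed (constructed) record layout:
    '<timestamp> <source-ip> <method> <url>'."""
    hits = []
    for line in proxy_lines:
        url = line.split()[-1]
        m = re.match(r"https?://([^/:]+)(?::\d+)?(/\S*)", url)
        if m and m.group(1) in C2_HOSTS and m.group(2).startswith("/client/addclient"):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed telemetry: ws-017 runs the three reported commands; ws-042 runs
# look-alike but benign attrib/reg commands that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("ws-017", r"attrib +h +s %TMP%\svchost.exe"),
    ProcessEvent("ws-017", "powershell -Command \"Add-MpPreference -ExclusionPath '%TMP%\\svchost.exe'\""),
    ProcessEvent("ws-017", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                           r"/v WindowsUpdateService /t REG_SZ /d %TMP%\svchost.exe /f"),
    ProcessEvent("ws-042", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                           r"/v OneDrive /t REG_SZ /d C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /f"),
    ProcessEvent("ws-042", r"attrib -r C:\Users\a\notes.txt"),
]

# Constructed proxy log: two check-ins to listed hosts and one benign request.
SAMPLE_PROXY = [
    "2026-02-03T10:14:22Z 10.0.5.17 POST http://150.241.64.21:8888/client/addclient",
    "2026-02-03T10:14:25Z 10.0.5.17 GET https://www.example.com/index.html",
    "2026-02-03T10:15:01Z 10.0.5.42 POST https://nfkavn.bond/client/addclient",
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"{f.host}  {f.technique}  {f.command_line}")
    for host, path in c2_hits(SAMPLE_PROXY):
        print(f"C2 check-in: {host}{path}")
```

Run against the constructed sample, the scan reports exactly three findings, all on ws-017 (T1564.001, T1562.001, T1547.001), and two check-ins; the OneDrive Run key and the attrib -r command on ws-042 stay quiet because the rules require the %TMP%\svchost.exe path or the WindowsUpdateService value name. The same rules are easy to port to Sigma for Windows Event 4688 or Sysmon Event 1, where CommandLine is the field to match.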
