SHADOWSNIFF
ShadowSniff is an information-stealing malware/credential harvester used in campaigns tracked as UAC-0252. Public reporting states it was used during January-February 2026 in phishing operations impersonating Ukrainian central executive authorities and regional administrations, with targeting focused on Ukrainian government institutions and organizations in Ukraine. It has been delivered alongside SalatStealer and DEAFTICK, and CERT-UA described SHADOWSNIFF as a GitHub-hosted stealer.
Observed infection vectors in the reporting include phishing emails carrying archives with malicious executables, links to legitimate but XSS-vulnerable websites that trigger JavaScript and download executables, and delivery through a WinRAR exploit for CVE-2025-8088. The threat actors also abused GitHub to host payloads and scripts. Infrastructure tied to the campaign was reported on Beget LLC hosting.
Associated activity is tracked as UAC-0252 by CERT-UA; reporting links the activity to individuals discussed on the Telegram channel "PalachPro." Broadcom/Symantec and CERT-UA both reported the malware in campaigns impersonating Ukrainian institutions. ShadowSniff was repeatedly observed deployed together with SalatStealer, a MaaS infostealer, while DEAFTICK served as a Go-based backdoor in the same intrusion set.
Known file indicators directly associated with ShadowSniff in the cited reporting are updateV3.23.exe with MD5 2591d145ff510f7fc4d6290d3bfcb130 and SHA-256 3abf295b79992532b03261a81643124d134fa7e86fb901b3bfc74ad0f192dc7f, and a second updateV3.23.exe with MD5 b6480aa6c364715a21ba28c4d26a5b6e and SHA-256 c2a4212573d7566acf5b610b4ce3598237acd37459670daa1b6950f107d50e03. Campaign-level network indicators in the same reporting include hXXp://150[.]241.64.21:8888/client/addclient, hXXp://95[.]85.224.14:8000/client/addclient, and hXXps://nfkavn[.]bond/client/addclient. Reported host-based indicators for the broader activity include hiding %TMP%\svchost.exe, adding a Microsoft Defender exclusion for it, and creating a Run key persistence value named WindowsUpdateService pointing to %TMP%\svchost.exe.
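The Run key and Defender-exclusion indicators above are easy to check in endpoint telemetry. The following is an added detection example, not code from the cited reporting or from Mallory; it assumes a simplified, constructed event schema (registry-value-set and process-creation records) and relies on the fact that the legitimate svchost.exe only runs from the Windows system directories.

```python
import re

# Legitimate svchost.exe lives only under System32 / SysWOW64.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\svchost\.exe$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
# Add-MpPreference -ExclusionPath <path>, quoted or unquoted.
DEFENDER_EXCL = re.compile(
    r"add-mppreference\b.*?-exclusionpath\s+(?:\"([^\"]+)\"|([^\"\s]+))", re.I)


def rogue_svchost(path: str) -> bool:
    """True for any svchost.exe that is not the Windows-owned binary."""
    p = path.strip().strip('"')
    return p.lower().endswith("svchost.exe") and not LEGIT_SVCHOST.match(p)


def check_event(ev: dict) -> list:
    """Return findings for one event; empty list when nothing matches."""
    findings = []
    if ev.get("type") == "registry_set" and RUN_KEY.search(ev.get("target", "")):
        name = ev["target"].rsplit("\\", 1)[-1]   # the Run value name
        val = ev.get("details", "")                # the command it launches
        # Flag the reported value name, or any Run entry launching a rogue svchost.exe
        if name.lower() == "windowsupdateservice" or rogue_svchost(val):
            findings.append(("run_key_persistence", name, val))
    elif ev.get("type") == "process":
        m = DEFENDER_EXCL.search(ev.get("cmdline", ""))
        if m:
            excl = m.group(1) or m.group(2)
            # Exclusions for a temp-dir path or a non-system svchost.exe are suspect
            if rogue_svchost(excl) or TEMP_DIR.search(excl):
                findings.append(("defender_exclusion", excl))
    return findings


def scan(events) -> list:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events mirroring the reported host indicators (hypothetical).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdateService",
     "details": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    {"type": "registry_set",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "process",
     "cmdline": "powershell.exe -Command \"Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe\""},
    {"type": "process", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```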
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
SHADOWSNIFF -- secondary credential stealer | UAC-0252 Campaign (Jan--Feb 2026): SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252 ... Initial vector: CVE-2025-8088 (WinRAR path traversal) distributed via the PalachPro Telegram channel.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The group's arsenal includes an infostealer named SHADOWSNIFF, a Malware-as-a-Service (MaaS) variant called SALATSTEALER, and DEAFTICK, a Go-based backdoor strain.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (4 techniques)
They either deliver a compressed archive containing a malicious executable file directly, or they provide a link to a compromised website.
CERT-UA identified a malicious campaign (dubbed UAC-0252) impersonating national executive authorities and regional government officials to deceive the victims.
Execution (2 techniques)
Stealth (1 technique)
Credential Access (1 technique)
Collection (1 technique)
Command and Control (3 techniques)
Over a three-month window from January 1 to April 1, 2026, more than 1,250 active command-and-control (C2) servers were detected across 165 Russian infrastructure providers.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Referenced as malware delivered in UAC-0252 activity alongside SalatStealer.
Credential-harvesting malware/tool delivered alongside Salat Stealer in UAC-0252 activity.
An infostealer deployed in the UAC-0252 campaign impersonating Ukrainian government institutions and exploiting a WinRAR vulnerability.
A secondary credential stealer used alongside SalatStealer in the UAC-0252 campaign targeting Ukraine.