{
	"id": "12be3bcd-caab-4985-beb8-8d1258a4c5ce",
	"created_at": "2026-04-06T00:15:02.762436Z",
	"updated_at": "2026-04-10T03:31:42.075495Z",
	"deleted_at": null,
	"sha1_hash": "1152e398fc0bd0c1e5e59ac2dcfa73a5b9cc245f",
	"title": "Russia-linked Vermin hackers target Ukrainian military in new espionage campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75434,
	"plain_text": "Russia-linked Vermin hackers target Ukrainian military in new\r\nespionage campaign\r\nBy Daryna Antoniuk\r\nPublished: 2024-06-07 · Archived: 2026-04-02 12:01:32 UTC\r\nA pro-Russian hacker group known as Vermin has resurfaced after two years of inactivity to target Ukraine’s\r\nmilitary in a new espionage operation, according to a recent report.\r\nThe group is reportedly controlled by the law enforcement of the so-called Luhansk People’s Republic (LPR), an\r\nunrecognized quasi-state located in eastern Ukraine which was annexed by Russia in 2022. Vermin hackers are\r\nbelieved to be acting on behalf of the Kremlin.\r\nIn their latest campaign, analyzed by Ukraine’s computer emergency response team (CERT-UA), the group\r\ntargeted Ukraine’s military with the goal of stealing sensitive information from devices.\r\nTo conduct this operation, Vermin used a previously known malware called Spectr and legitimate file-syncing\r\nsoftware called SyncThing. The hackers delivered the tools to victims' computers through phishing emails\r\ncontaining malicious archives protected by passwords.\r\nSpectr is a flexible and adaptable malware that can take screenshots of a victim's screen every 10 seconds, copy\r\nfiles with certain extensions, and steal authentication data from messengers, including Telegram, Signal, and\r\nSkype. It can also steal information from internet browsers like Firefox, Edge and Chrome, including\r\nauthentication and session data, as well as browsing history.\r\nIn March 2022, CERT-UA warned that Vermin had used Spectr to target Ukrainian government infrastructure.\r\nSyncThing was used in the new campaign to exfiltrate stolen documents, files, passwords, and other information\r\nfrom victims' computers to Vermin’s servers, researchers said. 
The hackers often deploy legitimate tools during\r\ntheir attacks to avoid detection.\r\nEarlier this week, cybersecurity firm Cyble reported that Ukraine’s Ministry of Defence and a military base were\r\nattacked by Belarusian state-sponsored hackers known as Ghostwriter.\r\nOn Tuesday, CERT-UA warned about cyberattacks against Ukrainian military personnel and defense services\r\nusing DarkCrystal malware, which could allow attackers to gain remote access to a victim’s device.\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/russian-vermin-hackers-target-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/russian-vermin-hackers-target-ukraine"
	],
	"report_names": [
		"russian-vermin-hackers-target-ukraine"
	],
	"threat_actors": [
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1152e398fc0bd0c1e5e59ac2dcfa73a5b9cc245f.pdf",
		"text": "https://archive.orkl.eu/1152e398fc0bd0c1e5e59ac2dcfa73a5b9cc245f.txt",
		"img": "https://archive.orkl.eu/1152e398fc0bd0c1e5e59ac2dcfa73a5b9cc245f.jpg"
	}
}