{
	"id": "c6102f23-6a09-467a-a47a-9ccef2543951",
	"created_at": "2026-04-06T00:09:46.611217Z",
	"updated_at": "2026-04-10T03:31:42.088091Z",
	"deleted_at": null,
	"sha1_hash": "b330757e9ad8b1e9024376800c978c3be675aa80",
	"title": "Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 335830,
	"plain_text": "Vermin (UAC-0020) Hacking Collective Hits Ukrainian\r\nGovernment and Military with SPECTR Malware\r\nBy Andrii Bezverkhyi\r\nPublished: 2022-03-21 · Archived: 2026-04-02 11:57:42 UTC\r\nThis article covers the original investigation by CERT-UA: https://cert.gov.ua/article/37815.\r\nOn March 17, 2022, the government emergency response team of Ukraine, CERT-UA, revealed that Ukrainian\r\ngovernment infrastructure had been hit by a massive spear-phishing campaign aimed at delivering SPECTR malware.\r\nThe campaign was launched by the Vermin (UAC-0020) hacking collective associated with the so-called Luhansk\r\nPeople’s Republic (LPR), an unrecognized quasi-state located in the Donbas region of eastern Ukraine. The Vermin\r\noperators are believed to act on behalf of the Moscow government as an operational unit of\r\nRussia’s cyber warfare against Ukraine.\r\nVermin (UAC-0020): CERT-UA Research\r\nAccording to the CERT-UA alert, the LPR-affiliated Vermin collective (UAC-0020) disseminates malicious\r\nemails with the subject “supply” among the state bodies of Ukraine.\r\nSuch emails come with a password-protected RAR archive, dubbed “ДВТПРОВТ.rar,” which contains two\r\nmalicious files: the LNK file “4222 ВП МОУ на лист ДВТПРОВТ від 09.03.22 403-5-1324.rtf.lnk”\r\nand the EXE file “4222 ВП МОУ на лист ДВТПРОВТ від 09.03.22 403-5-1324.rtf”. If a user opens the LNK file, the corresponding EXE file is executed on the targeted system.\r\nAs a result of the attack, the compromised computer is infected with modular malware dubbed\r\nSPECTR, which uses a set of malicious components, SPECTR.Usb, SPECTR.Shell, SPECTR.Fs,\r\nSPECTR.Info, and SPECTR.Archiver, to spread the infection further.\r\nNotably, CERT-UA reports that the most recent Vermin attack leverages the same malicious infrastructure that\r\nwas used by the threat group in July 2019. Moreover, the command-and-control (C\u0026C) server equipment has been\r\nmaintained by the Luhansk provider vServerCo (AS58271) for quite a long period.\r\nhttps://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/\r\nPage 1 of 4\n\nGraphics provided by CERT-UA to illustrate the latest Vermin (UAC-0020) attack against Ukrainian state bodies\r\nGlobal Indicators of Compromise (IOCs)\r\nHost Indicators\r\nHKCU\\Software\\Google\\Chrome\\NativeMessagingHosts\\com.microsoft.browsersec\\EncodedProfile\r\nHKCU\\Software\\Google\\Chrome\\NativeMessagingHosts\\com.microsoft.browsercli\\EncodedProfile\r\n%APPDATA%\\Microsoft\\ExcelCnv\\1033\\license.dat\r\n%APPDATA%\\Microsoft\\ExcelCnv\\1033\\conhost.exe\r\nESET_OPINIONS (network variable)\r\nMSO (network variable)\r\nMS Office Add-In Install Task (scheduled task)\r\nTo get actionable threat intelligence based on the IOCs above, please refer to this Anomali ThreatStream link:\r\nhttps://ui.threatstream.com/tip/3754010.\r\nSigma Rules to Detect the Latest Vermin (UAC-0020) Attack Against Ukraine\r\nTo protect your organization’s infrastructure against massive spear-phishing attacks and SPECTR malware\r\ninfections linked to the malicious activity of Vermin (UAC-0020) threat actors, SOC Prime has released dedicated\r\nSigma-based rules available in our Detection as Code platform. All detection content associated with the activity\r\nof these threat actors is tagged accordingly with #UAC-0020:\r\nFull list of Sigma-based rules to detect the latest Vermin group’s activity\r\nThe SOC Prime platform offers a batch of IOC-based Sigma rules to detect the Vermin attack, available for registry\r\nevent, file event, image load, and other log sources. The list of detections also includes a set of behavior-based Sigma rules to boost your threat hunting capabilities and gain more insight into adversary behavior patterns.\r\nMITRE ATT\u0026CK® Context\r\nTo provide more insight into the context surrounding the latest spear-phishing campaign launched by the Vermin\r\nhacking collective, all of the above-mentioned Sigma-based detections are aligned with the MITRE ATT\u0026CK\r\nframework, addressing the following tactics and techniques:\r\nDownload JSON file for ATT\u0026CK Navigator\r\nThe versions applicable to the file above are as follows:\r\nMITRE ATT\u0026CK v10\r\nATT\u0026CK Navigator version: 4.5.5\r\nLayer File Format: 4.3\r\nSource: https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/"
	],
	"report_names": [
		"vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b330757e9ad8b1e9024376800c978c3be675aa80.pdf",
		"text": "https://archive.orkl.eu/b330757e9ad8b1e9024376800c978c3be675aa80.txt",
		"img": "https://archive.orkl.eu/b330757e9ad8b1e9024376800c978c3be675aa80.jpg"
	}
}