{
	"id": "da5639a0-9936-4110-8959-b861a42ec5ac",
	"created_at": "2026-04-06T00:08:03.304585Z",
	"updated_at": "2026-04-10T13:11:47.794677Z",
	"deleted_at": null,
	"sha1_hash": "f7aa6ab1c5f0c699e10b98535e53aa364a360a0e",
	"title": "A deep dive down the Vermin RAThole",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403183,
	"plain_text": "A deep dive down the Vermin RAThole\r\nBy Kaspars Osis\r\nArchived: 2026-04-05 18:55:20 UTC\r\nESET Research\r\nESET researchers have analyzed remote access tools cybercriminals have been using in an ongoing espionage campaign to systematically spy on Ukrainian government institutions and exfiltrate data from their systems\r\n17 Jul 2018 • 3 min. read\r\nIn this blogpost, we will sum up the findings published in full in our white paper “Quasar, Sobaken and Vermin: A deeper look into an ongoing espionage campaign”.\r\nThe attackers behind the campaign have been tracked by ESET since mid-2017; their activities were first publicly reported in January 2018. Our analysis shows that these cybercriminals continue to improve their campaigns by developing new versions of their espionage tools.\r\nAccording to ESET’s telemetry, the attacks have been targeted at Ukrainian government institutions, with a few hundred victims in different organizations. Attackers have been using stealthy remote access tools (RATs) to exfiltrate sensitive documents from the victims’ computers.\r\nhttps://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/\r\nPage 1 of 3\r\nWe have detected three different strains of .NET malware in these campaigns: Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time; they share parts of their infrastructure and connect to the same C\u0026C servers.\r\nQuasar is an open-source RAT, which is freely available on GitHub. We were able to trace campaigns by these threat actors using Quasar RAT binaries back to October 2015.\r\nSobaken is a heavily modified version of the Quasar RAT. Some functionality was removed to make the executable smaller, and several anti-sandbox and other evasion tricks were added.\r\nVermin is a custom-made backdoor. It first appeared in mid-2016 and is still in use at the time of writing. Just like Quasar and Sobaken, it is written in .NET. To slow down analysis, the program code is protected using the commercial .NET code protection system .NET Reactor or the open-source protector ConfuserEx.\r\nVermin is a full-featured backdoor with several optional components. Its latest known version supports 24 commands, implemented in the main payload, and several additional commands implemented via optional components, including audio recording, keylogging and password stealing.\r\nThe analyzed campaigns have been based on basic social engineering, but also use several tricks to better lure the victims into downloading and executing the malware, served as email attachments. Among these tricks are using right-to-left override to obscure the attachments’ real extension, email attachments disguised as RAR self-extracting archives, and a combination of a specially crafted Word document carrying a CVE-2017-0199 exploit.\r\nAll three malware strains are installed in the same way: a dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, into a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft). Then, it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.\r\nTo make sure that the malware runs on targeted machines only and avoids automated analysis systems and sandboxes, the attackers have deployed several measures. The malware terminates if neither Russian nor Ukrainian keyboard layouts are installed, and also if the target system’s IP address is located outside these two countries, or is registered to one of several selected antimalware vendors or cloud providers. The malware also refuses to run on computers with usernames typical of automated malware analysis systems. To determine whether it is run in an automated analysis system, it tries to reach a randomly generated website name/URL and checks if the connection to the URL fails, as would be expected on a real system.\r\nThese attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place.\r\nESET detection names and other Indicators of Compromise for the mentioned campaigns can be found in the full white paper: Quasar, Sobaken and Vermin: A deeper look into an ongoing espionage campaign.\r\nSource: https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/"
	],
	"report_names": [
		"deep-dive-vermin-rathole"
	],
	"threat_actors": [
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434083,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7aa6ab1c5f0c699e10b98535e53aa364a360a0e.pdf",
		"text": "https://archive.orkl.eu/f7aa6ab1c5f0c699e10b98535e53aa364a360a0e.txt",
		"img": "https://archive.orkl.eu/f7aa6ab1c5f0c699e10b98535e53aa364a360a0e.jpg"
	}
}