cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Ukrainian military targeted by info-stealing campaign

Luhansk-based hackers known as Vermin have renewed a malicious cyber campaign after two years of inactivity.

user icon David Hollingworth
Mon, 10 Jun 2024
Ukrainian military targeted by info-stealing campaign
expand image

Ukraine’s computer emergency response team, CERT-UA, has released details of a renewed info-stealing campaign targeting the country’s armed forces.

According to CERT-UA, the threat actor is a group known as Vermin, or UAC-0020, which is directed by members of “law enforcement agencies” in Luhansk, which is currently occupied by Russian armed forces.

Vermin – which has not been observed since 2022 – is currently deploying a malware strain known as Spectr via a phishing campaign.


An initial email is sent to a victim that contains a decoy PDF alongside a legitimate but modified version of the peer-to-peer synchronisation app SyncThing in a password-protected archive. The SyncThing executable is altered to change the names of directories and to not display alerts.

The Spectr malware contains several components that steal data from web browsers, messaging apps such as Telegram and Signal, and a wide range of file types. It also takes screenshots every 10 seconds if the active window displays content in Word, Excel, Office and other widely used applications.

CERT-UA has called the campaign SyncThing and considers the entire operation to be “not-so-successful”.

The Luhansk People’s Republic was declared in 2014 when pro-Russian forces formed a breakaway state in 2014, which was then annexed by Russia in 2022.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.