The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about new phishing attacks designed to infect devices with malware. These attacks have been attributed to a threat group tracked by CERT-UA as UAC-0020, also known as Vermin. The full extent of the attacks remains unclear.
The attack begins with phishing emails that feature photos of purported prisoners of war (PoWs) from the Kursk region, enticing recipients to click on a link that leads to a ZIP archive.
Inside the ZIP file is a Microsoft Compiled HTML Help (CHM) file containing JavaScript code, which triggers an obfuscated PowerShell script when opened.
CERT-UA explained that opening the file installs components of the known spyware SPECTR, along with a new malware called FIRMACHAGENT. FIRMACHAGENT is designed to retrieve data stolen by SPECTR and transmit it to a remote server.
SPECTR, which has been linked to Vermin since 2019, is believed to be associated with security agencies of the Luhansk People’s Republic (LPR). In June, CERT-UA highlighted another campaign by the Vermin group, named SickSync, which targeted the country’s defense forces with SPECTR.
SPECTR is a powerful tool capable of stealing a wide range of information, including files, screenshots, credentials, and data from instant messaging apps like Element, Signal, Skype, and Telegram.
 has issued a warning about new phishing attacks designed to infect devices with malware. These attacks have been attributed to a threat group tracked by CERT-UA as UAC-0020, also known as Vermin. The full extent of the attacks remains unclear.){kind=link}