UAC-0020

UAC-0020, also known as Vermin, is a Russian-aligned cyber espionage threat actor assessed by CERT-UA as associated with security/law-enforcement agencies in the Russian-occupied Luhansk region (self-proclaimed Luhansk People’s Republic) and described as part of Russia’s cyber warfare activity against Ukraine. The group has been active since at least 2015 and has a history of targeting Ukrainian government/state bodies and, more recently, Ukrainian defense forces/Armed Forces of Ukraine. In 2024 the group resurfaced with the “SickSync” campaign (CERT-UA alert CERT-UA#9934), targeting Ukrainian defense forces/public sector agencies. Initial access is via spear-phishing emails delivering password-protected RAR/RAR SFX archives containing a decoy PDF, a BAT script, and a trojanized SyncThing-based executable/installer (e.g., “sync.exe”) that bundles legitimate SyncThing components with the SPECTR malware. SPECTR (used by the group since at least 2019 and also observed in March 2022) is an information-stealing toolkit with modules for screenshot capture (including frequent capture), file theft and USB data collection (including use of robocopy.exe), and credential/data theft from browsers and messaging applications (explicitly including Element, Signal, Skype, and Telegram). Collected data is staged under %APPDATA%\sync\Slave_Sync\ and exfiltrated by abusing SyncThing’s legitimate peer-to-peer synchronization functionality; the actor also modifies SyncThing components (e.g., directory names, scheduled tasks, disabling user notifications) to reduce user visibility and hinder detection.