Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Malware
  • New VERMIN malicious software used In Ukraine
  • Malware

New VERMIN malicious software used In Ukraine

Do Son February 1, 2018 3 minutes read
VERMIN malicious
Add Daily CyberSecurity as a preferred source on Google

Unit 42 threat research team at Palo Alto Networks discovered a net espionage activity that has been going on for two years and is targeting Ukraine. Hackers mainly used two types of malware during the event: Quasar Rat and VERMIN.

Quasar RAT is an open source malware family, a remote access tool. Earlier they have been used in a number of attacks, including cybercrime and cyber espionage.

VERMIN is an emerging malware family relative to the Quasar RAT. It was written using the Microsoft .NET Framework, and most of it is the source code, which means it is by no means a branch of any malware family.

It collects keystrokes and clipboard data from infected systems, removes, uploads and downloads files renames files and folders, and captures audio and video.

VERMIN is distributed via an attachment to a phishing email, which is usually an SFX file (a self-extracting file) that contains a decoy document and looks like a formal order from the Ministry of Defense of Ukraine. Malware is infected when the victim is on.

The researchers also found that VERMIN also rarely used the Simple Object Access Protocol (SOAP) for HTTP encapsulation, an XML-based protocol for exchanging structured information for command and control (C2) Software samples are uncommon.

After further investigation, the researchers quickly uncovered more Vermin samples and unveiled a larger network of command and control (C2) infrastructures.

Many samples did not even choose to use bait files. Instead, they contain only the payload and an icon disguised as a document viewer (such as Microsoft Word).

After initial execution, Vermin checks whether the victim’s system is configured with Russian as the input language for the installation. If not set to Russian, Vermin will perform API calls and decrypt embedded resources containing the main code for communication and remote control functions. This virtually revealed that hackers seem to want to exclude those who use Russian but will not attack them.

Depending on the actual variable name used by Vermin, it gathers the following information: device name, username, operating system version, architecture (32-bit and 64-bit), local IP address, and whether anti-virus software is running. Vermin do not install keyloggers if antivirus software is detected.

Palo Alto Networks said they were unable to pinpoint the hacker’s specific goals or what data was stolen. However, from the thematic orientation of bait files and the situation of the victims, Vermin does appear to be used to launch targeted attacks on Ukraine.

Related coverage

  • Check Point Research: Emotet Trojan reappear
  • Unpatched Vulnerabilities: Ransomware’s Favorite Entry Point
  • North Korean Cyber Espionage Group Tenacious Pungsan Compromises Open-Source Repositories with Backdoored npm Packages
  • Hadooken & K4Spreader Malware: 8220 Gang’s Latest Cloud Hijacking Tools
  • Phishing Scam Alert: McAfee Uncovers a New Android Campaign Impersonating a Government Solar Program
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: VERMIN malicious

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
  • CVE-2026-8481CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.