Kursk offensive’s POW images used in cyberattack


A Russia-linked attacker group has been sharing malicious emails with supposed images of Ukrainian prisoners of war (POWs) from the Kursk offensive, the State Special Communications Service of Ukraine (SSSCIP) has reported.

The emails, aimed at Ukrainian targets, contain links to downloadable archives that supposedly hold images of captured soldiers. However, the attackers stuffed the archive with SPECTR spyware and FIRMACHAGENT malware, the SSSCIP claims.

The two malicious components work together: SPECTR collects the data, and FIRMACHAGENT retrieves the stolen information and sends it to a remote server.

The Ukrainian authorities believe that the attacker group UAC-0020 (Vermin) is behind the attack exploiting POWs. SSSCIP claims that the group primarily operates from the city of Luhansk, which was annexed by Russia in 2022.

CERT-UA, Ukraine’s cyber watchdog, suggests restricting users’ permissions to reduce the impact of such attacks. For example, fewer users should have admin-level rights. Other ways to mitigate the threat involve setting up policies that prevent .CHM files and powershell.exe from being launched.

Ukraine launched an offensive in Russia’s Kursk region on August 6th, taking dozens of Russian settlements. Some experts believe Kyiv’s push into Russia’s mainland could improve Ukraine’s position at the negotiating table, as for the first time Ukraine could trade Russian lands for ones occupied by Russia in Ukraine.