Russian Malware Campaign Targets Ukrainian Recruits Via Telegram

Russian threat actors are targeting the devices of Ukrainian military recruits in a malware campaign delivered via Telegram, a new analysis by Google has found.

The group, tracked as UNC5812, is a suspected Russian hybrid espionage and influence operation. In the new campaign, discovered in September 2024, the attackers attempt to deliver Windows and Android malware to the Ukrainian military recruits using a Telegram persona named “Civil Defense.”

The purpose is to gain access to recruits’ devices to steal sensitive information.

Google’s Threat Analysis Group (TAG) said the campaign is part of a growing trend of Russia targeting potential Ukraine military recruits, following the launch of Ukraine’s digital military ID used to manage the details of those liable for military service and boost recruitment.

Ukrainian Recruits Targeted with Malware

UNC5812’s malware delivery operations are conducted both via an actor-controlled Telegram channel @civildefense_com_ua and website hosted at civildefense[.]com.ua. The website was registered in April 2024, but the Telegram channel was not created until early September 2024, which is when Google judged the new campaign to be fully operational.

“Civil Defense” claims to be a provider of free software programs that enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters.

It appears that UNC5812 is purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels to drive engagement with the Civil Defense Telegram channel and website.

The campaign was first observed on September 18 2024, when a legitimate Telegram channel with over 80,000 subscribers dedicated to missile alerts promoted the Civil Defense Telegram channel.

A separate Ukrainian-language news channel was observed promoting Civil Defense’s posts as recently as October 8, suggesting the campaign is still actively seeking new Ukrainian-language communities for targeted engagement.

The campaign aims to entice victims to enter the Civil Defense website, which advertises several different software programs for different operating systems.

When these programs are installed, commodity malware payloads are downloaded to the victims’ devices:

  • For Windows users, the website delivers the Pronsis Loader downloader, written in PHP and compiled into Java Virtual Machine (JVM) bytecode using the open source JPHP project. Upon execution, Pronsis Loader delivers two payloads: a decoy mapping application called SUNSPINNER, which displays a map rendering purported locations of Ukrainian military recruits fetched from an actor-controlled command-and-control (C2) server, and a commodity information stealer known as PURESTEALER.
  • For Android users, a malicious Android Package (APK) file attempts to install a variant of the commercially available Android backdoor CRAXSRAT. Different versions of this payload were observed, including a variant bundling SUNSPINNER alongside the CRAXSRAT payload. CRAXSRAT offers a range of functionality, including file management, SMS management, contact and credential harvesting, and monitoring capabilities for location, audio and keystrokes.

The Civil Defense website also attempts to pre-empt user suspicions about the app being distributed outside the app store and entices users to disable protections against harmful activity.

This includes a privacy and security justification for the Android application being outside the app store and guidance on how to disable Google Play Protect.

Anti-Mobilization Influence Operation Via Telegram

In parallel to the malware campaign, Google said that UNC5812 is undertaking influence activity to undermine Ukraine’s wider mobilization and military recruitment efforts.

The group’s Telegram channel actively solicits visitors and subscribers to upload videos of “unfair actions from territorial recruitment centers” – content likely intended to reinforce UNC5812’s anti-mobilization narratives and discredit the Ukrainian military.

The Civil Defense website is also interspersed with Ukrainian-language anti-mobilization imagery and content, including a dedicated news section to highlight purported cases of unjust mobilization practices.

Google expects Telegram to remain a primary vector for a range of Russian-linked espionage and influence activity, given its role as a critical source of information in the Russia-Ukraine war.

“From a tradecraft perspective, UNC5812’s campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia’s war in Ukraine,” the firm noted.
