A Russian cyberespionage and influence campaign has been targeting military recruits in Ukraine to undermine the country’s mobilization efforts, Google reports.
As part of the hybrid activity, tracked as UNC5812, a Telegram persona named Civil Defense has been distributing software advertised as a free tool for locating Ukrainian military recruiters, which in fact delivers platform-specific malware.
On Android devices without Google Play Protect enabled, the software would install commodity malware and a decoy mapping application. Google has observed the Android backdoor CraxsRat and the SunSpinner malware being delivered to victims.
CraxsRat contains typical Android backdoor functionality, such as file and SMS management, contact and credential theft, and the ability to monitor keystrokes, device location, and audio input.
A decoy application written with the Flutter framework, SunSpinner can display the crowdsourced location of Ukrainian military recruiters. While it offers an option to add new markers, all the markers in the application’s JSON file were added on the same day, suggesting they are not genuine user inputs.
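The observation that every marker in the application's JSON file carries the same creation day is a cheap triage signal an analyst can check mechanically when a "crowdsourced" dataset is suspected of being seeded by its operator. The script below is an added example, not code from Google's report or from the SunSpinner sample: it assumes the marker file is a JSON list of objects with an ISO-8601 `created` field (a guessed layout; adjust the field name to the real file), counts markers per UTC day, measures the time span between first and last marker, and flags the file as bulk-loaded when the entries cluster on too few days. Both input samples are constructed.

```python
"""Triage check for a 'crowdsourced' marker file: were the markers added by
many users over time, or bulk-loaded in one sitting?

Added example; the JSON layout (list of objects with a 'created' timestamp)
is an assumption and not the real SunSpinner schema.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample A: every marker stamped within seconds on a single day.
BULK_LOADED_JSON = json.dumps([
    {"id": 1, "lat": 50.450, "lon": 30.524, "created": "2024-09-14T08:03:11Z"},
    {"id": 2, "lat": 49.842, "lon": 24.031, "created": "2024-09-14T08:03:12Z"},
    {"id": 3, "lat": 48.464, "lon": 35.046, "created": "2024-09-14T08:03:12Z"},
    {"id": 4, "lat": 46.482, "lon": 30.723, "created": "2024-09-14T08:03:13Z"},
    {"id": 5, "lat": 49.993, "lon": 36.230, "created": "2024-09-14T08:03:14Z"},
])

# Constructed sample B: markers trickling in over weeks, as genuine input would.
ORGANIC_JSON = json.dumps([
    {"id": 1, "lat": 50.450, "lon": 30.524, "created": "2024-08-02T17:41:09Z"},
    {"id": 2, "lat": 49.842, "lon": 24.031, "created": "2024-08-19T11:05:53Z"},
    {"id": 3, "lat": 48.464, "lon": 35.046, "created": "2024-09-01T22:12:30Z"},
    {"id": 4, "lat": 46.482, "lon": 30.723, "created": "2024-09-14T08:03:13Z"},
    {"id": 5, "lat": 49.993, "lon": 36.230, "created": "2024-09-27T06:58:44Z"},
])


def parse_created(value: str) -> datetime:
    """Parse an ISO-8601 timestamp into an aware UTC datetime.
    A trailing 'Z' is rewritten so fromisoformat() accepts it on Python < 3.11."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:            # naive timestamps are assumed to be UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def marker_times(raw_json: str, field: str = "created") -> list:
    """Extract the creation timestamps from a marker file (assumed layout)."""
    return [parse_created(m[field]) for m in json.loads(raw_json)]


def assess_markers(raw_json: str, field: str = "created",
                   min_distinct_days: int = 3, max_top_share: float = 0.5) -> dict:
    """Summarise when markers were created and flag bulk-loaded files.

    A file is flagged when fewer than min_distinct_days calendar days are
    represented, or when one day accounts for more than max_top_share of all
    markers. Thresholds are heuristics; tune them to the dataset's expected volume.
    """
    times = marker_times(raw_json, field)
    if not times:
        raise ValueError("marker file contains no entries")
    per_day = Counter(t.date().isoformat() for t in times)
    total = len(times)
    top_day, top_count = per_day.most_common(1)[0]
    top_share = top_count / total
    span_seconds = (max(times) - min(times)).total_seconds()
    return {
        "total": total,
        "distinct_days": len(per_day),
        "top_day": top_day,
        "top_share": top_share,
        "span_seconds": span_seconds,
        "bulk_loaded": len(per_day) < min_distinct_days or top_share > max_top_share,
    }


if __name__ == "__main__":
    for label, data in (("bulk-loaded sample", BULK_LOADED_JSON),
                        ("organic sample", ORGANIC_JSON)):
        print(label, assess_markers(data))
```

Running the script on an extracted marker file replaces the two constructed samples with the real JSON; a report of one distinct day and a span of a few seconds across all entries is the pattern Google describes for SunSpinner's markers.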
Windows users were served the Pronsis Loader malware downloader, which launches a sophisticated infection chain leading to SunSpinner and the PureStealer information stealer.
Written in .NET, PureStealer was designed to exfiltrate browser data such as passwords and cookies, along with cryptocurrency wallets and data from other applications, including messaging and email clients.
The malware, Google says, is being distributed both via the Telegram channel and via an associated website. The domain was registered in April 2024, but the channel was created in September, suggesting that the campaign became fully operational only last month.
The internet giant believes that UNC5812 has been purchasing promoted posts on legitimate Ukrainian-language Telegram channels, with at least two of them seen promoting Civil Defense in September and October, including an established channel with over 80,000 subscribers.
“The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled ‘Civil Defense’ website, which advertises several different software programs for different operating systems,” Google explains.
The Civil Defense website claims that the Android application is being distributed outside Google Play to protect user anonymity and security. It also provides instructions on how users can disable Google Play Protect and manually enable all permissions once the malware has been installed.
In addition to distributing malware, the Civil Defense Telegram channel also engages in influence activities, requesting visitors and users to upload videos likely meant to discredit the Ukrainian military and promote anti-mobilization narratives.
“The Civil Defense website is also interspersed with Ukrainian-language anti-mobilization imagery and content, including a dedicated news section to highlight purported cases of unjust mobilization practices,” Google says.
The internet giant has notified Ukraine’s national authorities of Civil Defense’s operation, blocked resolution of the website nationally, and added the identified domains and files to Safe Browsing.
“We have seen the targeting of potential military recruits rise in prominence following the launch of Ukraine’s national digital military ID used to manage the details of those liable for military service and boost recruitment. Consistent with research from EUvsDisinfo, we also continue to observe persistent efforts by pro-Russia influence actors to promote messaging undermining Ukraine’s mobilization drive,” Google notes.