Russian Hackers Target Ukraine’s Military with Malware via Telegram

UNC5812, a Russian-linked group, is using a Telegram persona “Civil Defense” to distribute Windows and Android malware disguised as a crowdsourced map app. 

The malware, delivered via compromised apps on Google Play, aims to steal sensitive information and conduct surveillance on potential Ukrainian recruits. The group is also actively spreading disinformation and propaganda to undermine Ukrainian morale.

UNC5812 uses a Telegram channel (@civildefense_com_ua) and a website (civildefense.com.ua) launched in September 2024 to deliver malware, and it likely purchases ads in Ukrainian Telegram channels to lure victims to these malicious resources.

UNC5812’s “Civil Defense” persona

UNC5812 likely leveraged sponsorship opportunities to promote the “Civil Defense” Telegram channel and website on legitimate missile alert channels, aiming to expand its reach within the Ukrainian-speaking community. 

The campaign lures victims to a malicious website that serves a PHP-based downloader compiled into JVM bytecode. That downloader triggers a multi-stage infection chain, culminating in the deployment of SUNSPINNER and PURESTEALER on the victim's system.

The malicious Android APK installs CRAXSRAT, a backdoor, potentially with SUNSPINNER, a spyware component. While the Civil Defense website claims support for macOS and iOS, only Windows and Android exploits were found. 

Download page, translated from Ukrainian

The Civil Defense website relies on social engineering to get users to install the CRAXSRAT malware: it misleads them about the app's origin and tells them that disabling security features is necessary, ultimately compromising their device.

Its Telegram channel, meanwhile, is used to collect videos of alleged misconduct by Ukrainian recruitment centers, which are then likely disseminated to promote anti-mobilization narratives and discredit the Ukrainian military.

The Civil Defense website contains Ukrainian anti-mobilization content, including news about unjust mobilization practices, which is often shared from pro-Russian social media and even reposted by the Russian Embassy.

Screenshots of video instructions to turn off Google Play Protect and manually enable CRAXSRAT permissions

According to Google, UNC5812 delivers Windows and Android malware via its civildefense[.]com[.]ua website, alongside the decoy SUNSPINNER mapping app, to mask malicious payload installation.

SUNSPINNER, a Flutter-based decoy GUI application, masquerades as a crowd-sourced map of Ukrainian military recruiters. It fetches map markers from the group's C2 infrastructure and displays them, misleading users into believing they are contributing to a real-world effort.

Decoy application for monitoring the locations of Ukrainian military recruitment staff

For Windows, the Civil Defense website delivered Pronsis Loader, a malware dropper, which downloaded and executed a PHP-based second-stage downloader; that stage in turn installed PURESTEALER, a .NET-based information stealer, to exfiltrate sensitive data from victim devices.

The “Civil Defense.apk” file distributed by the Civil Defense website is a disguised CRAXSRAT backdoor capable of stealing sensitive data like contacts, messages, and location information, which also has the potential to control the infected device remotely.
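The article names two concrete indicators a defender can hunt for: the campaign domain (civildefense[.]com[.]ua) and the lure filename "Civil Defense.apk". The following is an added example, not code from the article or from Google's report, that refangs those indicators and runs them over constructed web-proxy log lines; the log format, client addresses and every sample line are assumptions made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators as the article prints them (defanged). The log format and sample lines are constructed.
DEFANGED_DOMAINS = ["civildefense[.]com[.]ua"]
LURE_FILENAMES = {"civil defense.apk"}
# Constructed proxy format: <ts> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' notation back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

CAMPAIGN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def host_matches(host: str) -> bool:
    """True if host is a campaign domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)

def classify(url: str):
    """Return a reason string if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    if host_matches(parts.hostname or ""):
        return "contact with campaign domain"
    # Lure filename on another host is weaker evidence (possible re-hosting), so label it separately.
    filename = unquote(parts.path.rsplit("/", 1)[-1]).lower()
    if filename in LURE_FILENAMES:
        return "lure APK filename served from a different host"
    return None

def scan(lines):
    """Return (timestamp, client, url, reason) for every well-formed matching line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        reason = classify(m["url"])
        if reason:
            alerts.append((m["ts"], m["src"], m["url"], reason))
    return alerts

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2024-10-01T09:12:03Z 10.0.0.5 GET https://civildefense.com.ua/download/Civil%20Defense.apk 200",
    "2024-10-01T09:12:10Z 10.0.0.5 GET https://www.CivilDefense.com.ua/ 200",
    "2024-10-01T09:13:00Z 10.0.0.7 GET https://play.google.com/store/apps/details?id=com.example 200",
    "2024-10-01T09:14:00Z 10.0.0.9 GET https://files.example.net/Civil%20Defense.apk 200",
    "garbage line that does not parse",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts: two for the campaign domain (including the mixed-case subdomain) and one weaker hit for the lure filename re-hosted elsewhere, while the Play Store line and the malformed line produce nothing.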

UNC5812, a Russian threat actor, is targeting potential Ukrainian military recruits using hybrid espionage and information operations, leveraging Telegram as a primary vector for malware delivery and influence operations to undermine Ukraine’s mobilization efforts and sow public distrust. 


Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
