Suspected Russia-linked espionage group UNC5812 targets Ukraine’s military with Windows and Android malware via Telegram.
Google TAG and Mandiant observed a Russia-linked group, tracked as UNC5812, targeting Ukraine’s military with Windows and Android malware via the Telegram channel “Civil Defense.”
The Telegram channel was created on September 10, 2024 and at this time has 189 subscribers. The group also delivered the malware through the website civildefense[.]com.ua
that was registered in April 2024.
Civil Defense” poses as a provider of free software programs that allow potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. The apps are designed infect Android devices with malware if Google Play Protect is disabled.
“If installed with Google Play Protect disabled, these programs deliver an operating system-specific commodity malware variant to the victim alongside a decoy mapping application we track as SUNSPINNER.” reads the report published by Google.
The group UNC5812 also coordinated influence campaigns to spread narratives and solicit content aimed at weakening the support for Ukraine’s mobilization and military recruitment efforts.
UNC5812 is likely purchasing promoted posts in established Ukrainian-language Telegram channels to direct potential victims to their resources. On September 18, 2024, a missile alert channel with over 80,000 subscribers promoted the “Civil Defense” Telegram channel. Another news channel continued to promote Civil Defense posts as recently as October 8, suggesting an ongoing effort to engage more Ukrainian-language communities. These channels also offer sponsorship opportunities, indicating UNC5812’s approach to expanding its reach.
The threat actors use the Civil Defense website to distribute multiple software programs that, once installed, download different malware families. The site provides a downloader called Pronsis Loader to Windows users, this malware starts an attack chain, ultimately installing SUNSPINNER and the PURESTEALER information stealer. For Android users, a malicious APK installs a variant of the CRAXSRAT backdoor, sometimes bundled with SUNSPINNER. Although the site claims to support macOS and iPhones, only Windows and Android payloads were available during the analysis.
The experts noticed that Civil Defense website employs social engineering tactics to trick users into installing APK outside the App Store. Its FAQ claims this approach protects user anonymity and security, directing victims to video instructions. These videos guide users on disabling Google Play Protect, which checks for harmful app functionalities, and instruct them to manually enable all permissions after the malware installation.
“UNC5812’s campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia’s war in Ukraine.” concludes the report that also provided indicators of compromise for this campaign. “We judge that as long as Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity. “
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, UNC5812)