Boztek

Russian Espionage Group Targets Ukrainian Military with Malware via Telegram

A newly identified cyber espionage and influence operation, tracked as UNC5812, is attributed to a suspected Russian group targeting the Ukrainian military. The operation delivers both Windows and Android malware through a Telegram persona known as Civil Defense, which was established on September 10, 2024. The associated Telegram channel currently has 184 subscribers and is paired with a website registered in April 2024.

The Civil Defense entity claims to offer free software that helps individuals locate and share information regarding Ukrainian military recruiters, thereby exploiting the recruitment process as a means to distribute malware. According to reports from Google’s Threat Analysis Group (TAG) and Mandiant, these applications are particularly dangerous when installed on Android devices that do not have Google Play Protect enabled, as they facilitate the deployment of commodity malware packaged with a deceptive mapping application named SUNSPINNER.

In addition to the deployment of malware, UNC5812 engages in influence operations aimed at undermining Ukraine’s military recruitment efforts. The group utilizes messaging apps for malware dissemination, reflecting a strategic focus on cognitive influence as part of Russia’s broader cyber strategies in the ongoing conflict. Civil Defense has garnered attention by collaborating with established Ukrainian-language channels to promote its Telegram presence and drive users to its malicious website.

From the website, users are deceived into downloading malware tailored to their operating system. Windows users unwittingly download a ZIP archive containing a newly discovered PHP-based malware loader, Pronsis, which in turn delivers both SUNSPINNER and PureStealer, a commodity stealer sold at various price points. SUNSPINNER itself misleads users by presenting a map that purports to show the locations of Ukrainian military recruiters, with the map data retrieved from a command-and-control server controlled by the threat actors.

For Android devices, the malicious website serves a harmful APK file that includes CraxsRAT, a well-known remote access trojan. This malware family is equipped with extensive spying capabilities such as keylogging and remote control functions. Moreover, the website provides clear instructions for users to disable Google Play Protect and grant broad permissions to the rogue application, allowing the malware to operate without interruption.

The activity of UNC5812 is reported to have evolved from a previous malware project managed by the EVLF group. Following public exposure of their earlier malware in August 2023, EVLF suspended its operations, but not without offloading its Telegram channel to another actor. By May 2024, EVLF reportedly halted further development due to issues with counterfeit versions of their malware, though they hinted at future plans for a new web-based version accessible from any machine.

Despite claims of support for macOS and iPhones on the Civil Defense website, the analysis revealed that no payloads for those systems were available during the investigation. The site’s FAQ attempts to rationalize the absence of the application in official app stores by portraying it as a safeguard for users’ privacy and security, while also guiding them through video instructions to facilitate the installation process of the rogue app.

This operation exemplifies not only the technical sophistication involved in cyber espionage but also the intertwining of malware deployment with psychological warfare, utilizing disinformation to achieve strategic goals in the context of the ongoing conflict in Ukraine.