Russian Hackers Targeting Ukrainian Military with Malware for Windows and Android

01.11.2024

Hackers are increasingly exploiting Telegram’s user-friendly file-sharing features and security weaknesses to distribute malware. With its large, anonymous user base, Telegram has become an appealing platform for illicit cyber activity. In particular, a recent report from Google’s Threat Intelligence Group has revealed a Russian cyber operation targeting the Ukrainian military that used Telegram channels to deliver malware to users.

In September 2024, Google’s Threat Intelligence Group, which includes TAG and Mandiant, uncovered an advanced Russian cyber campaign, codenamed UNC5812. This operation involved a deceptive Telegram channel, “@civildefense_com_ua,” and a fake website, “civildefense[.]com.ua,” that posed as a service tracking Ukrainian military recruiters. Instead of delivering legitimate software, the platform distributed malware targeting both Windows and Android devices.

For Windows users, the operation used Pronsis Loader, a malicious downloader written in PHP and compiled into JVM bytecode via JPHP, which installed two pieces of malware: SUNSPINNER, a decoy mapping app, and PURESTEALER, an information-stealing tool. Android users were targeted with CRAXSRAT, a commercial backdoor whose installation required the victim to disable Google Play Protect. Both malware families reached devices through promoted posts on legitimate Ukrainian Telegram channels, including a widely followed missile alert channel; these posts remained active until at least October 2024.

UNC5812’s multi-stage strategy relied on social engineering, convincing users to disable security features and grant the apps the permissions they requested. The operation also featured an influence campaign, inviting users to submit videos of “unfair actions” by recruitment centers, fueling anti-mobilization sentiment. This content was further disseminated across pro-Russian social media, amplifying its reach.

The campaign’s technical sophistication indicates that it is part of a larger cyber-espionage effort aimed at Ukrainian military recruitment amid recent changes to mobilization law. By targeting Ukrainian defense infrastructure through platforms like Telegram, this operation underscores the increasing convergence of cyber-espionage and influence tactics in geopolitical conflicts.