A suspected Russian espionage group, tracked by Google’s Threat Analysis Group (TAG) and Mandiant as UNC5812, is leveraging the popular messaging platform Telegram to deliver malware targeting the Ukrainian military. Operating under the guise of a channel named “Civil Defense,” which was created on September 10, 2024, the group claims to provide free software programs aimed at helping potential conscripts locate and share crowdsourced information about military recruiters. However, the true intent behind this operation is to distribute malicious applications designed to compromise both Windows and Android devices.
Upon closer inspection, users who interact with the Civil Defense channel are led to download a malicious APK, specifically crafted to bypass Google Play Protect. This APK, identified by the package name “com.http.masters,” deploys a notorious remote access trojan known as CraxsRAT. Once installed, CraxsRAT grants the attackers extensive control over the victim’s device, enabling functionalities such as keylogging, screen and camera recording, and remote device management. This level of access poses significant risks, allowing the group to gather sensitive information from targeted individuals within the military.
For Windows users, the malware delivery process involves a ZIP archive that contains a newly discovered PHP-based malware loader called Pronsis. This loader is utilized to distribute additional malicious payloads, including an off-the-shelf data stealer known as PureStealer, which is marketed for prices ranging from $150 for a monthly subscription to $699 for a lifetime license. Additionally, a decoy mapping application named SUNSPINNER is deployed, displaying purported locations of military recruiters based on information from the group’s command-and-control server, further misleading victims.
Beyond merely compromising devices, UNC5812’s campaign serves a dual purpose of psychological warfare and disinformation. The group actively disseminates narratives aimed at undermining support for Ukraine’s mobilization and military recruitment efforts, utilizing messaging apps as a critical vector for malware delivery. This approach exemplifies the evolving tactics of cyber espionage, highlighting the significant role of social media and messaging platforms in contemporary warfare. As this conflict continues to unfold, the potential for cyberattacks to disrupt not only military operations but also societal cohesion remains a pressing concern.
