Growing Trend of Russian Targeting
This incident is part of a growing trend of Russia targeting potential Ukraine military recruits, following the launch of Ukraine’s digital military ID used to manage the details of those liable for military service and boost recruitment. UNC5812’s malware delivery operations are conducted through both an actor-controlled Telegram channel (@civildefense_com_ua) and a website hosted at civildefense[.]com.ua.
Influence Activity
In parallel to the malware campaign, UNC5812 is also undertaking influence activity to undermine Ukraine’s wider mobilization and military recruitment efforts. The group’s Telegram channel actively solicits visitors and subscribers to upload videos of “unfair actions from territorial recruitment centers” – content likely intended to reinforce UNC5812’s anti-mobilization narratives and discredit the Ukrainian military.
Malware Delivery
The Civil Defense website, hosted on a domain registered in April 2024, advertises several software programs for different operating systems. When these programs are installed, various commodity malware payloads are downloaded to the victim's device. For Windows users, the website delivers the Pronsis Loader downloader, which in turn delivers a decoy mapping application called SUNSPINNER together with a commodity information stealer known as PURESTEALER. SUNSPINNER displays a map that renders purported locations of Ukrainian military recruits, fetched from an actor-controlled command-and-control server.
For Android users, a malicious Android Package (APK) file attempts to install a variant of the commercially available Android backdoor CRAXSRAT. Different versions of this payload were observed, including a variant that bundles SUNSPINNER alongside the CRAXSRAT payload. CRAXSRAT offers a range of functionality, including file management, SMS management, contact and credential harvesting, and monitoring of location, audio, and keystrokes.
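The delivery infrastructure named above (the civildefense[.]com.ua domain) is the kind of indicator a defender would sweep DNS or proxy logs for. The following added example, not code from the original report, refangs the published indicator and matches it label-aware against constructed sample log lines, so that lookalike hosts such as `notcivildefense.com.ua` or `civildefense.com.ua.example.org` do not produce false hits; the log format and client addresses are assumptions.

```python
"""Match a defanged threat-intel domain against DNS/proxy log hostnames.

Added example (not from the original report). The log lines below are
constructed for illustration; only the domain civildefense[.]com.ua
comes from the report.
"""
import re

# Indicator exactly as published (defanged).
DEFANGED_INDICATOR = "civildefense[.]com.ua"

# Constructed sample log lines: "<timestamp> <client> <queried host>".
SAMPLE_LOG = """\
2024-10-01T08:00:01Z 10.0.0.5 www.google.com
2024-10-01T08:00:02Z 10.0.0.5 civildefense.com.ua
2024-10-01T08:00:03Z 10.0.0.9 download.civildefense.com.ua
2024-10-01T08:00:04Z 10.0.0.7 notcivildefense.com.ua
2024-10-01T08:00:05Z 10.0.0.7 civildefense.com.ua.example.org
2024-10-01T08:00:06Z 10.0.0.3 CIVILDEFENSE.COM.UA.
"""

def refang(indicator: str) -> str:
    """Turn common defanging ("[.]", "(.)", "hxxp://") back into a hostname."""
    host = indicator.replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^hxxps?://", "", host, flags=re.IGNORECASE)
    return host.rstrip(".").lower()

def host_matches(hostname: str, indicator_host: str) -> bool:
    """True for the indicator itself or any subdomain of it.

    Comparison is done on whole DNS labels, so a host that merely contains
    the indicator as a substring is not reported."""
    h = hostname.rstrip(".").lower()
    return h == indicator_host or h.endswith("." + indicator_host)

def find_hits(log_text: str, defanged_indicator: str) -> list[tuple[str, str]]:
    """Return (client, host) pairs whose queried host matches the indicator."""
    indicator_host = refang(defanged_indicator)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, host = parts[:3]
        if host_matches(host, indicator_host):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in find_hits(SAMPLE_LOG, DEFANGED_INDICATOR):
        print(f"{client} contacted {host}")
```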
Disabling Protections
The Civil Defense website also tries to pre-empt users' suspicions about the app being distributed outside the app store and entices them to disable protections against harmful activity: it offers a privacy-and-security justification for why the Android application is not available in the app store, along with guidance on how to disable Google Play Protect.
Telegram’s Role in Russian Cyber-Enabled Activity
Google expects Telegram to continue to be a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity, given its role as a critical source of information for the Russia-Ukraine war. From a tradecraft perspective, UNC5812’s campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities.
Conclusion
This incident highlights the importance of vigilance in protecting against cyber threats, particularly those targeting vulnerable populations such as military recruits. It also underscores the critical role that messaging apps play in malware delivery and other cyber dimensions of Russia’s war in Ukraine.