A hybrid espionage/influence campaign conducted by the Russian threat group ‘UNC5812’ has been uncovered, targeting Ukrainian military recruits with Windows and Android malware.
According to Google’s threat intelligence, the campaign impersonated a “Civil Defense” persona along with a website and dedicated Telegram channel to distribute malware through a fake recruitment avoidance app dubbed “Sunspinner” by the researchers.
The campaign targets Windows and Android devices using distinct malware for each platform, giving the attackers data theft and real-time spying capabilities.
Google has implemented protections to block the malicious activity, but the operation highlights Russia’s continued use and extensive capabilities in the cyber-warfare space.
Fake “Civil Defense” persona
UNC5812’s persona does not attempt to impersonate Ukraine’s Civil Defense or any government agencies but is instead promoted as a legitimate Ukraine-friendly organization that provides Ukrainian conscripts with helpful software tools and advice.
The persona uses a Telegram channel and a website to engage potential victims and deliver narratives against Ukraine’s recruitment and mobilization efforts, aiming to stir distrust and resistance among the population.
When Google discovered the campaign on September 18, 2024, the “Civil Defense” channel on Telegram had 80,000 members.
Source: Google
Users tricked into visiting Civil Defense’s website are taken to a download page for a malicious application promoted as a crowd-sourced mapping tool that can help users track the locations of recruiters, and avoid them.
Google calls this app “Sunspinner, and although the app features a map with markers, Google says the data is fabricated. The app’s only purpose is to hide the installation of malware that takes place in the background.
Source: Google
Dropping Windows and Android malware.
The fake apps offers Windows and Android downloads, and promises to add iOS and macOS soon, so Apple platforms are not supported yet.
The Windows download installs Pronsis Loader, a malware loader that fetches additional malicious payloads from UNC5812’s server, including the commodity info-stealer ‘PureStealer.’
PureStealer targets information stored in web browsers, like account passwords, cookies, cryptocurrency wallet details, email clients, and messaging app data.
On Android, the downloaded APK file drops CraxsRAT, also a commercially available backdoor.
CraxsRAT allows the attackers to track the victim’s location in real time, log their keystrokes, activate audio recordings, retrieve contact lists, access SMS messages, exfiltrate files, and harvest credentials.
To perform these malicious activities undeterred, the app tricks users into disabling Google Play Protect, Android’s in-built anti-malware tool, and manually grant it risky permissions.
Source: Google
Google updated Google Play protections to detect and block the Android malware early and also added the domains and files associated with the campaign to its ‘Safe Browsing’ feature on Chrome.
The complete list of indicators of compromise associated with the latest UNC5812 campaign is available here.
Note: This article have been indexed to our site. We do not claim legitimacy, ownership or copyright of any of the content above. To see the article at original source Click Here
Hanes Men's EcoSmart Fleece Hoodie Sweatshirt
$16.33 (as of February 4, 2025 20:03 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Daily Bible Verse Bracelet Scan NFC, Scripture Bracelets Scan Phone For Prayer, Wearable Jesus Faith Wristbands, Christian Devotional God Band For Men, Women (God Is Greater Than The Highs And Lows)
$14.99 (as of February 5, 2025 19:27 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Stanley Quencher H2.0 FlowState Stainless Steel Vacuum Insulated Tumbler with Lid and Straw for Water, Iced Tea or Coffee, Smoothie and More, Rose Quartz 2.0, 30 OZ / 0.89 L
$35.00 (as of February 4, 2025 20:03 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Sereney 10th Birthday Gifts for Girl Sterling Silver Pink Pearl Necklace as Gifts for 10 Year Old, Adjustable Length 10 Birthday Ideas for Teens Trendy 2025
$15.99 (as of February 4, 2025 20:03 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
