A recent Russia-linked cyber campaign, led by the group known as UNC5812, targeted Ukrainian men of draft age using malware in a broader strategy to disrupt Ukraine’s military recruitment. Running from September to mid-October, this campaign delivered information-stealing malware under the guise of “free software” that allowed users to view and share locations of military recruiters, according to a report by Google.
Once downloaded, the software deployed malware variants for Windows and Android, with decoy apps like Sunspinner masking the malicious code. For Windows users, the attackers installed Pronsis Loader to download PureStealer malware, capable of harvesting browser data, cryptocurrency wallets, and other app information. For Android devices, a variant of CraxsRAT was used, giving attackers access to credentials, location tracking, audio recording, and keystrokes.
UNC5812 took extensive measures to increase infection rates, including purchasing ads in legitimate Ukrainian-language Telegram channels. They even released instructional videos guiding users on how to disable Google Play Protect to bypass security and grant full permissions to the malware.
Influence Operations and Anti-Mobilization Narratives
Beyond device compromise, the campaign included influence activities designed to discredit Ukraine’s military and undermine mobilization efforts. UNC5812’s Civil Defense Telegram channel urged subscribers to share footage of “unfair” recruitment practices. In one case, a video from the group’s channel was reposted on the X (formerly Twitter) account of the Russian Embassy in South Africa, amplifying the propaganda.
UNC5812’s website, flagged as dangerous by Google, hosts Ukrainian-language content alleging unjust mobilization and promoting anti-military messaging. Google noted that this campaign aligns with increased activity from Russian threat actors following Ukraine’s 2024 mobilization law updates.
The Role of Messaging Apps in Cyber Warfare
Google warned that messaging apps, particularly Telegram, remain crucial for malware distribution and influence campaigns in the Ukraine-Russia conflict. The report concludes, “As long as Telegram remains a critical source of information during the war, it will almost certainly continue to serve as a primary vector for cyber-enabled activity by various Russian-linked espionage and influence actors.”