MOSCOW — Cybersecurity researchers have identified a previously undocumented cyber espionage operation targeting Russian military personnel through fake romantic relationships, social engineering tactics, spyware deployments, and Telegram account compromise campaigns.
According to researchers at Russian cybersecurity firm F6, the threat group, designated SiribClone, has been active since at least summer 2025 and has primarily targeted members of the Russian armed forces stationed near border regions and combat zones.
Researchers believe the operation is designed to collect military intelligence and operational information by compromising smartphones, computers, and messaging accounts used by military personnel.
The campaign allegedly relied on attackers posing as women seeking romantic relationships or volunteers offering humanitarian assistance. After establishing trust through Telegram and other messaging platforms, victims were reportedly persuaded to download malicious applications or provide credentials through fraudulent websites.
Researchers identified previously undocumented Android spyware dubbed SafeLoveStealer, which is capable of stealing photographs, videos, documents, geolocation data, and other information stored on infected devices. Investigators also reported that the malware can remotely activate a device’s microphone and record conversations.
The operation additionally utilized phishing infrastructure disguised as Telegram login portals, community invitations, medical testing websites, and other legitimate-looking services. Victims who entered authentication information allegedly provided attackers with access to Telegram accounts, verification codes, and two-factor authentication credentials.
Researchers also discovered a previously undocumented desktop malware strain called SiribGrabber, which was distributed through ZIP archives disguised as military-related documents and designed primarily to steal files from infected systems.
Activity linked to the campaign was observed between January and February before reappearing in May through malware distributed on websites themed around Russia’s Victory Day celebrations.
Investigators further identified an internal management platform known as Kontur, which reportedly stored stolen Telegram sessions and allowed operators to review intercepted communications. Internal references allegedly included military ranks, unit designations, locations, and operational status information.
Cybersecurity experts continue to warn that modern espionage operations increasingly blend traditional intelligence tradecraft with cyber intrusion techniques. Rather than relying exclusively on software vulnerabilities, threat actors often leverage social engineering, impersonation, trust-building, and psychological manipulation to gain access to sensitive information.
According to researchers, the campaign appears focused on two primary objectives: collecting technical, geographic, and personal information from targeted devices and maintaining long-term access to Telegram accounts used by military personnel.
Researchers have not publicly attributed the operation to any specific nation-state, intelligence service, or previously identified threat actor.
The investigation remains ongoing as analysts continue examining the malware, infrastructure, and operational methods associated with the SiribClone espionage campaign.