Google's security researchers have identified a new hybrid espionage and influence operation deployed across Ukraine that used both Windows and Android malware in an effort to reveal the location of Ukrainian military recruiters.
Russia has been hitting Ukraine with an almost daily dose of cyberattacks, ranging from simple DDoS attacks to complex phishing operations that ultimately aim to compromise the country's energy and telecom infrastructure. But other targets in Ukraine also warrant Russia's attention, such as the location of Ukrainian military recruiters.
The attackers, operating under the UNC5812 designation (likely a Russian espionage group), created a Telegram channel named "Civil Defense." The channel's declared aim was to offer free software for Ukrainian military recruits. The real goal was to trick Ukrainian users into installing malware, which differed depending on the platform they used.
The attackers controlled the "Civil Defense" Telegram channel, along with a website civildefense[.]com.ua. The domain was registered in April 2024, but the Telegram channel arrived much later, in September.
The new Telegram channel gained traction because the attackers used already-established Ukrainian-language Telegram channels to promote the new one by purchasing posts.
"The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled 'Civil Defense' website, which advertises several different software programs for different operating systems," Google security researchers explained.
On Windows, users were ultimately infected with two different types of malware: SUNSPINNER and a commodity information stealer known as PURESTEALER. On Android, users were instead advised to install an APK that delivered CRAXSRAT, providing a backdoor into the OS.
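The only network indicator the article gives is the defanged domain civildefense[.]com.ua, and the Android lure depends on a user sideloading an APK from it. The following is an added defender-side example, not code from the article or from Google: it refangs the indicator, scans a few constructed proxy-log lines for the domain and its subdomains, and rates hits that fetch an installer package higher. The log format, IP addresses and file paths are constructed for the example; the article does not name any file on the site.

```python
import re
from urllib.parse import urlparse

# Indicator as printed in the article, in defanged form.
DEFANGED_DOMAIN = "civildefense[.]com.ua"

# Proxy log layout assumed for this example: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# File types whose download from the domain is treated as a likely infection attempt.
INSTALLER_SUFFIXES = (".apk", ".exe", ".msi")


def refang(indicator: str) -> str:
    """Turn common defanging ('[.]', 'hxxp') back into a form that matches real traffic."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def matches_domain(host: str, domain: str) -> bool:
    """True if host equals the domain or is a subdomain of it.

    The dot-prefixed suffix check prevents lookalikes such as
    'notcivildefense.com.ua' from matching.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines, defanged_domain: str = DEFANGED_DOMAIN):
    """Return (timestamp, client, url, severity) for every request to the domain.

    Severity is 'high' when the request fetched an installer package
    (the Android lure is an APK), otherwise 'medium'.
    """
    domain = refang(defanged_domain)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        url = m.group("url")
        parsed = urlparse(url)
        if not matches_domain(parsed.hostname or "", domain):
            continue
        severity = "high" if parsed.path.lower().endswith(INSTALLER_SUFFIXES) else "medium"
        hits.append((m.group("ts"), m.group("src"), url, severity))
    return hits


# Constructed sample log: one benign request, a visit to the site, an APK
# fetch from a subdomain, and a lookalike domain that must not match.
SAMPLE_LOG = [
    "2024-09-20T10:01:05Z 10.0.0.12 GET https://example.com/index.html 200",
    "2024-09-20T10:02:11Z 10.0.0.12 GET https://civildefense.com.ua/ 200",
    "2024-09-20T10:02:40Z 10.0.0.31 GET https://cdn.civildefense.com.ua/files/app.apk 200",
    "2024-09-20T10:03:02Z 10.0.0.44 GET https://notcivildefense.com.ua/ 200",
]

if __name__ == "__main__":
    for ts, src, url, sev in scan_proxy_log(SAMPLE_LOG):
        print(f"{sev.upper():6} {ts} {src} -> {url}")
```

Run against the constructed log it reports two hits: the plain site visit from 10.0.0.12 at medium severity and the APK fetch from 10.0.0.31 at high severity; the lookalike domain is ignored. Any client on the high-severity list is a candidate for a device check, since on Android the APK install itself is the compromise step.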
Simply tricking users into installing the malware wasn't enough for UNC5812, as their interests also extended to undermining Ukraine's war efforts.
"UNC5812 is also engaged in influence activity to undermine Ukraine's wider mobilization and military recruitment efforts," Google also explained. "The group's Telegram channel is actively used to solicit visitors and subscribers to upload videos of 'unfair actions from territorial recruitment centers,' content that we judge likely to be intended for follow-on exposure to reinforce UNC5812's anti-mobilization narratives and discredit the Ukrainian military."
Google shared its findings with Ukrainian authorities and modified its tools, but it stands to reason that dedicated security solutions should also be installed on Windows and Android devices.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.