Ukrainian military conscripts have been the victims of a sophisticated Windows and Android spyware campaign by the Russian-affiliated cyber espionage outfit UNC5812. The malware has been disseminated through a website launched earlier this year and a Telegram channel called “Civil Defense,” both of which are disguised as recruitment avoidance tools. Mandiant and Google’s Threat Analysis Group (TAG) discovered the campaign in late 2024.

Draft-age Ukrainian men are the main focus of this cyberattack. UNC5812 advertises “free software” that helps users find and steer clear of military recruiters. The “Sunspinner” apps are made to look like crowdsourced tools, but they actually infect victims’ devices with powerful malware.

Google claims that the Android version downloads CraxsRAT, a well-known remote access trojan (RAT) with features including camera control, keyboard logging, and real-time location monitoring. On Windows devices, a malicious ZIP file drops Pronsis Loader, starting a multi-step delivery chain that executes the PureStealer info-stealer.

The “Civil Defense” persona does not impersonate any authentic Ukrainian state entity. Instead, it disseminates anti-recruitment narratives via a website and Telegram with the goal of sowing doubt about Ukraine’s military endeavors.

To trick users, the malware asks them to turn off Google Play Protect, which facilitates the infection process and lowers the possibility of detection. Once deployed, the Android spyware steals sensitive information including contacts, SMS messages, and login passwords. The Windows spyware grabs sensitive data, including cryptocurrency wallet information and browsing data.

This campaign is part of a larger Russian agenda to employ cyber weapons for psychological warfare and espionage. The Record pointed out that UNC5812 isn’t limited to malware. Mistrust of the Ukrainian military is further fueled by its influence efforts, which urge Telegram users to post recordings of purported abuses at recruiting sites.

The growing significance of messaging apps like Telegram in the larger cyber aspects of Russia’s conflict against Ukraine was highlighted by Google’s TAG. These platforms will probably continue to be essential to future cyber operations as long as they function as vital information centers during the conflict.

Copyright Notice © https://top-privacy-vpn.com/, 2024. All rights reserved. The logo and design of this website are the exclusive property of https://top-privacy-vpn.com/ and are protected by international copyright laws. All other logos and trademarks belong to their respective VPN providers. The information and comparisons provided are for informational purposes and belong to https://top-privacy-vpn.com/. Unauthorized use, reproduction, or distribution of this website’s design, logo, and content is strictly prohibited without prior written permission. For permissions or inquiries, please contact : support@top-privacy-vpn.com