In September 2024, Google’s Threat Analysis Group (TAG) and Mandiant discovered UNC5812, a suspected Russian espionage and influence operation. It delivered Windows and Android malware through a Telegram persona called “Civil Defense.”
The persona claimed to offer free software that let potential recruits view and share the locations of Ukrainian military recruiters. In reality, the installers delivered malware matched to the visitor’s operating system.
Aimed at users on Telegram
UNC5812 also engaged in influence activities, promoting narratives to undermine support for Ukraine’s mobilization efforts. They used a Telegram channel and a website to distribute the malware and spread anti-mobilization content. The campaign became fully operational in September 2024, and they were observed purchasing promoted posts on legitimate Ukrainian-language Telegram channels to attract more victims.
The ultimate goal was to get victims to download programs from the “Civil Defense” website, which resulted in the installation of different malware families depending on the platform. Windows users received a malware loader known as Pronsis Loader, while Android users were served a variant of the CRAXSRAT backdoor. The website also contained justifications for delivering the Android app as an APK outside the Google Play store, along with guides for disabling Google Play Protect, the built-in control that would otherwise warn about a harmful sideloaded package.
Influence Operation Against Mobilization
In parallel, UNC5812 sought to discredit Ukraine’s mobilization efforts by asking users to upload videos of alleged unfair actions by recruitment centers. This content was then used to reinforce anti-mobilization narratives and to discredit the Ukrainian military.
Malware Analysis
UNC5812 uses two different malware delivery chains, one for Windows and one for Android, both served from its civildefense(.)com(.)ua website. Both chains deliver a decoy mapping application called SUNSPINNER, which displays purported locations of Ukrainian military recruiters fetched from a server controlled by the attackers.
For Windows, the download is a customized version of Pronsis Loader, which retrieves both the SUNSPINNER decoy binary and a second-stage downloader, “civildefensestarter.exe.” The chain culminates in the execution of PURESTEALER, an infostealer that collects browser data, cryptocurrency wallets, and data from email and messaging applications.
For Android, the downloaded APK bundles the SUNSPINNER decoy and behaves as a dropper: it requests permission to install additional packages and, if the user grants it, downloads and installs a variant of the CRAXSRAT backdoor. CRAXSRAT provides file, SMS, contact, and credential management as well as location, audio, and keystroke monitoring. This second install step is why the Civil Defense site also walks users through disabling Google Play Protect: with it off, the sideloaded payload installs without the warning that would otherwise appear.
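The two delivery chains above leave a small number of artifacts that a defender can sweep for: contact with the civildefense(.)com(.)ua domain, execution of the second-stage downloader civildefensestarter.exe, and an Android package that asks for the right to install further packages. The following Python is an added example written for this page; it is not code from the original article nor from Google or Mandiant. The telemetry line format, the sample log lines, the sample manifest and its package name are all constructed for the example, and the permission name `android.permission.REQUEST_INSTALL_PACKAGES` is my assumption for what the article describes in prose as "permissions to install additional packages".

```python
"""Triage checks for the UNC5812 delivery-chain artifacts named in the article.

Added example, not code from the original article or from Google/Mandiant.
Assumptions: the telemetry line format and sample lines are constructed;
the Android permission name is the standard one for installing further
packages (android.permission.REQUEST_INSTALL_PACKAGES), which the article
only describes in prose.
"""
import re
import xml.etree.ElementTree as ET

# Artifacts taken from the article. The domain appears defanged in the text,
# so both forms are normalised before matching.
DELIVERY_DOMAIN = "civildefense.com.ua"
SECOND_STAGE_EXE = "civildefensestarter.exe"
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"  # assumption

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Match the domain as a whole label sequence (www.civildefense.com.ua/... is a
# hit, notcivildefense.com.ua is not).
_DOMAIN_RE = re.compile(
    r"(?<![a-z0-9-])" + re.escape(DELIVERY_DOMAIN) + r"(?![a-z0-9-])"
)


def refang(value: str) -> str:
    """Undo report-style defanging such as civildefense(.)com(.)ua or hxxps://
    so a copy/paste from a threat report still matches live telemetry."""
    return value.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def scan_telemetry(lines):
    """Return (line_no, reason) for each telemetry line that touches the
    delivery domain or the second-stage downloader.

    Constructed line format: <timestamp> <host> <event_type> <detail>
    where event_type is dns, proxy or process. Malformed lines are skipped
    so one bad record does not abort the sweep.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        parts = line.strip().split(maxsplit=3)
        if len(parts) < 4:
            continue
        _, host, event, detail = parts
        detail = refang(detail).lower()
        if event in ("dns", "proxy") and _DOMAIN_RE.search(detail):
            hits.append((n, f"{host}: {event} contact with {DELIVERY_DOMAIN}"))
        elif event == "process" and SECOND_STAGE_EXE in detail:
            hits.append((n, f"{host}: second-stage downloader {SECOND_STAGE_EXE} executed"))
    return hits


def requests_install_packages(manifest_xml: str) -> bool:
    """True if a decoded AndroidManifest.xml declares the permission that lets
    an app install further APKs: the dropper behaviour the article attributes
    to the Civil Defense Android package."""
    root = ET.fromstring(manifest_xml)
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") == INSTALL_PERMISSION:
            return True
    return False


# Constructed sample telemetry: one infected host (ws-0417) and one clean host.
SAMPLE_TELEMETRY = [
    "2024-09-18T10:02:11Z ws-0417 dns query=civildefense(.)com(.)ua type=A",
    "2024-09-18T10:02:13Z ws-0417 proxy GET hxxps://civildefense(.)com(.)ua/download/windows",
    "2024-09-18T10:03:40Z ws-0417 process image=C:\\Users\\user\\AppData\\Local\\Temp\\civildefensestarter.exe",
    "2024-09-18T10:05:02Z ws-0920 dns query=example.com type=A",
    "2024-09-18T10:05:05Z ws-0920 process image=C:\\Windows\\System32\\notepad.exe",
]

# Constructed sample manifest; the package name is invented for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.decoymap">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for line_no, reason in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {reason}")
    print("manifest requests install-packages permission:",
          requests_install_packages(SAMPLE_MANIFEST))
```

The domain check deliberately normalises defanged notation before matching, because indicators lifted from reports are usually pasted in defanged form and would otherwise never fire. The manifest check is a coarse triage filter, not an attribution: legitimate app stores and MDM agents also declare this permission, so a hit should be read together with the sideload source and the Play Protect state rather than on its own.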