A Russian-aligned group named UNC5812 has been observed delivering a blend of Windows and Android malware, targeting the Ukrainian military. The campaign, tracked by Google’s Threat Analysis Group (TAG) and cybersecurity firm Mandiant, uses the Telegram persona “Civil Defense” to distribute malware and disseminate anti-mobilization narratives.
UNC5812 operates a Telegram channel named ‘civildefense_com_ua’, created on September 10, 2024, which had 184 subscribers at the time of the report. It also manages a website, civildefense.com[.]ua, registered on April 24, 2024. Both the Telegram channel and the website purport to offer free software that lets Ukrainian conscripts locate and report recruitment center activity. The downloads instead deliver malware built for Windows and Android, including Sunspinner, a decoy mapping application that lends the lure credibility.
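A first thing a defender does with a report like this is sweep DNS and proxy logs for the named infrastructure. The script below is an added example, not code from the Google TAG/Mandiant report: the only indicators it uses are the domain civildefense.com[.]ua and the Telegram handle civildefense_com_ua quoted above, it re-fangs the `[.]` notation reports use, and the log lines it runs over are constructed for the demo. It matches the domain and its subdomains but deliberately not look-alike names that merely contain the string, and it URL-decodes each line so a t.me link buried in a query string is still caught.

```python
"""IOC sweep for the Civil Defense infrastructure named in the article.

Added example, not from the Google TAG/Mandiant report. Only the domain
civildefense.com[.]ua and the Telegram handle civildefense_com_ua come from
the page; the log lines below are constructed for the demo.
"""
import re
from urllib.parse import unquote

# Indicators exactly as the article prints them (the domain is defanged with [.]).
DOMAIN_IOCS = ["civildefense.com[.]ua"]
TELEGRAM_HANDLES = ["civildefense_com_ua"]

# Constructed sample DNS/proxy lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-10-08T09:14:02Z dns   client=10.0.4.21 query=civildefense.com.ua type=A",
    "2024-10-08T09:14:05Z proxy client=10.0.4.21 GET https://civildefense.com.ua/ 200",
    "2024-10-08T09:20:11Z proxy client=10.0.4.33 GET https://t.me/civildefense_com_ua 200",
    "2024-10-08T09:25:00Z dns   client=10.0.4.50 query=notcivildefense.com.ua type=A",
    "2024-10-08T09:26:00Z dns   client=10.0.4.51 query=cdn.civildefense.com.ua type=A",
    "2024-10-08T09:30:00Z proxy client=10.0.4.52 GET https://example.com/?ref=https%3A%2F%2Ft.me%2Fcivildefense_com_ua 200",
]

# Hostname-looking tokens (at least one dotted label followed by an alphabetic TLD).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Telegram channel links of the form t.me/<handle>.
TME_RE = re.compile(r"\bt\.me/([A-Za-z0-9_]+)", re.I)


def refang(indicator: str) -> str:
    """Undo the [.] / hxxp defanging used in reports so the value matches raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself and its subdomains; False for look-alikes
    such as notcivildefense.com.ua that merely contain the string."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_lines(lines):
    """Return (line_number, indicator, observed_value) for every match, in log order."""
    domains = [refang(d).lower() for d in DOMAIN_IOCS]
    handles = {h.lower() for h in TELEGRAM_HANDLES}
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        text = unquote(raw)  # surface indicators hidden in URL-encoded query strings
        for host in dict.fromkeys(HOST_RE.findall(text)):  # de-duplicate, keep order
            for ioc in domains:
                if host_matches(host, ioc):
                    hits.append((lineno, ioc, host.lower()))
        for handle in dict.fromkeys(TME_RE.findall(text)):
            if handle.lower() in handles:
                hits.append((lineno, "t.me/" + handle.lower(), "t.me/" + handle))
    return hits


if __name__ == "__main__":
    for lineno, ioc, observed in scan_lines(SAMPLE_LOGS):
        print(f"line {lineno}: {observed} matches {ioc}")
```

On the constructed input the sweep flags lines 1, 2, 3, 5 and 6 and leaves line 4 (the look-alike domain) alone. To run it against real logs, replace SAMPLE_LOGS with the lines of the exported DNS or proxy log and extend DOMAIN_IOCS with any further indicators from the full report.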
The apps do not exploit a vulnerability; they depend on the victim switching off protections. The site instructs users to disable Google Play Protect and then manually grant the app every permission it requests, which is what allows the payload to install and run. On Windows, victims are presented with Pronsis Loader, a PHP-based downloader built with the JPHP project, which ultimately delivers Sunspinner along with an info-stealer called Purestealer. Android users who install the advertised APK receive Craxsrat, a commercially available backdoor, sometimes paired with Sunspinner.
While the website also claims to support macOS and iPhones, only Windows and Android payloads were available for download at the time of the investigation. The site uses unusual social engineering to explain why the app is distributed outside Google Play and why Craxsrat needs the extensive permissions it asks for.
UNC5812 also uses influence tactics to undermine support for Ukraine's military mobilization. The group solicits content highlighting alleged misconduct at military recruitment centers, likely aiming to amplify dissent and distrust in Ukraine’s mobilization efforts.
According to the report, UNC5812 has also purchased promotions in legitimate, high-traffic Ukrainian Telegram channels. In one instance, a missile alert channel with over 80,000 subscribers promoted the “Civil Defense” Telegram channel and website. Additional Ukrainian-language channels continued to promote Civil Defense content as recently as October 8, 2024, indicating the operation remains active and focused on expanding its audience, the researchers warned.