Malware Distribution Linked to Anti-Mobilization Efforts Through ‘Civil Defense’ Messaging
Reports indicate that potential recruits for the Ukrainian military are being targeted by malware campaigns intertwined with anti-mobilization messaging, utilizing legitimate Telegram channels as conduits for their efforts. Google’s Threat Intelligence Group identified this operation as a hybrid espionage initiative, attributed to a suspected Russian group known as UNC5812, which operates under the guise of a Telegram persona named “Civil Defense.”
Telegram is a critical information source for Ukrainians, particularly given the ongoing conflict initiated by Russia. As such, it has become a prime target for the Kremlin’s disinformation and malign influence campaigns. The UNC5812 group has leveraged the Ukrainian-language Telegram channel @civildefense_com_ua and the domain civildefense.com.ua as part of a broader strategy to lure victims, reportedly beginning its operations last month. Analysts from Google explained that the group is likely employing sponsored posts on established Telegram channels to drive traffic to these malicious resources.
One notable instance involved a post that directed users to the Civil Defense website, first registered in April. This September 18th post claimed to provide free software for various operating systems to help military recruits identify the locations of Ukrainian military recruiters. However, investigations revealed that the website actually distributed malicious installers rather than legitimate software, marking the first stage of a malware delivery chain.
For Windows users, the site introduced an installer labeled Pronsis Loader, which is designed to facilitate the installation of fraudulent mapping software—dubbed SunSpinner—that misrepresents location information and subsequently deploys a malware known as PureStealer. This infostealer, marketed by a group calling itself the “Pure Coder Team,” is designed to extract sensitive data such as browser cookies and passwords, posing severe risks to users’ online security.
Android users were similarly targeted with a malicious APK named CivilDefensse.apk, which attempts to deploy a variant of the Craxs remote-access Trojan. This malicious software gives the operators backdoor access to compromised devices, and in some cases it also attempts to install the Android version of the previously mentioned SunSpinner. In response to these security threats, Ukrainian authorities have moved to block access to the Civil Defense website, while Google has incorporated the identified sites and files into its Safe Browsing filter.
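As an added defender-side example (not code from the article or from Google’s report), the script below checks DNS and web proxy log lines against the indicators named in this article: the domain civildefense.com.ua, the Telegram channel @civildefense_com_ua, and the file name CivilDefensse.apk. Matching treats subdomains of the indicator domain as hits and compares file names case-insensitively, since loaders are often re-hosted under slightly varied paths. The log lines and client addresses are constructed for illustration, and the log format (`host=`, `client=` fields) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Indicators taken from the article (UNC5812 / "Civil Defense" campaign).
IOC_DOMAINS = {"civildefense.com.ua"}
IOC_TELEGRAM_HANDLES = {"civildefense_com_ua"}  # the @civildefense_com_ua channel
IOC_FILENAMES = {"civildefensse.apk"}           # campaign's spelling, with a double "s"

# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOGS = [
    "2024-10-03T10:12:44Z dns query host=civildefense.com.ua client=10.0.0.23",
    "2024-10-03T10:12:51Z proxy GET https://civildefense.com.ua/download/CivilDefensse.apk client=10.0.0.23 status=200",
    "2024-10-03T10:13:02Z proxy GET https://example.org/index.html client=10.0.0.24 status=200",
    "2024-10-03T10:14:10Z proxy GET https://t.me/civildefense_com_ua client=10.0.0.25 status=200",
]

HOST_RE = re.compile(r"(?:host=|https?://)([A-Za-z0-9.-]+)")
URL_RE = re.compile(r"https?://\S+")
CLIENT_RE = re.compile(r"client=(\S+)")


@dataclass(frozen=True)
class Finding:
    kind: str        # "domain", "filename" or "telegram"
    indicator: str   # the IoC that matched
    client: str      # source address from the log line, or "unknown"
    line: str        # the raw log line, kept for triage


def _host_matches(host: str, ioc: str) -> bool:
    """True if host equals the indicator domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def scan_line(line: str) -> List[Finding]:
    """Return every indicator hit found in a single log line."""
    findings: List[Finding] = []
    m = CLIENT_RE.search(line)
    client = m.group(1) if m else "unknown"

    # Domain indicators: covers both DNS host= fields and URLs.
    for host in HOST_RE.findall(line):
        for ioc in IOC_DOMAINS:
            if _host_matches(host, ioc):
                findings.append(Finding("domain", ioc, client, line))

    # File-name and Telegram-channel indicators: need the URL path.
    for url in URL_RE.findall(line):
        host, _, rest = url.split("://", 1)[1].partition("/")
        basename = rest.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if basename in IOC_FILENAMES:
            findings.append(Finding("filename", basename, client, line))
        if host.lower() in ("t.me", "telegram.me"):
            handle = rest.split("/", 1)[0].split("?", 1)[0].lower()
            if handle in IOC_TELEGRAM_HANDLES:
                findings.append(Finding("telegram", "@" + handle, client, line))
    return findings


def scan_logs(lines: Iterable[str]) -> List[Finding]:
    """Scan many log lines and collect all findings in order."""
    out: List[Finding] = []
    for line in lines:
        out.extend(scan_line(line))
    return out


def affected_clients(findings: Iterable[Finding]) -> Set[str]:
    """Hosts that contacted any indicator; candidates for isolation and review."""
    return {f.client for f in findings}


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.kind:9} {f.indicator:25} client={f.client}")
    print("clients to review:", sorted(affected_clients(hits)))
```

In practice the indicator sets would be loaded from a feed rather than hard-coded, and a hit on the APK file name or the domain should trigger a check for the Windows loader and the Android RAT on the client in question, not just a block.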
The tactics applied here align with the MITRE ATT&CK framework, particularly in the realms of initial access via social engineering and exploitation, as well as persistence through the deployment of malware that enables sustained control over victim devices. The campaign underscores the insidious methods employed by Russian operatives, who manipulate existing social divides—such as recent updates to Ukraine’s mobilization laws—to disseminate anti-mobilization propaganda.
Furthermore, the Kremlin is reportedly vigilant in monitoring Ukrainian media for exploitable narratives that can distract from mobilization efforts, including allegations of corruption and military disputes. The current campaign attributed to UNC5812 epitomizes these tactics, as it not only serves as a vector for malware but also actively participates in spreading narratives designed to diminish public support for Ukrainian military mobilization.
In conclusion, this ongoing threat highlights the continuous and evolving tactics of state-sponsored cyber actors, who combine information warfare with sophisticated cyber-attacks, exploiting societal vulnerabilities amid a fraught geopolitical climate.