Russian Espionage Campaign Targets Ukrainian Military Recruits with Anti-Mobilization Messages

Google Threat Intelligence Group uncovered UNC5812, a suspected Russian hybrid espionage and influence operation that uses a Telegram persona, “Civil Defense”, to push Windows and Android malware at potential Ukrainian military recruits. The campaign pairs malware delivery with anti-mobilization messaging, spread through the Telegram channel and a companion Civil Defense website, with the aim of undermining Ukraine’s mobilization effort and public trust.

Key points

  • UNC5812 is linked to Russian hybrid espionage and influence operations.
  • The operation uses a Telegram persona called “Civil Defense” to distribute malware.
  • The operation targets both Windows and Android: Windows victims receive PURESTEALER (staged by a Pronsis Loader dropper) and Android victims receive CRAXSRAT, while SUNSPINNER serves as a decoy application bundled alongside the real payloads.
  • The campaign combines malware delivery with anti-mobilization narratives to undermine Ukraine’s mobilization efforts.
  • Google blocks the identified malicious websites and monitors for the spyware; Ukrainian authorities have blocked the actor-controlled site.

MITRE Techniques

  • [T1071.001] Web Protocols – The Telegram channel and the Civil Defense website are the delivery and messaging channels for both the malware and the anti-mobilization narratives.
  • [T1204] User Execution – No exploit is involved; victims are socially engineered into running the Windows binaries and installing the Android package themselves.
  • [T1547] Boot or Logon Autostart Execution – The implants persist on infected devices so the operator retains backdoor access.
  • [T1041] Exfiltration Over C2 Channel – PURESTEALER and CRAXSRAT send the data they collect back to the operator over their command-and-control channel.
  • [TA0040] Impact – Beyond the malware, the campaign’s objective is to undermine military recruitment and public trust in Ukraine; this influence goal maps to the Impact tactic rather than to a single ATT&CK technique.

Indicators of Compromise

  • [Domain] UNC5812 landing page – civildefense[.]com[.]ua
  • [URL] UNC5812 Telegram channel – t[.]me/civildefense_com_ua
  • [URL] UNC5812 Telegram account – t[.]me/UAcivildefenseUA
  • [MD5] SUNSPINNER decoy – e98ee33466a270edc47fdd9faf67d82e
  • [Domain] SUNSPINNER resolver – h315225216.nichost[.]ru
  • [Domain] SUNSPINNER decoy host – fu-laravel.onrender[.]com
  • [IP] C2 distribution – 206.71.149[.]194
  • [IP] Open directory for distribution – 185.169.107[.]44
  • [MD5] Pronsis Loader dropper – d36d303d2954cb4309d34c613747ce58
  • [MD5] PURESTEALER – b3cf993d918c2c61c7138b4b8a98b6bf
  • [MD5] CRAXSRAT – 31cdae71f21e1fad7581b5f305a9d185
  • [MD5] CRAXSRAT with SUNSPINNER decoy – aab597cdc5bc02f6c9d0d36ddeb7e624
  • [MD5] Windows payload CivilDefense.exe – 7ef871a86d076dac67c2036d1bb24c39
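A practical way to use the list above is to sweep DNS/proxy logs and an endpoint hash inventory against it. The script below is an added example, not code from the original page or from Google's report: it refangs the defanged indicators (`[.]` back to `.`), does label-aware suffix matching on domains so that subdomains match but look-alike names such as `notcivildefense.com.ua` do not, matches IPs exactly after stripping the port, and compares MD5s case-insensitively. The log lines and the file-hash inventory are constructed for the demonstration; the indicators are the ones from this page.

```python
"""IOC sweep for the UNC5812 indicators listed above.

Added example, not part of the original page or of Google's report.
The log lines and the file-hash inventory below are constructed for the
demonstration; the indicators themselves are the ones from the page.
"""
import re
from dataclasses import dataclass

# Defanged indicators copied from the list above ([.] instead of .).
IOC_DOMAINS = [
    "civildefense[.]com[.]ua",
    "h315225216.nichost[.]ru",
    "fu-laravel.onrender[.]com",
]
IOC_IPS = ["206.71.149[.]194", "185.169.107[.]44"]
IOC_MD5 = {
    "e98ee33466a270edc47fdd9faf67d82e": "SUNSPINNER decoy",
    "d36d303d2954cb4309d34c613747ce58": "Pronsis Loader dropper",
    "b3cf993d918c2c61c7138b4b8a98b6bf": "PURESTEALER",
    "31cdae71f21e1fad7581b5f305a9d185": "CRAXSRAT",
    "aab597cdc5bc02f6c9d0d36ddeb7e624": "CRAXSRAT with SUNSPINNER decoy",
    "7ef871a86d076dac67c2036d1bb24c39": "Windows payload CivilDefense.exe",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(query: str, ioc_domain: str) -> bool:
    """True if query equals the IOC domain or is a subdomain of it.

    Suffix matching is label-aware: 'notcivildefense.com.ua' must not match.
    """
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


@dataclass(frozen=True)
class Hit:
    kind: str       # "domain", "ip" or "md5"
    indicator: str  # matched indicator (or its label for hashes)
    evidence: str   # log line or file path that triggered the hit


# Constructed DNS/proxy log lines (not from the report):
# <timestamp> <client> query <fqdn> <rrtype>  |  <timestamp> <client> connect <ip>:<port>
SAMPLE_DNS_LOG = """\
2024-10-28T08:01:12Z 10.0.3.17 query civildefense.com.ua A
2024-10-28T08:01:13Z 10.0.3.17 query www.civildefense.com.ua A
2024-10-28T08:02:40Z 10.0.3.22 query notcivildefense.com.ua A
2024-10-28T08:05:09Z 10.0.3.17 query h315225216.nichost.ru A
2024-10-28T08:06:00Z 10.0.3.40 connect 185.169.107.44:80
2024-10-28T08:06:30Z 10.0.3.40 connect 185.169.107.4:80
"""

# Constructed endpoint inventory (not from the report): path -> md5.
SAMPLE_FILE_HASHES = {
    r"C:\Users\recruit\Downloads\CivilDefense.exe": "7ef871a86d076dac67c2036d1bb24c39",
    r"C:\Users\recruit\Downloads\setup.exe": "0123456789abcdef0123456789abcdef",
    "/sdcard/Download/civildefense.apk": "31CDAE71F21E1FAD7581B5F305A9D185",  # upper-case
}


def sweep_logs(log_text: str) -> list[Hit]:
    """Return one Hit per log line that touches an IOC domain or IPv4 address."""
    domains = [refang(d) for d in IOC_DOMAINS]
    ips = {refang(ip) for ip in IOC_IPS}
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+) (\S+) (query|connect) (\S+)", line)
        if not m:
            continue  # unparseable line: skip rather than guess
        _, _, action, target = m.groups()
        if action == "query":
            for d in domains:
                if domain_matches(target, d):
                    hits.append(Hit("domain", d, line))
        else:
            host = target.rsplit(":", 1)[0]  # strip port; IPv4 only, exact match
            if host in ips:
                hits.append(Hit("ip", host, line))
    return hits


def sweep_hashes(inventory: dict[str, str]) -> list[Hit]:
    """Return one Hit per file whose MD5 is in the IOC set (case-insensitive)."""
    return [Hit("md5", IOC_MD5[h.lower()], path)
            for path, h in inventory.items() if h.lower() in IOC_MD5]


if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_DNS_LOG) + sweep_hashes(SAMPLE_FILE_HASHES):
        print(f"{hit.kind:6} {hit.indicator:34} {hit.evidence}")
```

MD5 is what the page publishes, so that is what the sweep keys on; treat a hash hit as a confirmation, not a detection strategy, since a recompiled sample changes the hash while the domains and the Telegram handles are the more durable indicators.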

Read more: https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/