Russian hybrid espionage and influence campaign (material by Google Threat Intelligence Group, supplemented by InfoLight.UA)

The Google Threat Intelligence Group has detected a new Russian hybrid operation (UNC5812) aimed at both disrupting mobilization in Ukraine and possibly obtaining personal data of Ukrainian conscripts. The attackers are using the Telegram channel “Civil Defense” to distribute malware under the guise of “a program to track the location of the TCC employees.”

According to researchers, the operation began in September 2024. The attackers created the website civildefense[.]com.ua and the corresponding Telegram channel, through which they distribute malware for Windows and Android. The programs allegedly allow tracking the location of TCC employees, but in fact install PURESTEALER and CRAXSRAT spyware on victims’ devices.

To distribute their materials, Russian operators buy advertising on Ukrainian Telegram channels, including channels with air raid alerts. In parallel with the distribution of malware, an active information campaign against mobilization in Ukraine is underway.

According to the InfoLight.UA Research and Analysis Group, which has been investigating malicious Russian narratives since May 2022, such operations have become systemic. It is currently difficult to assess whether the main goal was to obtain personal data of Ukrainian men avoiding mobilization, ordinary cyber fraud, or malicious influence on mobilization, but the scheme used is quite typical.

Analysis by InfoLight.UA

The InfoLight.UA research and analysis group, which has been systematically investigating Russian disinformation campaigns since May 2022, has found that the operation detected by Google is part of a much larger strategy. After the direct threat of occupation of Kyiv disappeared, Russia dramatically changed its approach to information warfare, moving from primitive narratives about the “second army of the world” to complex multi-level influence operations.

Our research has revealed three key areas of work of the Russian disinformation machine against mobilization in Ukraine, which are closely intertwined.

The first area is the creation of fakes with a high emotional impact. An illustrative example was the story about the alleged delivery of summonses at the funerals of fallen soldiers. This narrative appeared in the Russian media in January 2024, after which it was “confirmed” by a series of staged videos on TikTok. Characteristically, anonymous accounts with nicknames typical of Russian provocateurs (for example, @vovk14888) were used to create the original content. The people in the videos usually hide their faces with balaclavas, change their voices, and have no identifying marks.

The second area is the creation of “legitimate” sources of disinformation. A striking example was the operation to spread fake news about the “TCC in Moldova” in April 2024. Here we see a classic scheme: pro-Russian politician Tudor Șoilița from the banned in Moldova party SOR creates a provocative video with Ukrainian law enforcement officers who were in Ungheni for an official FRONTEX training. This information is then simultaneously disseminated by allegedly Ukrainian “human rights activists” and openly pro-Russian channels, several minutes apart. After that, the fake is “legalized” through a post by Ukrainian Armed Forces soldier Ihor Kryvoruchko, which is picked up by dozens of Facebook groups.

The third, most systematic area is the creation of a network of “experts” and “human rights activists.” Here, the connection between the anti-vaccination movement of 2020-2021 and the current anti-mobilization campaign is particularly telling. One of the key roles in this network is played, for example, by the NGO Dosta-Ukraine, which has an extensive structure throughout the country. Its regional representatives, such as Marian Chava in Lviv, create provocations with representatives of the TCC, film them and distribute them through a powerful network of YouTube channels.

This network includes “lawyer-bloggers” in all key regions: Lviv, Odesa, Kyiv, Poltava, Chernivtsi, and other cities. Their channels have between 100 and 500 thousand subscribers, and some of their videos have up to a million views. It is noteworthy that these same individuals were previously active opponents of vaccination and quarantine restrictions.

A particular danger is that these “experts” are actively quoted by the central Ukrainian media. This creates the effect of legitimizing anti-mobilization narratives in the media space.

Since the end of 2022, InfoLight.UA has been using the Osavul platform to monitor these processes, which has allowed us to systematize information about Russia’s activities to disrupt mobilization. Our data show that this network is not just spreading disinformation, but is trying to create parallel structures under the guise of “territorial communities” and is systematically working to undermine trust in state institutions.

Below is the full translation of the material from Google Threat Intelligence Group “Hybrid Russian espionage and influence campaign aims to compromise Ukrainian conscripts and spread anti-mobilization narratives”.

Before that, we would like to point out that the example given in the article is actually about a fairly small channel in terms of reach. At its peak, according to Telemetr.io, it had 500 subscribers.

And the channels that advertised it have all the signs of fake views. That is, these are fake channels that hide malware and a website that looks like a depository.

However, the main emotional triggers for Ukrainians were used: the distribution of summonses (the location of TCC employees) and air raids. Given that in September and October the number of drone attacks on the rear of the city became as intense as possible, we can say that this is not an isolated and coordinated attack.

Google Threat Intelligence Group

In September 2024, the Google Threat Intelligence Group (consisting of the Google Threat Analysis Group (TAG) and Mandiant) identified UNC5812, a suspected Russian hybrid espionage and influence operation that distributed malware for Windows and Android using a Telegram persona called “Civil Defense.” “Civil Defense claims to be a provider of free software designed to allow potential recruits to view and share crowdsourced addresses of Ukrainian military recruiters. If installed with Google Play security disabled, these apps deliver a victim a variant of commodity malware for a specific operating system along with a decoy mapping app we track called SUNSPINNER. In addition to using its Telegram channel and website to deliver malware, UNC5812 is also actively engaged in influence activities, spreading narratives and soliciting content aimed at undermining support for Ukraine’s mobilization efforts.

Figure 1: Personnel UNC5812 “Civil defense”

Targeting Telegram users.

UNC5812 malware delivery operations are carried out both through the Telegram channel@civildefense_com_uaand the website located at civildefense[.]com.ua. The website was registered in April 2024, but the Telegram channel was created only in early September 2024, when we believe the UNC5812 campaign became fully operational. In order to attract potential victims to these actor-controlled resources, we believe that UNC5812 is likely to buy promoted posts on legitimate, established Ukrainian-language Telegram channels.

• On September 18, 2024, a legitimate channel with over 80,000 subscribers dedicated to missile alerts was spotted promoting the Civil Defense’s Telegram channel and website to its followers.
• An additional Ukrainian-language news channel promoted Civil Defense’s posts as recently as October 8, indicating that the campaign is likely still actively seeking new Ukrainian-speaking communities to target.
• Channels promoting Civil Defense posts advertise the opportunity to contact their administrations about sponsorship opportunities. We suspect that this is a likely vector used by UNC5812 to reach out to relevant legitimate channels to increase the reach of the operation.

Figure 2: Civil Defense propaganda in Ukrainian-language communities dedicated to missile warnings and news

The ultimate goal of the campaign is to get victims to go to a UNC5812-controlled “Civil Defense” website that advertises several different programs for different operating systems. Installing these programs leads to the download of different families of commodity malware…

• For Windows users, the website provides a downloader, publicly tracked as the Pronsis Loader, written in PHP, which compiles to Java Virtual Machine (JVM) bytecode using the open source PHPproject. Once launched, Prosnis Loader initiates a convoluted malware delivery chain, resulting in SUNSPINNER and a product information thief commonly known as PURESTEALER.
• For Android users, the malicious APK file attempts to install a variant of the commercially available CRAXSRAT Android backdoor. Various versions of this payload have been observed, including a variant containing SUNSPINNER in addition to the CRAXSRAT payload.
• Although the Civil Defense website also advertises support for macOS and iPhone, only Windows and Android apps were available at the time of the analysis.

Figure 3: Download page translated from Ukrainian

Notably, the Civil Defense website also contains an unconventional form of social engineering designed to prevent users from suspecting that the APK was delivered outside the App Store and to justify the broad permissions required to install CRAXSRAT.

• The website’s FAQ section provides a strained justification for the Android app being hosted outside the App Store, suggesting that it is an attempt to “protect the anonymity and security” of its users and directing them to a set of accompanying video instructions.
• In the Ukrainian-language video instructions, victims are asked to disable Google Play Protect, a service used to check applications for malicious functionality when they are installed on Android devices, and to manually enable all permissions after the malware is successfully installed.

Figure 4: Screenshots of video instructions on how to disable Google Play Protect and manually enable CRAXSRAT permissions

Operation to counter mobilization

In parallel to distributing malware and gaining access to the devices of potential recruits, UNC5812 also engages in propaganda activities to undermine mobilization and conscription in Ukraine. The group’s Telegram channel is actively used to encourage visitors and followers to upload videos of “unfair actions of territorial recruitment offices” – content that we believe is intended for further publication to reinforce UNC5812’s anti-mobilization narratives and discredit the Ukrainian military. Clicking on the “Send material” button opens a chat with an account controlled by the attacker https://t[.]me/UAcivildefenseUA…

• The Civil Defense website also features anti-mobilization images and content in Ukrainian, including a special news section that highlights alleged cases of unfair mobilization practices.
• The anti-mobilization content posted on the group’s website and Telegram channel appears to have originated from broader pro-Russian social media ecosystems. In at least one case, a video posted by UNC5812 was shared a day later by the Russian Embassy on the X account in South Africa.

Figure 5: Telegram UNC5812 and the Russian government account “X” post the same video in close proximity to each other, emphasizing their common focus on anti-mobilization narratives

Malware analysis

UNC5812 operates two unique malware delivery chains for Windows and Android devices that are distributed from the group’s website, located at civildefense[.]com[.]ua. The common thread between these different delivery chains is the parallel delivery of a decoy mapping program, tracked as SUNSPINNER, which shows users a map with the alleged location of Ukrainian military personnel from a command and control (C2) server controlled by the militants.

SUNSPINNER.

SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8) is a decoy application with a graphical user interface (GUI) written using the Flutter framework and compiled for Windows and Android environments. On startup, SUNSPINNER attempts to recognize a new “backend server” hostname from http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json, followed by a request for map tokens from https://fu-laravel.onrender[.]com/api/markers, which are then displayed in the GUI.

According to the functionality stated on the Civil Defense website, SUNSPINNER is capable of displaying crowdsourced markers with the locations of Ukrainian military recruiters, with the option for users to add their own markers. However, despite the limited functionality required to register and add markers, the map displayed does not contain any real user input. All the markers present in the JSON file extracted from the C2 SUNSPINNER infrastructure were added on the same day by the same user.

Figure 6: Decoy app for monitoring the location of Ukrainian military recruiters

Windows – Pronsis Loader to PURESTEALER

The Windows bootloader downloaded from the Civil Defense website, CivilDefense.exe (MD5: 7ef871a86d076dac67c2036d1bb24c39), is a custom build of Pronsis Loader, a recently discovered commodity malware used primarily by financially motivated attackers.

The Pronsis downloader is used to retrieve both the SUNSPINNER decoy binary and the second-stage downloader “civildefensestarter.exe” (MD5: d36d303d2954cb4309d34c613747ce58), which initiates a multi-stage delivery chain via a series of self-extracting archives and ultimately executes PURESTEALER on the victim’s device. The second-stage bootloader is written in PHP and compiled into Java Virtual Machine (JVM) bytecode using the open-source JPHP project, and then compiled as a Windows executable. This file is automatically executed by the CivilDefense installer. .

The final payload is PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a highly obfuscated commodity info-stealer written in .NET that is designed to steal browser data such as passwords and cookies, cryptocurrency wallets, as well as from various other applications such as mail and email clients. PURESTEALER is offered for sale by Pure Coder Team at a price ranging from $150 for a monthly subscription to $699 for a lifetime license.

Android – CraxsRAT.

The Android Package (APK) file downloaded from the Civil Defense website “CivilDefensse.apk” (MD5: 31cdae71f21e1fad7581b5f305a9d185) is a variant of the commercially available CRAXSRAT Android backdoor. CRAXSRAT provides functionality typical of a standard Android backdoor, including file management, SMS management, contact and credential collection, and a number of location, audio, and keystroke monitoring capabilities. Like PURESTEALER, it is also available for sale on underground forums.

The Android sample that was distributed during the analysis only displayed a splash screen with the Civil Defense logo. However, an additionally identified sample (MD5: aab597cdc5bc02f6c9d0d36ddeb7e624) contained the same SUNSPINNER decoy app as the one in the Windows delivery chain. When opened, this version asks the user for REQUEST_INSTALL_PACKAGES permission for Android, which, if granted, downloads the CRAXSRAT payload from http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk..

Figure 7: Error message displayed if the user does not grant REQUEST_INSTALL_PACKAGESpermission

Protecting our users

To combat serious threats, we use our research findings to improve the security of Google products. Once detected, all identified websites, domains, and files are added to Safe Browsing to protect users from further exploitation.

Google also constantly monitors the presence of Android spyware, and we deploy and continuously update protections in Google Play Protectwhich offers users protection on and off Google Play by scanning devices for potentially malicious apps regardless of the source of installation. Notably, the UNC5812 civilian defense website specifically included social engineering content and detailed video instructions on how the targeted user can disable Google Play Protect and manually enable the Android permissions required by CRAXSRAT to function. Safe Browsing also protects Chrome users on Android by showing them warnings before visiting unsafe sites. The app scanning infrastructure protects Google Play and allows Verify Apps to further protect users who install non-Google Play apps.

We also shared our findings with the national authorities of Ukraine, who took steps to prevent the campaign from being conducted by blocking the actor-controlled website Civil Defense from being allowed to operate at the national level.

Summary.

The hybrid espionage and information operation UNC5812 against potential Ukrainian conscripts is part of a broader surge in operational interest by Russian threat actors following changes to Ukraine’s national mobilization legislation in 2024. In particular, we have seen an increase in targeting of potential conscripts following the introduction of Ukraine’s national digital military identification system, which is used to manage the data of conscripts and speed up recruitment. According to EUvsDisinfo research, we also continue to see persistent efforts by pro-Russian actors to spread messages that undermine Ukraine’s mobilization efforts and sow public distrust of the officials who conduct them.

From a technology perspective, the UNC5812 campaign is very typical of Russia’s emphasis on achieving cognitive effects through its cyber capabilities and highlights the important role that messaging apps continue to play in the spread of malware and other cyber dimensions of Russia’s war in Ukraine. We believe that as long as Telegram remains a critical source of information in times of war, it will almost certainly remain a major vector of cyber activity for a range of Russia-related espionage and influence.

Indicators of compromise

For a more complete set of UNC5812 compromise indicators, Google Threat Intelligence Collection is available for registered users.