SecurityWeek reports that Ukrainian military conscripts have been targeted with Android and Windows malware as part of a new attack campaign by the Russian cyberespionage and influence operation UNC5812.
Under the guise of "Civil Defense" on Telegram, UNC5812 distributed free Ukrainian military recruiter locator software. When downloaded on Android devices, the software triggered the deployment of the CraxsRat backdoor, which has keystroke tracking, contact and credential exfiltration, and file and SMS management capabilities, as well as the decoy mapping app SunSpinner, according to a report from the Google Threat Intelligence Group. Windows machines targeted by UNC5812, on the other hand, were compromised with the Pronsis Loader malware, which facilitates injection of SunSpinner and the PureStealer malware, which allows the theft of data from browsers and other apps. Aside from malware attacks, UNC5812 has also been using the Telegram channel for influence operations. "Consistent with research from EUvsDisinfo, we also continue to observe persistent efforts by pro-Russia influence actors to promote messaging undermining Ukraine’s mobilization drive," researchers said.