Russian Hackers Attacking Ukraine Military With Malware Via Telegram
Oct. 31, 2024, 8 p.m.
Description
Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys Pronsis Loader, which installs SUNSPINNER (a decoy mapping application) and PURESTEALER (an information-stealing malware). Android users are targeted with CRAXSRAT, a commercial backdoor malware. The operation spreads through promoted posts in legitimate Ukrainian Telegram channels and employs social engineering tactics. The campaign also includes an influence operation sharing anti-mobilization content across pro-Russian social media networks. This cyber-espionage effort aims to exploit recent changes in Ukraine's mobilization laws and the introduction of digital military IDs.
Date
Published: Oct. 31, 2024, 3:14 p.m.
Created: Oct. 31, 2024, 3:14 p.m.
Modified: Oct. 31, 2024, 8 p.m.
Indicators
Attack Patterns
CRAXSRAT
Pronsis Loader
PURESTEALER
SUNSPINNER
UNC5812
T1608.001
T1588.002
T1189
T1113
T1123
T1005
T1547
T1071
T1102
T1204
T1056
T1584
T1566
T1059
Additional Information
Defense
Government
Ukraine
Russian Federation