Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Oct. 31, 2024, 8 p.m.

Description

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys Pronsis Loader, which installs SUNSPINNER (a decoy mapping application) and PURESTEALER (an information-stealing malware). Android users are targeted with CRAXSRAT, a commercial backdoor malware. The operation spreads through promoted posts in legitimate Ukrainian Telegram channels and employs social engineering tactics. The campaign also includes an influence operation sharing anti-mobilization content across pro-Russian social media networks. This cyber-espionage effort aims to exploit recent changes in Ukraine's mobilization laws and the introduction of digital military IDs.

Date

  • Created: Oct. 31, 2024, 3:14 p.m.
  • Published: Oct. 31, 2024, 3:14 p.m.
  • Modified: Oct. 31, 2024, 8 p.m.

Indicators


Attack Patterns

  • CRAXSRAT
  • Pronsis Loader
  • PURESTEALER
  • SUNSPINNER
  • UNC5812
  • T1608.001
  • T1588.002
  • T1189
  • T1113
  • T1123
  • T1005
  • T1547
  • T1071
  • T1102
  • T1204
  • T1056
  • T1584
  • T1566
  • T1059

Additional Information

  • Defense
  • Government
  • Ukraine
  • Russian Federation