Hackers target Telegram for malware distribution due to its security flaws and user-friendly features that facilitate file sharing.
The anonymity and large user base of Telegram further enhance its attraction to illicit activities.
Google Threat Intelligence Group recently discovered that Russian hackers are attacking the Ukrainian military with malware via Telegram.
Technical Analysis
In September 2024, Google’s Threat Intelligence Group, comprising the TAG and Mandiant, uncovered a sophisticated Russian cyber operation codenamed UNC5812 that operated through a deceptive Telegram channel “@civildefense_com_ua” and website “civildefense[.]com.ua”.
According to the Google Cloud report, the operation posed as a service providing software to track Ukrainian military recruiters but actually distributed malicious software (malware) targeting both Windows and Android devices.
For Windows users, the operation deployed Pronsis Loader, a downloader written in PHP and compiled into Java Virtual Machine bytecode using JPHP, which then installed two malware variants:
- SUNSPINNER (a decoy mapping application)
- PURESTEALER (an information-stealing malware)
Android users were targeted with CRAXSRAT, a commercial backdoor malware, which required users to disable Google Play Protect for installation.
The operation spread through promoted posts in legitimate Ukrainian Telegram channels, including a missile alerts channel with 80,000+ subscribers, and continued active promotion until at least October 8th, 2024.
The campaign’s technical sophistication was evident in its multi-stage malware delivery system, which included social engineering tactics to convince users to disable security features and grant extensive permissions.
Simultaneously, UNC5812 conducted an influence operation through its platform that encourages users to submit videos of “unfair actions from territorial recruitment centers” via a dedicated Telegram account (https://t[.]me/UAcivildefenseUA).
The same platform also maintained a news section featuring “anti-mobilization content,” which was later shared across pro-Russian social media accounts, including the “Russian Embassy in South Africa’s X (formerly Twitter) account.”
The operation employs a deceptive mapping application called SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8), built using the Flutter framework, which displays fabricated locations of Ukrainian military recruits while connecting to a C2 server at h315225216.nichost[.]ru.
For Windows systems, the attack begins with CivilDefense.exe (MD5: 7ef871a86d076dac67c2036d1bb24c39) by using “Pronsis Loader” to deliver both SUNSPINNER and a secondary downloader “civildefensestarter.exe” (MD5: d36d303d2954cb4309d34c613747ce58).
The secondary downloader then installed PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a commercial .NET-based information stealer that harvests “browser credentials,” “cryptocurrency wallets,” and “messaging app data.”
The Android attack vector distributes CivilDefensse.apk (MD5: 31cdae71f21e1fad7581b5f305a9d185), which contains CRAXSRAT, a commercial Android backdoor capable of “file manipulation,” “SMS interception,” “credential theft,” and “comprehensive device monitoring.”
For operational control and data exfiltration, both types of malware keep connecting to the same backend infrastructure through “fu-laravel.onrender[.]com/api/markers.”
This is part of a planned cyber-espionage campaign aimed at Ukrainian military recruitment efforts following recent changes to Ukraine’s mobilization laws and the introduction of digital military IDs in 2024.
Indicators of Compromise
| Indicators of Compromise | Context |
| --- | --- |
| civildefense[.]com[.]ua | UNC5812 landing page |
| t[.]me/civildefense_com_ua | UNC5812 Telegram channel |
| t[.]me/UAcivildefenseUA | UNC5812 Telegram account |
| e98ee33466a270edc47fdd9faf67d82e | SUNSPINNER decoy |
| h315225216.nichost[.]ru | Resolver used in SUNSPINNER decoy |
| fu-laravel.onrender[.]com | Hostname used in SUNSPINNER decoy |
| 206.71.149[.]194 | C2 used to resolve distribution URLs |
| 185.169.107[.]44 | Open directory used for malware distribution |
| d36d303d2954cb4309d34c613747ce58 | Pronsis Loader dropper |
| b3cf993d918c2c61c7138b4b8a98b6bf | PURESTEALER |
| 31cdae71f21e1fad7581b5f305a9d185 | CRAXSRAT |
| aab597cdc5bc02f6c9d0d36ddeb7e624 | CRAXSRAT w/ SUNSPINNER decoy |
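The indicators above are published defanged (`[.]` in place of `.`), so they need refanging before they can be matched against logs. The script below is an added example, not code from the article or from Google's report: it loads the page's network and file-hash indicators, refangs the network ones, and sweeps them over a handful of constructed DNS/proxy/firewall log lines and an `md5sum`-style hash listing. The log lines, hostnames such as `ws-17`, and the file paths are all invented for the demonstration; only the indicator values come from the page.

```python
import hashlib
import re

# Network indicators as published on the page (defanged), mapped to the page's context column.
NETWORK_IOCS = {
    "civildefense[.]com[.]ua": "UNC5812 landing page",
    "t[.]me/civildefense_com_ua": "UNC5812 Telegram channel",
    "t[.]me/UAcivildefenseUA": "UNC5812 Telegram account",
    "h315225216.nichost[.]ru": "Resolver used in SUNSPINNER decoy",
    "fu-laravel.onrender[.]com": "Hostname used in SUNSPINNER decoy",
    "206.71.149[.]194": "C2 used to resolve distribution URLs",
    "185.169.107[.]44": "Open directory used for malware distribution",
}

# MD5 indicators from the page's table and prose, mapped to the sample they identify.
HASH_IOCS = {
    "4ca65a7efe2e4502e2031548ae588cb8": "SUNSPINNER",
    "e98ee33466a270edc47fdd9faf67d82e": "SUNSPINNER decoy",
    "7ef871a86d076dac67c2036d1bb24c39": "CivilDefense.exe (Pronsis Loader)",
    "d36d303d2954cb4309d34c613747ce58": "Pronsis Loader dropper (civildefensestarter.exe)",
    "b3cf993d918c2c61c7138b4b8a98b6bf": "PURESTEALER",
    "31cdae71f21e1fad7581b5f305a9d185": "CRAXSRAT (CivilDefensse.apk)",
    "aab597cdc5bc02f6c9d0d36ddeb7e624": "CRAXSRAT w/ SUNSPINNER decoy",
}


def refang(indicator):
    """Turn a defanged indicator ('example[.]com') back into its real form."""
    return indicator.replace("[.]", ".")


def _indicator_pattern(indicator):
    # Match the indicator as a whole token: a subdomain prefix (ending in '.') is allowed,
    # but '206.71.149.194' must not match inside '206.71.149.1940' or '1206.71.149.194'.
    return re.compile(r"(?<![A-Za-z0-9-])" + re.escape(indicator) + r"(?![A-Za-z0-9-])", re.IGNORECASE)


# Compiled once: (refanged indicator, context, pattern)
_NETWORK_PATTERNS = [(refang(i), ctx, _indicator_pattern(refang(i))) for i, ctx in NETWORK_IOCS.items()]


def match_network_logs(lines):
    """Return (line_index, indicator, context) for every log line that contains a network IoC."""
    hits = []
    for idx, line in enumerate(lines):
        for indicator, ctx, pattern in _NETWORK_PATTERNS:
            if pattern.search(line):
                hits.append((idx, indicator, ctx))
    return hits


def match_hash_records(records):
    """Parse md5sum-style output ('<md5>  <path>') and return (path, label) for known hashes."""
    hits = []
    for line in records.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1]
        if digest in HASH_IOCS:
            hits.append((path, HASH_IOCS[digest]))
    return hits


def md5_of_file(path):
    """MD5 of a file on disk, for feeding real files into the same lookup."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log lines (not real telemetry); hostnames and timestamps are invented.
LOGS = [
    "2024-10-01T12:00:01Z dns host=ws-17 qname=h315225216.nichost.ru type=A",
    "2024-10-01T12:00:05Z proxy host=ws-17 url=https://fu-laravel.onrender.com/api/markers status=200",
    "2024-10-01T12:01:00Z proxy host=ws-03 url=https://www.example.org/ status=200",
    "2024-10-01T12:02:10Z dns host=ws-09 qname=civildefense.com.ua type=A",
    "2024-10-01T12:03:00Z fw host=ws-17 dst=206.71.149.194 dport=443 action=allow",
]

# Constructed md5sum output; the first entry is the MD5 of an empty file and is benign.
HASH_RECORDS = """\
d41d8cd98f00b204e9800998ecf8427e  /home/user/Downloads/notes.txt
7ef871a86d076dac67c2036d1bb24c39  /home/user/Downloads/CivilDefense.exe
31cdae71f21e1fad7581b5f305a9d185  /sdcard/Download/CivilDefensse.apk
"""

if __name__ == "__main__":
    for idx, indicator, ctx in match_network_logs(LOGS):
        print(f"line {idx}: {indicator} ({ctx})")
    for path, label in match_hash_records(HASH_RECORDS):
        print(f"{path}: {label}")
```

Hosts that hit both the DNS resolver indicator and the `/api/markers` endpoint, as `ws-17` does in the sample, are the ones to triage first, since the article describes both the Windows and Android payloads beaconing to that backend. The MD5 list is only useful for exact-file matches; repacked builds will have different hashes, so the network indicators carry more weight over time.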