Russia Targets Ukrainian Conscripts With Windows, Android Malware

Summary:
Russian threat group UNC5812 has launched a complex espionage and influence campaign targeting Ukrainian military recruits, deploying malware for both Windows and Android devices. According to Google's Threat Analysis Group, UNC5812 operates under a fabricated "Civil Defense" persona, using a dedicated website and Telegram channel to promote a fake app called "Sunspinner." This app, which allegedly assists recruits in avoiding military conscription, conceals malware installations in the background, enabling extensive data theft and real-time spying capabilities.

The campaign leverages a Telegram channel—detected by Google in September 2024—that had already gathered over 80,000 members. Rather than impersonating government entities, UNC5812's "Civil Defense" persona presents itself as a Ukraine-friendly group offering advice and tools for conscription avoidance. Through this approach, it builds trust with its target audience, engaging users to download the "Sunspinner" app under the guise of a crowd-sourced mapping tool. Once downloaded, this app's fabricated map data merely serves as a cover for installing malware on user devices.

Security Officer Comments:
On Windows, the download executes Pronsis Loader, which fetches additional malicious payloads, including PureStealer—a tool designed to extract sensitive information like account passwords, cookies, cryptocurrency wallet details, email credentials, and data from messaging apps. The Android version is even more invasive, dropping CraxsRAT, a commercially available backdoor that allows UNC5812 to track the victim's location in real time, log keystrokes, activate audio recordings, retrieve contacts, access SMS messages, exfiltrate files, and harvest credentials. The app misleads users into disabling Google Play Protect, Android's built-in anti-malware feature, while urging them to grant it high-risk permissions to bypass default security protections.

Suggested Corrections:
In response, Google has updated its security defenses to counter the threat posed by this campaign. Google Play protections were enhanced to detect and block the Android malware early in its deployment, and Google added the associated domains and files to Chrome's Safe Browsing feature to prevent users from accessing malicious sites. Google has also shared the indicators of compromise (IoCs) related to this UNC5812 campaign:

https://cloud.google.com/blog/topic...ilitary-recruits-anti-mobilization-narratives
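The practical use of a published IoC list is to sweep your own telemetry for it. The script below is an added example, not code from Google or BleepingComputer: it parses a small "type,value" indicator feed into normalised sets, walks DNS resolver log lines looking for lookups of the listed domains (including subdomains of them, but not look-alike substrings), and compares file hashes against the listed SHA-256 values. The feed format, the DNS log format, the domain names (reserved .test/.example TLDs) and the file bytes are all constructed for this example and are not the campaign's real indicators; substitute the values from Google's published list.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for a downloaded APK. Its hash is computed below so the
# hash indicator in the feed is self-consistent; it is not a real sample.
SAMPLE_APK = b"constructed stand-in bytes for a downloaded APK"

# Constructed IoC feed in a simple "type,value" format (assumed, not Google's
# format). The domains are placeholders on reserved TLDs.
IOC_FEED = f"""
# type,value
domain,civil-defense-example.test
domain,Sunspinner-Download.example
sha256,{hashlib.sha256(SAMPLE_APK).hexdigest()}
"""


@dataclass
class IocSet:
    domains: Set[str]
    sha256: Set[str]


def parse_ioc_feed(text: str) -> IocSet:
    """Parse 'type,value' lines into normalised sets; blanks and '#' comments are skipped."""
    domains: Set[str] = set()
    hashes: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind = kind.strip().lower()
        # Domains are case-insensitive and may carry a trailing dot in DNS data.
        value = value.strip().lower().rstrip(".")
        if kind == "domain":
            domains.add(value)
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                raise ValueError(f"malformed sha256 indicator: {value!r}")
            hashes.add(value)
        else:
            raise ValueError(f"unknown indicator type: {kind!r}")
    return IocSet(domains, hashes)


def domain_matches(qname: str, blocked: Set[str]) -> Optional[str]:
    """Return the indicator that covers qname, or None.

    Walks up the label hierarchy so a lookup for cdn.bad.test is caught by an
    indicator for bad.test, while avoiding naive substring matching
    (notbad.test must not match bad.test).
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


# Assumed resolver log layout: "<timestamp> client=<ip> query=<name> type=<rr>".
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

# Constructed sample log lines for the example.
SAMPLE_DNS_LOG = [
    "2024-09-12T10:01:02Z client=10.0.0.5 query=cdn.civil-defense-example.test type=A",
    "2024-09-12T10:01:03Z client=10.0.0.5 query=www.google.com type=A",
    "2024-09-12T10:02:10Z client=10.0.0.9 query=Sunspinner-Download.example. type=A",
    "2024-09-12T10:02:11Z client=10.0.0.9 query=notcivil-defense-example.test type=A",
    "malformed line that the parser skips",
]

# Constructed files to hash-check: one matches the feed, one is benign.
SAMPLE_FILES: Dict[str, bytes] = {
    "Sunspinner.apk": SAMPLE_APK,
    "notes.txt": b"benign constructed file contents",
}


def scan_dns_log(lines: Iterable[str], iocs: IocSet) -> List[dict]:
    """Return one hit per log line whose queried name is covered by a domain indicator."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole sweep
        matched = domain_matches(m["qname"], iocs.domains)
        if matched:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": matched})
    return hits


def scan_files(files: Dict[str, bytes], iocs: IocSet) -> List[str]:
    """Return the names of files whose SHA-256 appears in the hash indicators."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() in iocs.sha256]


if __name__ == "__main__":
    iocs = parse_ioc_feed(IOC_FEED)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"{hit['ts']} {hit['client']} looked up {hit['qname']} (indicator: {hit['ioc']})")
    for name in scan_files(SAMPLE_FILES, iocs):
        print(f"file hash match: {name}")
```

The label-walking match is the part worth keeping: a domain indicator should catch hosts under it, but a plain `in` check on the string would also flag unrelated names that merely contain the indicator, which is the kind of false positive that erodes trust in a sweep.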

Link(s):
https://www.bleepingcomputer.com/ne...nian-conscripts-with-windows-android-malware/

https://cloud.google.com/blog/topic...ilitary-recruits-anti-mobilization-narratives