UNC5812: Unmasking the Russian Operation to Sabotage Ukraine’s Military Recruitment
Google’s Threat Intelligence Group has uncovered a suspected Russian espionage campaign aimed at Ukrainian military recruits. The operation, tracked as UNC5812, combines malware with misinformation to undermine Ukraine’s mobilization efforts.
According to Google, UNC5812 uses a “Civil Defense” persona on Telegram to lure Ukrainian conscripts with “free” tools purportedly for tracking local military recruiters. However, these tools come at a hefty price. Once installed on Android or Windows, they deliver a range of malicious software, including commodity malware such as CRAXSRAT on Android and PURESTEALER on Windows.
A unique aspect of this operation is the “SUNSPINNER” app, a decoy map program designed to look like a legitimate crowdsourced mapping tool that in fact pulls its markers from UNC5812’s servers. Google’s report clarifies, “Despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present…were added on the same day by the same user.” This controlled environment further suggests that the app’s sole purpose is to attract potential recruits while delivering malware in the background.
UNC5812’s tactics reflect Russia’s dual strategy of cyber infiltration and psychological manipulation. To push its influence further, UNC5812 actively promotes its “Civil Defense” channel through established Telegram channels, including missile alert groups, and solicits material to support anti-mobilization narratives. As Google’s team notes, this campaign underscores how “Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity.”
To counter this operation, Google has taken swift action, adding all identified domains and files to Safe Browsing and collaborating with Ukrainian authorities to curb UNC5812’s reach within the country.