Screenshots of video instructions to turn off Google Play Protect and manually enable CRAXSRAT permissions | Image: Google Threat Intelligence Group
In a revealing discovery, Google's Threat Intelligence Group has uncovered a suspected Russian espionage campaign aimed at Ukrainian military recruits. Known as UNC5812, the operation employs both malware and strategic misinformation, cleverly woven together to undermine Ukraine's mobilization efforts.
According to Google, UNC5812 uses a "Civil Defense" persona on Telegram to lure Ukrainian conscripts with "free" tools purportedly for tracking local military recruiters. However, these tools come at a hefty price. Once installed on Android or Windows, they deliver a range of malicious software, including commodity malware such as CRAXSRAT on Android and PURESTEALER on Windows.
A unique aspect of this operation is the "SUNSPINNER" app, a decoy map program designed to look like a legitimate crowdsourced mapping tool but actually pulling markers from UNC5812's servers. Google's report clarifies, "Despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present…were added on the same day by the same user." This controlled environment further suggests the app's sole purpose is to attract potential recruits while delivering malware in the background.

UNC5812's tactics reflect Russia's dual strategy of cyber infiltration and psychological manipulation. To push its influence further, UNC5812 actively promotes its "Civil Defense" channel through established Telegram channels, including missile alert groups, and solicits material to support anti-mobilization narratives. As Google's team notes, this campaign underscores how "Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity."
To counter this operation, Google has taken swift action, adding all identified domains and files to Safe Browsing and collaborating with Ukrainian authorities to curb UNC5812's reach within the country.