A new Russia-linked cyber campaign targeted Ukrainian draft-age men with information-stealing malware as part of a broader effort to undermine the country’s mobilization and military recruitment plans. 

As part of the campaign, which ran from September until mid-October, the hackers tracked as UNC5812 promoted “free software programs” purportedly designed to help potential Ukrainian conscripts view and share crowdsourced locations of military recruiters, according to a report published by Google Monday.

Once installed, these programs delivered malware alongside a decoy app tracked as Sunspinner. The hackers developed different malware variants for both Windows and Android users.

This is not the first time Russia-linked threat actors have targeted Ukraine’s potential conscripts. Earlier in October, Ukraine’s computer emergency response team (CERT-UA) discovered a campaign distributing MeduzaStealer malware via a Telegram account disguised as a technical support bot for users of the new Ukrainian government app Reserve+.

For its operation, UNC5812 created a dedicated Telegram channel called Civil Defense, as well as a website that’s been labeled as dangerous by Google at the time of writing. To attract potential victims, the hackers likely purchased ads in legitimate Ukrainian-language Telegram channels with thousands of subscribers, researchers said.

For Windows users, the hackers' website delivers Pronsis Loader downloader, which was previously linked to financially-motivated threat actors. It installs PureStealer, an info-stealing malware that harvests browser data, cryptocurrency wallets and information from other apps.

For Android users, the malicious files attempt to install a variant of the commercially available Android backdoor CraxsRAT, capable of stealing credentials, monitoring the victim’s location and recording audio and keystrokes.

In an instructional video, the threat actor shows victims how to disable Google Play Protect — a service that scans applications for harmful functionality — and manually enable all permissions after installing the malware.

Influence operation

Beyond compromising devices, UNC5812 is engaged in influence activities aimed at reinforcing anti-mobilization narratives and discrediting the Ukrainian military, Google said. 

The hackers’ Telegram channel, for example, encourages visitors and subscribers to upload videos of “unfair actions” at recruitment centers. In one instance, a video shared by UNC5812 was reposted the following day by the Russian Embassy on South Africa's X (formerly Twitter) account.

The threat actor’s website also publishes Ukrainian-language anti-mobilization content, including a news section highlighting alleged cases of unjust mobilization.

Google noted that UNC5812's campaign against potential Ukrainian recruits is part of “a wider spike in operational interest from Russian threat actors following changes to Ukraine’s national mobilization laws in 2024.”

The operation also underscores the critical role that messaging apps continue to play in malware distribution and other cyber dimensions of Russia’s war in Ukraine.

“We assess that as long as Telegram remains a critical source of information during the war, it will almost certainly continue to serve as a primary vector for cyber-enabled activity by various Russian-linked espionage and influence actors,” Google said.