Pro-Russian Cyber Campaign Targets Ukrainians with Malware and Anti-Mobilization Propaganda

In a concerning development, a sophisticated cyber campaign is targeting Ukrainian internet users, leveraging popular Telegram channels to spread malware and undermine national mobilization efforts. Google has attributed this activity to a threat actor identified as UNC5812, which has been using legitimate Ukrainian-language Telegram channels to distribute dangerous software and anti-mobilization propaganda.
UNC5812’s Use of Telegram to Reach Victims
In recent months, UNC5812 has purchased promoted posts on legitimate Ukrainian-language Telegram channels to target large audiences, some with as many as 80,000 subscribers. Notably, the campaign has revolved around a website posing as an official "Civil Defense" initiative, luring users with the promise of software to help them stay anonymous and secure online. In reality, this website and its promoted posts are part of a larger scheme to infect devices with malware and conduct influence operations aimed at destabilizing Ukraine’s recruitment efforts.
The Malicious “Civil Defense” Website
The so-called "Civil Defense" website, controlled by UNC5812, claims to provide software for various operating systems, including an Android application available exclusively outside Google Play. This restriction is presented as a security feature, implying it is safer than Play Store offerings. However, this is a cover for distributing malware that can compromise users’ devices.
To successfully install this malware, the website instructs users to disable Google Play Protect—a key security feature that protects Android users from potentially harmful apps—and to manually enable full permissions for the application. By encouraging users to bypass these essential protections, UNC5812 increases the likelihood of infecting devices without detection, granting the malware broad access to device data and functionality.
Influence Activities and Disinformation
In addition to malware distribution, UNC5812 is engaging in influence operations aimed at eroding Ukrainian morale and military support. The "Civil Defense" Telegram channel has actively encouraged users to upload videos that could discredit the Ukrainian military, while promoting narratives opposing mobilization efforts. This channel appears designed to sway public opinion and fuel distrust in Ukraine’s military operations.
The website associated with UNC5812 is also populated with Ukrainian-language content and imagery explicitly opposing mobilization. A "news" section highlights cases of alleged unjust mobilization, capitalizing on any public grievances related to the issue. This multifaceted approach—combining malware with disinformation—points to an effort not only to compromise devices but also to undermine Ukraine’s defense efforts from within.
Google’s Response and Broader Implications
Google has acted swiftly to counter this campaign, notifying Ukrainian authorities of UNC5812’s activities and blocking access to the "Civil Defense" website within Ukraine. Additionally, Google has added the domains and files associated with this campaign to its Safe Browsing feature, aiming to prevent further infection across Google services.
This cyber campaign is emerging at a time when Ukraine has introduced a national digital military ID to streamline the mobilization and management of recruits. According to Google’s findings, this shift has led to increased targeting of potential military recruits, aligning with broader disinformation efforts observed by EUvsDisinfo—a project that tracks misinformation from pro-Russian sources. Together, these findings illustrate a coordinated effort to exploit technological vulnerabilities and socio-political tensions, leveraging both malware and misinformation to destabilize Ukraine’s recruitment infrastructure.
Staying Safe in the Face of Targeted Campaigns
The UNC5812 campaign demonstrates how cyber actors can blend technical attacks with psychological manipulation to achieve strategic goals. For users, especially in Ukraine, heightened awareness of digital security is critical. Basic precautions include downloading apps only from trusted sources such as Google Play, never disabling critical security features such as Google Play Protect, and remaining vigilant about the legitimacy of Telegram channels that promote controversial content or unsolicited software.
As cyber campaigns continue to evolve in their sophistication and reach, coordinated responses from companies like Google and national authorities will remain essential to mitigate these threats. For individuals, understanding the risks of downloading unauthorized apps and engaging with potentially malicious online content can make a significant difference in staying safe from both malware and influence campaigns.