We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Russia Targets Ukrainian Conscripts With Malware

Russia Targets Ukrainian Conscripts With Malware
Husain Parvez Published on 1st November 2024 Cybersecurity Researcher

Russian-linked cyber espionage group UNC5812 has been targeting Ukrainian military conscripts with Windows and Android malware in a sophisticated campaign. Disguised as recruitment avoidance tools, the malware has been distributed via a Telegram channel named “Civil Defense” and a website registered earlier this year. The campaign was uncovered by Google’s Threat Analysis Group (TAG) and Mandiant in late 2024.

The primary target of this cyber campaign is Ukrainian men of draft age. UNC5812 promotes what it claims is “free software” to help users track and avoid military recruiters. The apps, branded as “Sunspinner,” are designed to appear as crowd-sourced tools but instead deliver potent malware to compromise victims' devices.

According to Google’s report, the Android version installs CraxsRAT, a notorious remote access trojan (RAT) with capabilities such as real-time location tracking, keystroke logging, and camera control. On Windows devices, a malicious ZIP file drops Pronsis Loader, which initiates a multi-stage delivery chain that results in the execution of the PureStealer info-stealer.

The persona of "Civil Defense" does not impersonate any legitimate Ukrainian governmental body. Instead, it uses Telegram and a website to distribute anti-recruitment narratives, intending to foster distrust towards Ukraine’s military efforts.

To deceive users, the malware prompts victims to disable Google Play Protect, making the infection process seamless and reducing the likelihood of detection. Once installed, the Android malware exfiltrates sensitive data such as contacts, SMS, and credentials. The Windows malware steals browser-stored information, cryptocurrency wallet details, and other sensitive information.

This campaign fits into a broader Russian strategy to use cyber tools as both espionage and psychological warfare. As The Record highlighted, UNC5812 doesn’t just stop at malware. Its influence operations encourage Telegram followers to submit videos of alleged injustices at recruitment centers, further fueling distrust towards the Ukrainian military.

Google’s TAG emphasized the growing importance of messaging apps like Telegram in the broader cyber dimensions of Russia's war against Ukraine. As long as these platforms continue to serve as crucial information hubs during the war, they are likely to remain central to future cyber operations.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address