UNC5812 Pushes Malware Through Telegram to Disrupt Ukraine’s Mobilization Efforts
The suspected Russian-linked threat group UNC5812 has recently been identified in an influence and espionage campaign targeting Ukraine, specifically aiming to undermine military mobilization efforts, as reported by Google Threat Intelligence Group. Operating through a persona known as "Civil Defense," the group established a Telegram channel and an associated website to disseminate malware disguised as software intended to help Ukrainian citizens monitor military recruitment activities. The website was registered in April 2024, while the Telegram channel became active in early September 2024. UNC5812's strategy includes using promoted posts on legitimate Ukrainian Telegram channels to direct potential victims to their website, in pursuit of the group's ultimate goal "to have victims navigate to the UNC5812-controlled 'Civil Defense' website, which advertises several different software programs for different operating systems. When installed, these programs result in the download of various commodity malware families," according to Google Threat Intelligence Group.
On Windows systems, UNC5812 employs a malware chain beginning with Pronsis Loader, which downloads a decoy mapping application, SUNSPINNER, and the final payload, PURESTEALER. Pronsis Loader is written in PHP and compiled with JPHP so that it runs inside the Java Virtual Machine (JVM), an unusual combination that helps disguise its malicious intent. Upon execution, Pronsis Loader triggers a series of operations, beginning with the download and execution of a second-stage downloader, "civildefensestarter.exe" (MD5: d36d303d2954cb4309d34c613747ce58). This downloader initiates multiple processes, including downloading and launching "cityproduct.exe" from the Temp directory, which subsequently opens additional backdoors and executes PURESTEALER. Other spawned processes include "icacls.exe," which grants access permissions on Java directories, and a PowerShell command that modifies Windows Defender exclusions to evade detection. PURESTEALER, a .NET-based information stealer, is designed to capture sensitive data such as passwords, browser data, and cryptocurrency wallets, enabling data theft from both private individuals and organizational targets.
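The chain above leaves a recognisable trail in process-creation telemetry: a hash match on the second-stage downloader, an executable launched from the user's Temp directory, icacls.exe granting permissions on a Java directory, and PowerShell changing Defender exclusions. The following detection sketch is an added example, not code from the Google report or from this article. It runs per-event rules over constructed sample events and then correlates hits up the process tree, so that the combination of behaviours, rather than any single noisy rule, raises the alert. The MD5 is the one given in the report; the Add-MpPreference cmdlet, the file paths, pids and icacls arguments are assumptions, since the report names only the behaviour and not the exact command lines.

```python
"""Correlation sketch for the Windows chain described in the article.

SAMPLE_EVENTS is constructed telemetry (not real logs) modelled on the
narrative. Assumed, not from the report: Add-MpPreference as the Defender
command, all paths, pids and icacls arguments.
"""
import re
from dataclasses import dataclass

# IoC taken from the report: MD5 of the second-stage downloader.
KNOWN_BAD_MD5 = {
    "d36d303d2954cb4309d34c613747ce58": "civildefensestarter.exe (second-stage downloader)",
}

# Assumed command shape; flags exclusion *changes* (Add-/Set-MpPreference),
# not reads such as Get-MpPreference.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon EventID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str = ""

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed sample events: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\u\Downloads\CivilDefense.exe", "CivilDefense.exe"),
    ProcEvent(300, 200, r"C:\Users\u\AppData\Local\Temp\civildefensestarter.exe",
              "civildefensestarter.exe", "d36d303d2954cb4309d34c613747ce58"),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\cityproduct.exe", "cityproduct.exe"),
    ProcEvent(500, 300, r"C:\Windows\System32\icacls.exe",
              r'icacls.exe "C:\Users\u\AppData\Local\Temp\java" /grant Everyone:(OI)(CI)F /T'),
    ProcEvent(600, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoP -W Hidden -c Add-MpPreference -ExclusionPath 'C:\Users\u\AppData\Local\Temp'"),
    # Benign noise: a developer fixing ACLs on a build tree, an admin reading settings.
    ProcEvent(700, 100, r"C:\Windows\System32\icacls.exe", r'icacls.exe "C:\Projects\build" /grant u:F'),
    ProcEvent(800, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-MpPreference"),
]


def check_event(ev: ProcEvent) -> list[str]:
    """Per-event rules; each appends a stable rule name when it fires."""
    hits = []
    if ev.md5.lower() in KNOWN_BAD_MD5:
        hits.append("ioc_md5_match")
    if ev.basename in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION_RE.search(ev.cmdline):
        hits.append("defender_exclusion_modified")
    if ev.basename == "icacls.exe":
        cmd = ev.cmdline.lower()
        if "/grant" in cmd and "java" in cmd:
            hits.append("icacls_grant_on_java_dir")
    if ev.basename.endswith(".exe") and USER_TEMP_RE.search(ev.image):
        hits.append("exe_launched_from_user_temp")
    return hits


def chain_pids(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[int]:
    """The event's pid plus its ancestors, stopping before the first ancestor
    under C:\\Windows (explorer, services), so a chain is attributed to the
    user-land process that started it rather than to the desktop shell."""
    pids = [ev.pid]
    parent = by_pid.get(ev.ppid)
    while parent and not parent.image.lower().startswith("c:\\windows\\"):
        pids.append(parent.pid)
        parent = by_pid.get(parent.ppid)
    return pids


def correlate(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Map each process to the distinct rules fired by it or its descendants."""
    by_pid = {e.pid: e for e in events}
    tree_hits: dict[int, set[str]] = {}
    for ev in events:
        hits = check_event(ev)
        for pid in (chain_pids(ev, by_pid) if hits else []):
            tree_hits.setdefault(pid, set()).update(hits)
    return tree_hits


def triage(events: list[ProcEvent], threshold: int = 3) -> dict[int, list[str]]:
    """Processes whose subtree fired at least `threshold` distinct rules.
    Each rule alone is noisy on real hosts; the combination is the signal."""
    return {pid: sorted(rules)
            for pid, rules in correlate(events).items() if len(rules) >= threshold}


if __name__ == "__main__":
    for pid, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"pid {pid}: {', '.join(rules)}")
```

On the sample data the two benign events fire nothing, and the dropper (pid 200) and the second-stage downloader (pid 300) each accumulate all four rules from their subtree, which is what an analyst would want surfaced first. Real deployments would feed the same rules from Sysmon or EDR process events and tune the threshold and the Temp-path pattern to the environment.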
On Android, UNC5812's malware chain involves CRAXSRAT, a commercially available backdoor enabling extensive access to device functions, including SMS management, file access, and geolocation monitoring. The Civil Defense website instructs users to disable Google Play Protect, which allows the malicious APK file to be installed. An alternative Android payload instead delivers the SUNSPINNER decoy mapping application, which attempts to install CRAXSRAT after requesting full device permissions. SUNSPINNER, deployed on both Windows and Android, functions as a visual decoy, claiming to display Ukrainian military locations based on data from a command-and-control (C2) server under UNC5812's control.
Beyond Windows and Android, UNC5812 is reportedly capable of targeting macOS and iPhone devices. However, Google notes that "only Windows and Android payloads were available at the time of analysis." In its influence efforts, UNC5812's Telegram channel solicits user-generated content to discredit Ukraine's military and mobilization processes, encouraging the submission of video evidence alleging unfair recruitment practices. Anti-mobilization messages are further amplified by cross-posting content from pro-Russian media sources, indicating a coordinated disinformation strategy. This influence operation aligns with broader Russian efforts to foster dissent within Ukrainian society by undermining the legitimacy of its recruitment efforts, a tactic that Google Threat Intelligence Group assesses reflects Russia's ongoing focus on "achieving cognitive effect via its cyber capabilities."