{
	"id": "3afd9f87-49f3-4d6c-9760-9d4bc02e71ab",
	"created_at": "2026-04-06T01:29:36.019241Z",
	"updated_at": "2026-04-10T03:30:33.501623Z",
	"deleted_at": null,
	"sha1_hash": "1d04d54643b8c819f328c30663799e37ad589c83",
	"title": "Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4185120,
	"plain_text": "Hybrid Russian Espionage and Influence Campaign Aims to\r\nCompromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives\r\nBy Google Threat Intelligence Group\r\nPublished: 2024-10-28 · Archived: 2026-04-06 00:50:35 UTC\r\nIn September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and\r\nMandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering\r\nWindows and Android malware using a Telegram persona named \"Civil Defense\". \"Civil Defense\" claims to be a\r\nprovider of free software programs designed to enable potential conscripts to view and share crowdsourced\r\nlocations of Ukrainian military recruiters. If installed with Google Play Protect disabled, these programs deliver an\r\noperating system-specific commodity malware variant to the victim alongside a decoy mapping application we\r\ntrack as SUNSPINNER. In addition to using its Telegram channel and website for malware delivery, UNC5812 is\r\nalso actively engaged in influence activity, delivering narratives and soliciting content intended to undermine\r\nsupport for Ukraine's mobilization efforts.\r\nFigure 1: UNC5812’s \"Civil Defense\" persona\r\nTargeting Users on Telegram\r\nUNC5812’s malware delivery operations are conducted both via an actor-controlled Telegram channel\r\n@civildefense_com_ua and a website hosted at civildefense[.]com[.]ua. The associated website was registered\r\nin April 2024, but the Telegram channel was not created until early September 2024, which we judge to be when\r\nUNC5812’s campaign became fully operational. To drive potential victims towards these actor-controlled\r\nresources, we assess that UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels. 
\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives\r\nPage 1 of 9\n\nOn September 18th, 2024, a legitimate channel with over 80,000 subscribers dedicated to missile alerts was\r\nobserved promoting the \"Civil Defense\" Telegram channel and website to its subscribers.\r\nAn additional Ukrainian-language news channel was observed promoting Civil Defense’s posts as recently as October\r\n8th, indicating the campaign is probably still actively seeking new Ukrainian-language communities for\r\ntargeted engagement.\r\nChannels where \"Civil Defense\" posts have been promoted advertise the ability to reach out to their\r\nadministrations for sponsorship opportunities. We suspect this is the likely vector that UNC5812 is using to\r\napproach the respective legitimate channels to increase the operation’s reach.\r\nFigure 2: Civil Defense promoted in Ukrainian-language missile alert and news communities\r\nThe ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled \"Civil Defense\" website,\r\nwhich advertises several different software programs for different operating systems. When installed, these\r\nprograms result in the download of various commodity malware families.\r\nFor Windows users, the website delivers a downloader tracked publicly as Pronsis Loader, which is written in\r\nPHP and compiled into Java Virtual Machine (JVM) bytecode using the open-source JPHP project. When\r\nexecuted, Pronsis Loader initiates a convoluted malware delivery chain, ultimately delivering\r\nSUNSPINNER and a commodity information stealer commonly known as PURESTEALER.\r\nFor Android users, the malicious APK file attempts to install a variant of the commercially available\r\nAndroid backdoor CRAXSRAT. Different versions of this payload were observed, including a variant\r\ncontaining SUNSPINNER in addition to the CRAXSRAT payload. 
\r\nWhile the Civil Defense website also advertises support for macOS and iPhones, only Windows and\r\nAndroid payloads were available at the time of analysis.\r\nFigure 3: Download page, translated from Ukrainian\r\nNotably, the Civil Defense website also contains an unconventional form of social engineering designed to\r\npreempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions\r\nrequired for the CRAXSRAT installation.\r\nThe website’s FAQ contains a strained justification for the Android application being hosted outside the\r\nApp Store, suggesting it is an effort to \"protect the anonymity and security\" of its users, and directing them\r\nto a set of accompanying video instructions.\r\nThe Ukrainian-language video instructions then guide victims on how to disable Google Play Protect, the\r\nservice used to check applications for harmful functionality when they are installed on Android devices, as\r\nwell as to manually enable all permissions once the malware is successfully installed.\r\nFigure 4: Screenshots of video instructions to turn off Google Play Protect and manually enable CRAXSRAT\r\npermissions\r\nAnti-Mobilization Influence Operation\r\nIn parallel to its efforts to deliver malware and gain access to the devices of potential military recruits, UNC5812\r\nis also engaged in influence activity to undermine Ukraine's wider mobilization and military recruitment efforts.\r\nThe group's Telegram channel is actively used to solicit visitors and subscribers to upload videos of \"unfair actions\r\nfrom territorial recruitment centers,\" content that we judge likely to be intended for 
follow-on exposure to\r\nreinforce UNC5812's anti-mobilization narratives and discredit the Ukrainian military. Clicking on the \"Send\r\nMaterial\" (Ukrainian: Надіслати матеріал) button opens a chat thread with an attacker-controlled\r\nhttps://t[.]me/UAcivildefenseUA account.\r\nThe Civil Defense website is also interspersed with Ukrainian-language anti-mobilization imagery and\r\ncontent, including a dedicated news section to highlight purported cases of unjust mobilization practices.\r\nAnti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced\r\nfrom wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was\r\nshared a day later by the Russian Embassy in South Africa's X account.\r\nFigure 5: UNC5812's Telegram and a Russian government X account sharing the same video in close proximity,\r\nhighlighting their shared focus on anti-mobilization narratives\r\nMalware Analysis\r\nUNC5812 operates two unique malware delivery chains for Windows and Android devices that are delivered from\r\nthe group's website hosted at civildefense[.]com[.]ua. Common between these distinct delivery chains is the\r\nparallel delivery of a decoy mapping application tracked as SUNSPINNER, which displays to users a map that\r\nrenders purported locations of Ukrainian military recruiters from an actor-controlled command-and-control (C2)\r\nserver.\r\nSUNSPINNER\r\nSUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8) is a decoy graphical user interface (GUI)\r\napplication written using the Flutter framework and compiled for both Windows and Android environments. 
When\r\nexecuted, SUNSPINNER attempts to resolve a new \"backend server\" hostname from\r\nhttp://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json, followed by a request for map\r\nmarkers from https://fu-laravel.onrender[.]com/api/markers that are then rendered on the app's GUI.\r\nConsistent with the functionality advertised on the Civil Defense website, SUNSPINNER is capable of displaying\r\ncrowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their\r\nown markers. However, despite possessing the limited functionality required for users to register and add markers,\r\nthe displayed map does not appear to have any genuine user inputs. All markers present in the JSON file pulled\r\nfrom SUNSPINNER's C2 infrastructure were added on the same day by the same user.\r\nFigure 6: Decoy application for monitoring the locations of Ukrainian military recruitment staff\r\nWindows — Pronsis Loader to PURESTEALER\r\nThe Windows payload downloaded from the Civil Defense website, CivilDefense.exe (MD5:\r\n7ef871a86d076dac67c2036d1bb24c39), is a custom build of Pronsis Loader, a recently discovered commodity\r\nmalware being operated primarily by financially motivated threat actors.\r\nPronsis Loader is used to retrieve both the decoy SUNSPINNER binary and a second-stage downloader\r\n\"civildefensestarter.exe\" (MD5: d36d303d2954cb4309d34c613747ce58), initiating a multi-stage delivery chain\r\nusing a series of self-extracting archives, which ultimately executes PURESTEALER on the victim device. The\r\nsecond-stage downloader is written in PHP and is compiled into Java Virtual Machine (JVM) bytecode using the\r\nopen-source JPHP project and then built as a Windows executable file. This file is automatically executed by the\r\nCivilDefense installer. 
\r\nThe final payload is PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a heavily obfuscated\r\ncommodity infostealer written in .NET that is designed to steal browser data such as passwords and cookies,\r\ncryptocurrency wallets, and data from various other applications such as messaging and email clients.\r\nPURESTEALER is offered for sale by \"Pure Coder Team\" with prices ranging from $150 for a monthly\r\nsubscription to $699 for a lifetime license.\r\nAndroid — CraxsRAT\r\nThe Android Package (APK) file downloaded from the Civil Defense website, \"CivilDefensse.apk\" (MD5:\r\n31cdae71f21e1fad7581b5f305a9d185), is a variant of the commercially available Android backdoor CRAXSRAT.\r\nCRAXSRAT provides functionality typical of a standard Android backdoor, including file management, SMS\r\nmanagement, contact and credential harvesting, and a series of monitoring capabilities for location, audio, and\r\nkeystrokes. Similar to PURESTEALER, it's also available for sale on underground forums.\r\nThe Android sample being distributed at the time of analysis only displayed a splash screen with the \"Civil\r\nDefense\" logo. However, an additional identified sample (MD5: aab597cdc5bc02f6c9d0d36ddeb7e624) was\r\nfound to contain the same SUNSPINNER decoy application as in the Windows delivery chain. When opened, this\r\nversion requests the Android REQUEST_INSTALL_PACKAGES permission from the user, which, if granted,\r\ndownloads the CRAXSRAT payload from\r\nhttp://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk.\r\nFigure 7: Error message displayed if the user doesn’t grant the REQUEST_INSTALL_PACKAGES permission\r\nProtecting Our Users\r\nAs part of our efforts to combat serious threat actors, we use the results of our research to improve the safety and\r\nsecurity of Google’s products. 
Upon discovery, all identified websites, domains and files are added to Safe\r\nBrowsing to protect users from further exploitation.\r\nGoogle also continuously monitors for Android spyware, and we deploy and constantly update protections in\r\nGoogle Play Protect, which offers users protection in and outside of Google Play, checking devices for potentially\r\nharmful apps regardless of the install source. Notably, UNC5812's Civil Defense website specifically included\r\nsocial engineering content and detailed video instructions on how the targeted user should turn off Google Play\r\nProtect and manually enable Android permissions required by CRAXSRAT in order to function. Safe Browsing\r\nalso protects Chrome users on Android by showing them warnings before they visit dangerous sites. App scanning\r\ninfrastructure protects Google Play and powers Verify Apps to additionally protect users who install apps from\r\noutside Google Play.\r\nWe have also shared our findings with Ukraine's national authorities, who have taken action to disrupt the\r\ncampaign's reach by blocking resolution of the actor-controlled \"Civil Defense\" website nationally.\r\nSummary\r\nUNC5812's hybrid espionage and information operation against potential Ukrainian military recruits is part of a\r\nwider spike in operational interest from Russian threat actors following changes made to Ukraine's national\r\nmobilization laws in 2024. In particular, we have seen the targeting of potential military recruits rise in\r\nprominence following the launch of Ukraine's national digital military ID used to manage the details of those\r\nliable for military service and boost recruitment. 
Consistent with research from EUvsDisinfo, we also continue to\r\nobserve persistent efforts by pro-Russia influence actors to promote messaging undermining Ukraine's\r\nmobilization drive and sowing public distrust in the officials carrying it out.\r\nFrom a tradecraft perspective, UNC5812's campaign is highly characteristic of the emphasis Russia places on\r\nachieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps\r\ncontinue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine. We judge that as long\r\nas Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary\r\nvector for cyber-enabled activity for a range of Russian-linked espionage and influence activity.\r\nIndicators of Compromise\r\nFor a more comprehensive set of UNC5812 indicators of compromise, a Google Threat Intelligence Collection is\r\navailable for registered users.\r\nIndicators of Compromise Context\r\ncivildefense[.]com[.]ua UNC5812 landing page\r\nt[.]me/civildefense_com_ua UNC5812 Telegram channel\r\nt[.]me/UAcivildefenseUA UNC5812 Telegram account\r\ne98ee33466a270edc47fdd9faf67d82e SUNSPINNER decoy\r\nh315225216.nichost[.]ru Resolver used in SUNSPINNER decoy\r\nfu-laravel.onrender[.]com Hostname used in SUNSPINNER decoy\r\n206.71.149[.]194 C2 used to resolve distribution URLs\r\n185.169.107[.]44 Open directory used for malware distribution\r\nd36d303d2954cb4309d34c613747ce58 Pronsis Loader dropper\r\nb3cf993d918c2c61c7138b4b8a98b6bf PURESTEALER\r\n31cdae71f21e1fad7581b5f305a9d185 CRAXSRAT\r\naab597cdc5bc02f6c9d0d36ddeb7e624 CRAXSRAT w/ SUNSPINNER decoy\r\nPosted in\r\nThreat Intelligence\r\nSource: 
https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives"
	],
	"report_names": [
		"russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438976,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d04d54643b8c819f328c30663799e37ad589c83.pdf",
		"text": "https://archive.orkl.eu/1d04d54643b8c819f328c30663799e37ad589c83.txt",
		"img": "https://archive.orkl.eu/1d04d54643b8c819f328c30663799e37ad589c83.jpg"
	}
}