Russia Kneecaps Ukraine Army Recruitment With Spoofed Civil Defense App

Published: 23/11/2024   Category: security




Posing as an application used to locate Ukrainian military recruiters, a Kremlin-backed hacking initiative delivers malware, along with disinformation designed to undermine sign-ups for soldiers in the war against Russia.



Ukrainian efforts to recruit new soldiers to serve in its military in the country's war against Russia are under a two-pronged cyberattack by Kremlin-backed threat actors.
Researchers at Google's Threat Intelligence Group (TAG) and Mandiant have tracked down an active campaign that uses a spoofed version of the legitimate Ukrainian-language tool Civil Defense, a crowdsourced mapping tool used to locate military recruiters. Attackers are using the fake version to perform dual malicious actions: dropping malware and delivering misinformation.
The hybrid op, which researchers named UNC5812, uses a Telegram channel to lure prospective recruits to download the malicious version of Civil Defense from a spoofed site, outside of the confines of Google Play. Once downloaded, the application drops Windows and Android malware.
Windows users who make their way to the fake Civil Defense site to download the tool will be delivered the Pronsis Loader, which then starts a chain to deliver a malicious mapping application called Sunspinner, as well as an infostealer called Purestealer.
Android users, on the other hand, get a commodity backdoor called Craxsrat, in addition to Sunspinner.
"Notably, the Civil Defense website also contains an unconventional form of social engineering designed to preempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions required for the Craxsrat installation," the report noted. "The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to protect the anonymity and security of its users, and directing them to a set of accompanying video instructions."
The video also provides instructions on how to disable Google Play Protect.
While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis, the report said.
Sunspinner, a decoy graphical user interface (GUI) application written using the Flutter framework, offers functionality aimed to convince victims that the application is legitimate.
"Consistent with the functionality advertised on the [legitimate] Civil Defense website, Sunspinner is capable of displaying crowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their own markers," according to the Google TAG analysis. But the fake map offers only fake locations: "However, despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present [were pulled from the attackers' C2 and] were added on the same day by the same user."
In tandem with the espionage effort, the other goal of the Russian fake Civil Defense campaign is to deliver disinformation aimed at suppressing Ukraine's military mobilization effort for the war. The malicious versions of Civil Defense's site and Telegram channel have pushed out videos with incendiary, anti-Ukrainian-military titles like "Unfair Actions From Territorial Recruitment Centers," the TAG/Mandiant report added.
Users who click on the button provided by the Russian hacker-operated site to "Send Material," ostensibly to discredit recruitment efforts, are automatically fed an attacker-controlled chat thread, the report said. "Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was shared a day later by the Russian Embassy in South Africa's X account."
Russia has consistently used cyberattacks as part of its war strategy against Ukraine, as well as against other governments, including a recent distributed denial-of-service (DDoS) cyberattack campaign against shipping ports in Japan. Russian hackers have also been working feverishly to distribute disinformation ahead of the US 2024 election. The threat group currently understood to be most actively, and directly, supporting Russian military activities in Ukraine is Sandworm, but, as this newly uncovered Civil Defense campaign highlights, that's just one of many hacker groups doing the Kremlin's dirty work in cyberspace.
