# “Civil Defense” Launches Hybrid Espionage/Influence Initiative Aimed at Ukrainian Military Recruits
## Overview
Researchers at Google have revealed a complex operation backed by the Kremlin that targets individuals considering enlistment in the Ukrainian military. This initiative combines espionage efforts with influence strategies, disseminating malware through posts on Telegram and a website masquerading as a source of useful software for Ukrainian conscripts. The campaign, which Google tracks as UNC5812, primarily focuses on Windows and Android systems, installing information-exfiltrating malware while also pushing anti-recruitment narratives to weaken Ukraine’s military enlistment drives.
## The “Civil Defense” Persona
At the heart of this operation is a persona dubbed “Civil Defense,” which runs a Telegram channel (@civildefense_com_ua) alongside an associated website (civildefense[.]com.ua). These platforms purport to provide free applications that help users find Ukrainian military recruitment offices. However, rather than offering trustworthy tools, the applications install malware engineered to capture sensitive details from the user’s device.
The malware propagates through Telegram posts, shared within authentic Ukrainian-language channels, as well as on the “Civil Defense” website. The initiative’s dual goal is to extract information from prospective military recruits and disseminate disinformation aimed at undermining Ukraine’s conscription efforts.
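For defenders, the two indicators named above can be hunted in web proxy logs. The following is an added example, not code from Google's report: the log format, client addresses and timestamps are constructed, and `t.me`/`telegram.me` are assumed as the hosts serving Telegram channel links. It refangs the indicator and matches the apex domain and its subdomains without flagging look-alike hostnames.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the article gives them (defanged domain, Telegram handle).
DEFANGED_DOMAIN = "civildefense[.]com.ua"
TELEGRAM_HANDLE = "@civildefense_com_ua"
TELEGRAM_HOSTS = {"t.me", "telegram.me"}  # assumption: hosts used for channel links

def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    out = indicator.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)

def classify(url, domain=refang(DEFANGED_DOMAIN), handle=TELEGRAM_HANDLE):
    """Return 'site', 'telegram' or None for one requested URL."""
    u = refang(url)
    parts = urlsplit(u if "://" in u else "//" + u)
    host = (parts.hostname or "").rstrip(".").lower()
    # Match the apex or a true subdomain only; a plain substring test would
    # also flag look-alikes such as civildefense.com.ua.example.net.
    if host == domain or host.endswith("." + domain):
        return "site"
    if host in TELEGRAM_HOSTS:
        segments = [s for s in parts.path.split("/") if s]
        # t.me/<name> and t.me/s/<name> (web preview) both name the channel.
        if segments and segments[0] == "s":
            segments = segments[1:]
        if segments and segments[0].lower() == handle.lstrip("@").lower():
            return "telegram"
    return None

def scan(log_lines):
    """Return (client, verdict) pairs for 'timestamp client url' log lines."""
    hits = []
    for line in log_lines:
        _ts, client, url = line.split()
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict))
    return hits

# Constructed sample proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-10-01T09:14:02Z 10.0.4.17 https://civildefense.com.ua/",
    "2024-10-01T09:15:40Z 10.0.4.22 https://T.me/s/civildefense_com_ua",
    "2024-10-01T09:16:11Z 10.0.4.30 https://civildefense.com.ua.example.net/",
    "2024-10-01T09:17:55Z 10.0.4.31 http://WWW.CivilDefense.com.ua.:80/",
]

print(scan(SAMPLE_LOG))
```

The third sample line is the look-alike case: it contains the indicator as a substring but resolves to an unrelated registered domain, so it is not reported.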
## Espionage Campaign: Malware Targeting Windows and Android
### Windows Malware
For users on Windows, the malware is introduced via a specialized version of **Pronsis Loader**, a malicious software loader that incorporates **PureStealer**, a widely circulated information-stealing malware. PureStealer is available for purchase online at $150 monthly or $699 for a lifetime subscription, making it an accessible instrument for cybercriminals. Upon installation, PureStealer can siphon off sensitive information such as login credentials, browser history, and other personal data.
### Android Malware
The Android variant is based on **CraxsRat**, a backdoor that gives attackers comprehensive control over compromised devices. Users are deceived into downloading it as an app from the “Civil Defense” website. During installation, the app prompts users to disable **Google Play Protect**, a security feature that scans for malware on Android platforms. The app also requests extensive system permissions, which it deceptively claims are essential for “ensuring user safety.”
This Android malware poses a significant threat as it can access a variety of sensitive information, including text messages, call history, and geographical data. It also enables remote control of the device, allowing attackers to issue commands, install further malware, and extract data.
### Social Engineering Techniques
Both the Windows and Android versions of the malware rely heavily on social engineering to persuade users to install them. The “Civil Defense” website and Telegram channel present themselves as trustworthy resources for Ukrainian conscripts, offering seemingly beneficial tools that ultimately compromise the user’s device.
An FAQ section on the website attempts to rationalize why the Android app is absent from the Google Play Store, asserting that sideloading is necessary for security purposes. This is a typical maneuver employed by cybercriminals to circumvent the protective measures of official app stores.
## Influence Campaign: Undermining Ukrainian Military Recruitment
Beyond its espionage endeavors, the UNC5812 campaign actively participates in influence operations intended to disrupt Ukraine’s military recruitment. The “Civil Defense” Telegram channel prompts users to share videos showcasing “unjust actions from territorial recruitment centers,” which are subsequently used to foster anti-mobilization narratives.
The influence tactics aim to discredit the Ukrainian military and instill skepticism among potential recruits. Content shared on the “Civil Defense” website and Telegram channel is frequently derived from pro-Russian social media networks. In one notable instance, a video posted by UNC5812 was seen on the social media account of the Russian Embassy in South Africa merely a day later.
### Promoted Posts in Authentic Channels
To broaden its audience, UNC5812 is reportedly investing in promoted posts within authentic Ukrainian-language Telegram channels. For example, on September 18, 2024, a legitimate channel with over 80,000 subscribers focused on missile alerts endorsed the “Civil Defense” channel and website to its followers. This strategy enables the campaign to reach a vast audience of Ukrainian speakers, many of whom may be potential military recruits.
Researchers suspect that UNC5812 is utilizing sponsorship opportunities to connect with legitimate Telegram channels and promote its material. This approach helps the campaign to blend in with credible information sources, making it more challenging for users to discern the disinformation.
## Broader Context: Russian Cyber Operations
The UNC5812 operation represents just one of numerous cyber initiatives backing Russia’s invasion of Ukraine. In recent months, other Russian-affiliated threat groups have been active in targeting Ukrainian governmental bodies, businesses, and military personnel.
For instance, **APT29**, a group linked to Russia’s Foreign Intelligence Service (SVR), has engaged in phishing campaigns.