Wed Oct 30 2024

Russian espionage campaign to undermine recruitment in Ukraine uncovered thanks to Google TAG.

Messages against recruitment lure potential recruits into downloading malware disguised as a collaborative mapping application.

The Google Threat Analysis Group (TAG), working with Mandiant, has published details of what is assessed to be a Russian-origin espionage and influence campaign aimed at demoralizing Ukrainian soldiers and infecting their devices with malware. The operation, tracked as UNC5812, is fronted by a purported anti-conscription group called ‘Civil Defense,’ which offers applications and software that allegedly let potential recruits view the locations of Ukrainian armed forces recruiters in real time.

In reality, the applications on offer delivered malware rather than the promised mapping software. Google TAG and Mandiant, who observed the activity, track this decoy application as SUNSPINNER.

According to the report, the campaign's main objective was to drive users to a website controlled by UNC5812, where software was advertised for several operating systems. Installing any of these programs infected the user's device with one of several families of commodity malware. The Civil Defense site was set up in April 2024, although the Telegram account that directed a high volume of users to it was only created in September 2024.

It is understood that the group paid for sponsored posts in popular Telegram groups, one of which had 80,000 subscribers and published missile alerts. Users who followed the links to the website were offered downloads for different operating systems, which they expected to be mapping software with real-time updates. Instead, their devices were infected with the SUNSPINNER malware and information-stealing programs.

The site explained the applications' absence from the App Store by claiming that downloading from the website would “protect the anonymity and security” of users. It also included instructional videos on how to install the applications and how to disable Google Play Protect, the built-in scanning that would otherwise flag sideloaded malicious apps.

The Civil Defense Telegram channel also urged users to send in videos of “unjust acts by territorial recruitment centers,” which were used to reinforce the anti-conscription message and potentially attract more downloads of the recruiter-monitoring application.

The SUNSPINNER application presented a decoy graphical user interface: a mapping tool with supposedly crowdsourced location markers for Ukrainian recruiters. Investigation by Google TAG and Mandiant revealed, however, that all the markers had been added by a single user on a single day.

Reports indicate that the malware and influence campaign remains active, with the group's sponsored posts appearing in a Ukrainian news channel as recently as October 8.