Association-anemone

Google Warns of New Android and Windows Cyber Attack — 1 Thing Stops It
asane

Security researchers from Google’s Threat Analysis Group (TAG), together with threat intelligence specialists from Mandiant, have confirmed that a suspected Russian combined espionage and influence campaign has been targeting Android and Windows users. Here’s what we know so far.

What we know about the UNC5812 cyber attack

The UNC5812 campaign was discovered by Google TAG and Mandiant in September 2024 and appears to be a hybrid espionage and influence operation run by Russian threat actors. Using a Telegram persona identified as “Civil Defense,” threat intelligence analysts said, the campaign distributed malware to both Android and Windows users under the guise of a free software provider. The supposed free software is aimed squarely at people looking to locate potential military recruiters in Ukraine. Distribution runs through both the malicious Civil Defense Telegram channel and a similarly named website whose domain was registered in early April.

The malware itself is operating-system specific and is delivered alongside what appears to be a decoy application posing as a mapping tool for the aforementioned recruitment sites. “UNC5812 is also actively engaged in influence activity,” a Google TAG spokesperson said, “providing narratives and soliciting content intended to undermine support for Ukraine’s mobilization efforts.” UNC5812 threat actors are believed to be buying promoted posts on legitimate, already established Ukrainian-language Telegram channels to further expand their influence operation. According to the threat intelligence, the operation also appears to be ongoing: a Ukrainian-language news channel promoting the posts was seen as recently as October 8. “The campaign is likely still actively seeking new Ukrainian-language communities for targeted engagement,” Google TAG researchers said.

The purpose of the Russian espionage cyber attack

The aim of the Telegram-based campaign is to convince victims to navigate to the website, where a variety of malware can be downloaded for both the Android and Windows operating systems. Android users in particular are targeted with a commercially available backdoor known as CraxsRAT. Google TAG analysts said the site itself also advertises iOS and macOS malware, but none of those payloads were available at the time of analysis.

So how do you keep yourself from getting caught up in this latest threat campaign, assuming you have been targeted and made it all the way to the malware distribution stage? Be sure to use Google Play Protect, Google TAG researchers said. UNC5812 actors have gone to some lengths to convince Android users to install the app outside of the app store and its protections, including justifications for an extensive list of required user permissions, ironically framed mostly as protecting the user’s security and anonymity.

“UNC5812’s Civil Defense website specifically included social engineering content and detailed video instructions on how the targeted user should disable Google Play Protect,” Google TAG said. “Safe Browsing also protects Chrome users on Android, showing them warnings before visiting dangerous sites.” Google’s app scanning infrastructure protects Google Play and powers Verify Apps, which further protects users who might be caught up in a cyberattack like this through apps installed outside of Google Play.