Google has warned of a new cyberattack, known as UNC5812, affecting Android and Windows users.
It was discovered in September 2024. Through a Telegram channel called “Civil Defense”, hackers spread the malware under the guise of a mapping tool. Google’s Threat Analysis Group (TAG) says the malicious code is distributed to Android and Windows devices through Telegram Messenger, a WhatsApp rival, and a website of the same name, Forbes reports.
Separate malware is distributed for each operating system, masked as a legitimate application. “UNC5812 is also active in advocacy campaigns,” says a Google TAG spokesperson, aiming to undermine support for Ukraine’s mobilization efforts. It appears that the threat actors are purchasing posts from established Ukrainian-language Telegram channels to spread their agenda.
The cyberattacks have been linked to APT29, a Russian state-backed group also known as “Midnight Blizzard” or “Cozy Bear.” Amazon has taken steps to seize the domains used in the campaign.
The attack aims to lure users to a website where different types of malware for Android and Windows can be downloaded. Android users are exposed to a backdoor app called “craxstat”. Google TAG points out that the website also claims to support iOS and macOS, although malware for those platforms was not available at the time of analysis.
How to stay safe
To protect against this threat, Google TAG urges Android users to use Google Play Protect, a security feature that scans and verifies apps.
The hackers behind the UNC5812 campaign trick users into installing the app from an external source and try to convince them to disable Google Play Protect, leaving the device vulnerable.
You may also consider using antivirus software on your devices.
This article was originally published in our sister publication PC för Alla and has been translated and adapted from Swedish.