Google has warned of a new cyber attack, tracked as UNC5812, that affects Android and Windows users.
It was discovered in September 2024. Through a Telegram channel called “Civil Defence”, the hackers are spreading the malware under the guise of a mapping tool. Google’s Threat Analysis Group (TAG) states that the malicious code is being distributed to both Android and Windows devices via the Telegram messenger, a rival to WhatsApp, and via a similarly named website, Forbes reports.
The malware is tailored to each operating system and is disguised as a legitimate application. “UNC5812 is also active in advocacy campaigns,” explains a Google TAG spokesperson, with the goal of undermining support for Ukraine’s mobilisation efforts. The threat actors appear to be buying posts in established Ukrainian-language Telegram channels to spread their agenda.
The cyber attacks have been linked to APT29, a Russian state-backed group also known as ‘Midnight Blizzard’ or ‘Cozy Bear’. Amazon has taken steps to seize the domains used in the campaign.
The attack aims to lure users to a website where different types of malware for Android and Windows can be downloaded. Android users are exposed to a backdoor application called “craxstat”. Google TAG points out that the website also shows support for iOS and Mac OS, although these types of malware were not available at the time of analysis.
How you can stay safe
To protect against this threat, Google TAG urges Android users to use Google Play Protect, which is a security feature that scans and verifies apps.
The hackers behind the UNC5812 campaign urge users to install the app from a source outside Google Play and try to convince them to turn off Google Play Protect, which leaves the device unprotected.
You can also consider using antivirus software on your devices.
This article originally appeared on our sister publication PC för Alla and was translated and adapted from Swedish.