Hackers target Ukraine’s potential conscripts with MeduzaStealer malware

Hackers have targeted the devices of Ukraine’s draft-aged men with MeduzaStealer malware spread through Telegram, researchers have found.

MeduzaStealer was previously used by Russia-linked threat actors to obtain login credentials, computer information, browsing history and data from password managers. Last year, a threat actor known as UAC-0050 deployed the malware against targets in Ukraine and Poland.

According to a new report from Ukraine’s computer emergency response team (CERT-UA), the unidentified hackers recently distributed MeduzaStealer through a Telegram account disguised as a technical support bot for users of the new Ukrainian government app called Reserve+.

Launched earlier this year, the app allows Ukrainian men liable for military service to update their personal data online instead of going to local enlistment offices. Given the sensitivity of the data the app collects, it has become an attractive target for hackers.

In the campaign analyzed by CERT-UA, the hackers posed as Reserve+ customer support and asked users to upload a ZIP archive containing alleged instructions on how to correctly update the personal data required by Ukraine’s military officials.

Once opened, the malicious file infected targeted devices with MeduzaStealer, which is designed to pilfer documents with certain file extensions and then delete itself.
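The lure described above is an archive whose "instructions" are actually an executable. As an added illustration of the kind of check a defender can run on such attachments before opening them (this is example code, not CERT-UA's analysis and not anything from the campaign itself), the following script inspects a ZIP archive for entries whose bytes start with an executable header despite a document-like name, or that use a document-then-executable double extension. The extension lists and the sample archive are constructed for this example, not taken from the report.

```python
import io
import zipfile

# Extensions a lure would use to look like a harmless document
# (assumed list for this example, not from the CERT-UA report).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".rtf", ".odt"}
# Extensions Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi", ".dll"}
# Leading bytes of Windows PE images ("MZ" DOS stub) and ELF binaries.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def _extensions(name):
    """Return every dotted suffix of a filename, lowercased.

    'instructions.pdf.exe' -> ['.pdf', '.exe']
    """
    base = name.rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]]


def scan_archive(data):
    """Inspect raw ZIP bytes and return a list of (entry_name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            # Only the first few bytes are needed to recognise a binary header.
            with zf.open(info) as fh:
                head = fh.read(4)
            if last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable extension"))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "document-looking double extension"))
            if head.startswith(EXECUTABLE_MAGIC) and last in DOCUMENT_EXTENSIONS | {""}:
                findings.append((info.filename, "executable header under non-executable name"))
    return findings


def build_sample_archive():
    """Constructed sample lure: one benign note plus two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Update your data in the app.\n")
        # Double extension: looks like a PDF in a file manager that hides extensions.
        zf.writestr("instructions.pdf.exe", b"MZ" + b"\x00" * 62)
        # Plain .pdf name but the content begins with a PE header.
        zf.writestr("instructions.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_archive(build_sample_archive()):
        print(f"{entry}: {reason}")
```

The header check matters more than the extension check: renaming a binary to `.pdf` defeats extension-based filtering, but the file still has to start with a loader-recognised header to run, so that is the signal worth alerting on.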

CERT-UA’s report did not mention how many Ukrainians have fallen victim to the attack or how the hackers might use the data they obtain. As of July, over 4.5 million Ukrainians used Reserve+ to update their personal data.

Earlier in August, the Ukrainian Defense Ministry reported the discovery of three fake Reserve+ apps, likely designed to collect the personal data of Ukrainian conscripts and later use it for new attacks or information and psychological operations.

Russia-linked hackers have previously abused popular mobile apps and messengers, including Signal and Telegram, to target Ukraine’s military personnel.

In September, for example, the hackers used Signal to infect devices used by Ukrainian soldiers with malware delivered through files disguised as military software. According to CERT-UA, the goal of those attacks was to steal credentials for special military systems and identify the soldiers’ locations.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
