CyberSecurity SEE

Hackers target potential conscripts in Ukraine with MeduzaStealer malware

Hackers have been identified targeting the devices of Ukraine’s draft-aged men with malicious software known as MeduzaStealer, researchers have confirmed. MeduzaStealer, known for its ability to extract sensitive information such as login credentials, computer data, browsing history, and password manager content, was previously associated with threat actors linked to Russia. Last year, a threat actor identified as UAC-0050 used this malware to infiltrate targets in Ukraine and Poland.

A recent report from Ukraine’s computer emergency response team (CERT-UA) has revealed that unidentified hackers have deployed MeduzaStealer through a Telegram account posing as a technical support bot for users of the Reserve+ app, a new Ukrainian government application released earlier this year. The Reserve+ app allows Ukrainian men subject to military service to update their personal information online, eliminating the need for physical visits to enlistment offices. Due to the sensitive nature of the data collected by the app, it has become an appealing target for cybercriminals.

In the latest campaign examined by CERT-UA, hackers impersonated Reserve+ customer support representatives and instructed users to upload a ZIP archive supposedly containing guidelines for updating their personal information as required by military officials in Ukraine. Upon opening the deceptive file, the targeted devices were infected with MeduzaStealer, designed to extract specific document formats before erasing itself from the system.

Although CERT-UA’s report did not disclose the number of victims affected by this cyber attack or the potential motives behind the data theft, as of July, more than 4.5 million Ukrainians had used Reserve+ to manage their personal information. Furthermore, in a separate incident earlier in August, the Ukrainian Defense Ministry uncovered three counterfeit Reserve+ applications, likely created to gather personal data from Ukrainian conscripts for future malicious activities or psychological warfare tactics.

Past incidents have shown Russia-linked hackers exploiting popular mobile applications and messaging platforms like Signal and Telegram to target Ukraine’s military personnel. For example, in a previous case in September, hackers leveraged Signal to infect devices used by Ukrainian soldiers with malware concealed within files masquerading as military software. The objective of these attacks, as outlined by CERT-UA, was to acquire access credentials for specialized military systems and pinpoint the locations of the targeted soldiers.

The prevalence of cyber threats targeting individuals associated with Ukraine’s military and national security apparatus underscores the ongoing challenges posed by malicious actors seeking to exploit vulnerabilities within digital platforms. In response to these evolving threats, heightened vigilance and enhanced cybersecurity measures are imperative to safeguard sensitive data and protect against potential breaches in the future.
