Five Eyes Report: New Russian Malware Targeting Ukrainian Military Android Devices

Five Eyes report details ‘Infamous Chisel’ malware used by Russian state-sponsored hackers to target the Ukrainian military’s Android devices. 


Five Eyes agencies have issued a joint report on the malware used recently by Russian state-sponsored hackers to target Android devices belonging to the Ukrainian military. 

The new malware, named Infamous Chisel, is actually a collection of components designed to provide persistent backdoor access to compromised Android devices over the Tor network, and enable the attackers to collect and exfiltrate data.

The campaign has been linked to the threat actor known as Sandworm, which was previously connected to Russia’s GRU foreign military intelligence agency.

According to the agencies, the Infamous Chisel malware is designed to periodically scan infected Android devices for information and files that could be of interest to the attackers. 

Targeted information includes device details, as well as data associated with commercial apps and applications used by the Ukrainian military. 

“The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks,” the report reads.

In addition, the malware scans the local network for information on active hosts, banners and open ports. Capabilities provided by Infamous Chisel also include SSH access to the device, SCP file transfer, and network monitoring and traffic collection. 


“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity,” the report explains. “Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”

The joint report was written by the UK’s National Cyber Security Centre (NCSC); the US’s National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI); New Zealand’s National Cyber Security Centre (NCSC-NZ); Canada’s Centre for Cyber Security; and the Australian Signals Directorate (ASD).

The report includes technical details on each Infamous Chisel component, MITRE ATT&CK information, and indicators of compromise (IoCs).

The report does not mention how the malware has been distributed. However, earlier this month, the Security Service of Ukraine (SBU) reported that Russian forces had captured Ukrainian tablets on the battlefield and attempted to use them to spread malware. They also tried to leverage the access provided by the tablets to breach military networks. 

The SBU said the attacks, which involved nearly 10 malware samples designed for stealing information, were linked to the Sandworm group. The agency said the attack attempts were blocked. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
