Russian Military Personnel Targeted by Sophisticated Romance Scam
A previously undocumented cyber espionage group, known as SiribClone, has been attempting to compromise the smartphones, computers, and Telegram accounts of Russian military personnel by posing as women seeking romantic relationships. According to researchers at Russian cybersecurity firm F6, the group has been active since at least the summer of 2025 and has primarily targeted members of the Russian armed forces stationed in border regions and combat zones.
Modus Operandi
The hackers impersonate women seeking romantic relationships or volunteers offering humanitarian assistance to initiate conversations with servicemen on Telegram and other messaging platforms. They then persuade their targets to download malicious applications or enter their Telegram credentials on spoofed websites. Victims are tricked into clicking malicious links under various pretexts, including claims of having developed a new application or proposing to exchange intimate photographs through a secure photo-sharing application.
In reality, the application installed is previously undocumented Android spyware, dubbed SafeLoveStealer, which steals photographs, videos, documents, location data, and other information from infected devices. The malware also lets the attackers remotely activate the target's microphone and record conversations. Additionally, the group operates phishing websites disguised as Telegram login pages, Telegram community invitations, medical test portals, and other online services, prompting victims to enter their phone number, the Telegram verification code, and their two-step verification password. Those three values are everything a Telegram login requires, so an operator who captures them can complete the login on a device of their own and hold a session that survives independently of the victim's.
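The lure chain above turns on links that look like Telegram login or invitation pages. As an added example, not tooling from F6 or from the report, the following Python heuristic triages URLs pulled from a chat: it allowlists hosts that actually belong to Telegram, then scores the rest on brand-imitating host names, punycode (homoglyph) hosts, and login-style paths. The allowlist, the token lists and every sample URL are constructed assumptions for the illustration.

```python
"""Triage chat links for Telegram-login lookalikes (added example, not F6 code)."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts that genuinely belong to Telegram (assumed list; maintain from your own policy).
LEGIT_HOSTS = {"telegram.org", "web.telegram.org", "core.telegram.org", "t.me", "telegram.me"}

# Strings a lookalike typically weaves into its host name (assumed heuristics).
BRAND_TOKENS = ("telegram", "telegrm", "tg-", "t-me")
# Path fragments that suggest a credential or verification-code prompt (assumed).
LOGIN_PATHS = ("login", "auth", "verify", "code", "signin")


def classify_link(url: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is legit, phishing, suspicious or unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    # Exact match or a real subdomain of a Telegram host is fine;
    # "telegram.org.example" does not end with ".telegram.org" and falls through.
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return "legit", ["host is a Telegram domain"]

    reasons: List[str] = []
    if "xn--" in host:
        reasons.append("punycode host (possible homoglyph of a brand name)")
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("host imitates the Telegram brand but is not a Telegram domain")
    if any(frag in path for frag in LOGIN_PATHS):
        reasons.append("path looks like a login or verification page")

    if len(reasons) >= 2:
        return "phishing", reasons
    if reasons:
        return "suspicious", reasons
    # No Telegram indicators at all: not cleared, just outside this heuristic's scope.
    return "unknown", ["no Telegram lookalike indicators"]


def triage(links: List[str]) -> dict:
    """Map each link to its verdict so an analyst can sort the suspicious ones first."""
    return {link: classify_link(link)[0] for link in links}


# Constructed sample links, not from the campaign.
SAMPLE_LINKS = [
    "https://web.telegram.org/a/",
    "https://t.me/joinchat/AbCdEf",
    "https://telegram-login.example-auth.net/auth/code",
    "http://xn--tlgram-abc.example/verify",
    "https://my-tg-photos.example/",
    "https://clinic.example/results/",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

The "unknown" verdict is deliberate: a phishing kit on an unrelated domain (the medical-test portal lure, for instance) carries no Telegram indicators, so a link that scores nothing here is unclassified, not safe.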
Malware and Tools
The group has deployed previously undocumented malware for desktop computers, known as SiribGrabber, whose primary purpose is to steal files from infected systems. In one campaign, detected between January and February of this year, the hackers sent victims ZIP archives disguised as military-related documents. After several months of apparent inactivity, the group resurfaced in May with new malware distributed through a website themed around Russia's Victory Day celebrations.
Researchers also discovered an internal management platform used by the hackers, dubbed Kontur, which stores stolen Telegram sessions and allows operators to review intercepted messages. Internal notes within the platform referenced military ranks, unit designations, locations, and operational status, suggesting that the campaign is primarily intended for military espionage.
Objectives and Attribution
According to F6, SiribClone's operations focus on two objectives: collecting technical, geographic, and personal data from infected devices and gaining persistent access to victims' Telegram accounts to intercept communications. The researchers did not attribute the campaign to any specific country or known threat actor, leaving the identity of the perpetrators unknown.
The practical defenses follow directly from the lure chain. The only places a Telegram login code and two-step verification password belong are the official Telegram client and web.telegram.org; a page reached through a chat link that asks for a phone number, then the code, then the cloud password in sequence is collecting a session, not verifying anything. Because a stolen session persists until it is ended, users should review the active sessions listed under Settings > Devices in the Telegram client and terminate any device they do not recognize.
On the device side, the spyware arrives as an application the target is asked to install from a link, which Android only permits after the user allows installation from unknown sources. A "secure photo-sharing" app that then requests microphone, location and storage access is asking for exactly the capabilities SafeLoveStealer uses. Refusing sideloaded apps sent by chat contacts closes that path entirely. For personnel in the border regions and combat zones F6 describes, the phone's contents and its messaging sessions are an intelligence target in their own right, and the Kontur notes on ranks, units and locations show how that access is put to use.
For Russian military personnel and anyone in a comparable position, the rule is simple: treat unsolicited contacts on messaging platforms with caution, do not install applications they send, and do not enter phone numbers, verification codes or passwords on sites reached from their links.
Source: The Record