Trojanized Alpine Quest app geolocates Russian soldiers

Russian soldiers are currently facing a new digital threat, as an Android application has been modified to track their locations and extract sensitive information from their devices. The app in question, Alpine Quest, is a legitimate topographic mapping tool favored by outdoor enthusiasts and, notably, military personnel operating in combat zones. However, a tampered version of this app, embedded with spyware known as Android.Spy.1292.origin, has been circulated by unidentified sources, seemingly aimed at compromising the devices of Russian troops.

According to Russian cybersecurity firm Dr Web, the malware was cleverly integrated into an older version of Alpine Quest and distributed under the guise of a free upgrade to Alpine Quest Pro, which offers enhanced features. “Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro,” Dr Web reported this week.

To facilitate the spread of the infected application, the perpetrators established a fraudulent Telegram channel that impersonated the app’s legitimate developer. This channel provided links for downloading the app from Russian app catalogs, and the same trojanized version was later pushed through the channel as an ‘update’.

Once installed, the trojan connects silently to a remote command-and-control server, awaiting instructions while transmitting sensitive data back to its operators. The malware is capable of collecting various types of information, including:

  • Current date and geolocation
  • Downloaded files
  • Mobile phone numbers and accounts
  • Address lists
  • The device’s app version

This is merely the beginning; the malware can also be directed to download and execute additional modules designed to exfiltrate specific files, particularly documents shared via Telegram or WhatsApp, as well as the locLog GPS track files that Alpine Quest itself generates. While the source of this operation remains unverified, the nature of the data collection suggests a possible connection to state-sponsored surveillance, potentially linked to Ukrainian interests.

A fake software update hides a nasty surprise

Alpine Quest is not the only digital dilemma facing Russia. Researchers at Kaspersky have uncovered another alarming threat: a sophisticated backdoor concealed within a counterfeit software update. This malware was found embedded in LZH archives that mimic legitimate ViPNet update packages for Windows systems. ViPNet is a trusted secure networking suite widely utilized across various sectors in Russia, including government and finance.

Inside these deceptive archives lies a rogue executable named msinfo32.exe, cleverly borrowing the name from a legitimate Windows system tool to avoid raising suspicion. Kaspersky explained that this program decrypts and unpacks a hidden payload within the archive.

“The msinfo32.exe file is a loader that reads the encrypted payload file. The loader processes the contents of the file to load the backdoor into memory,” Kaspersky stated.

This backdoor is notably versatile, capable of connecting to a command-and-control server via TCP, enabling attackers to steal files from infected computers and deploy additional malicious components. Importantly, Kaspersky clarified that this incident was not a failure on ViPNet’s part; rather, the malware was smuggled in through spoofed update archives, not through any official release.

Meanwhile, the digital war continues

On the other side of the conflict, Russian operatives have been targeting Ukrainian officials and their allies through a persistent phishing campaign aimed at hijacking Microsoft 365 accounts. Victims are approached via Signal or WhatsApp by individuals posing as diplomats from the EU, Romania, Bulgaria, or Poland, luring them with invitations to discuss the ongoing war.

Once the target expresses interest, the attackers employ social engineering tactics and exploit Microsoft’s OAuth 2 authentication workflow—similar to earlier incidents involving device authentication codes—to gain control of the victim’s M365 account. Volexity summarized the attack process as follows:

  1. The attacker contacts the victim via a messaging application (Signal, WhatsApp) and invites them to a video call regarding the conflict in Ukraine.
  2. After the victim responds, the attacker sends an OAuth phishing URL, claiming it is necessary to join the video call.
  3. The victim is then asked to return the Microsoft-generated OAuth code to the attacker.
  4. If the victim complies, the attacker can generate an access token, granting them access to the victim’s M365 account.

Volexity noted that one campaign even leveraged a compromised Ukrainian government account to enhance the credibility of the ruse. “Like other OAuth phishing techniques, the one used in this campaign involved direct interaction with the victim to have them click a link and supply a code back to the attacker,” the team explained. “This code is then sought by the attacker and used to obtain illicit access to M365 resources.”
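The authorization-code exchange described in the four steps above, modelled in Python as an added example (not Volexity's or Microsoft's code; the toy server, the client id, the IP addresses and the one-minute code lifetime are all constructed assumptions): the code is a bearer secret that whoever initiated the request can redeem, so the server side can only narrow the window (single use, short lifetime), restrict which client applications may obtain tokens at all, and flag a redemption that does not come from the network where the user signed in.

```python
import secrets

CODE_TTL_SECONDS = 60   # assumed lifetime of an unredeemed authorization code


class AuthServer:
    """Toy OAuth 2 authorization server (a model, not Microsoft's implementation)."""

    def __init__(self, allowed_clients):
        self.allowed_clients = set(allowed_clients)  # policy: client apps permitted to obtain tokens
        self.codes = {}      # code -> (client_id, user, issued_at, sign_in_ip)
        self.alerts = []     # what a defender would want surfaced

    def sign_in(self, user, client_id, user_ip, now):
        """The user authenticates and is handed a one-time authorization code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, now, user_ip)
        return code

    def redeem(self, code, client_id, redeemer_ip, now):
        """Exchange a code for an access token; returns None when the exchange is refused."""
        entry = self.codes.pop(code, None)   # single use: any second redemption fails
        if entry is None:
            return None
        issued_client, user, issued_at, user_ip = entry
        if now - issued_at > CODE_TTL_SECONDS or issued_client != client_id:
            return None
        if client_id not in self.allowed_clients:
            self.alerts.append(f"refused: client {client_id} is not permitted for {user}")
            return None
        if redeemer_ip != user_ip:
            # The code was issued to the user but redeemed from elsewhere: the hallmark of a
            # victim relaying the code to a third party, worth alerting on even though the
            # exchange is perfectly valid under the protocol.
            self.alerts.append(f"token for {user} redeemed from {redeemer_ip}, sign-in came from {user_ip}")
        return {"user": user, "client": client_id, "token": secrets.token_hex(8)}


def simulate_relayed_code(allowed_clients, delay=5):
    """Constructed scenario: the user signs in from one network, the code is redeemed from another."""
    srv = AuthServer(allowed_clients)
    code = srv.sign_in("user@example.com", "client-app-123", "198.51.100.7", now=1000)
    token = srv.redeem(code, "client-app-123", "203.0.113.9", now=1000 + delay)
    replay = srv.redeem(code, "client-app-123", "203.0.113.9", now=1000 + delay + 1)
    return token is not None, replay is None, srv.alerts


if __name__ == "__main__":
    print(simulate_relayed_code({"client-app-123"}))   # valid exchange, but an alert is raised
    print(simulate_relayed_code(set()))                # policy refuses the client entirely
```

Note that PKCE does not close this gap: in the campaign described, the attacker builds the authorization URL and therefore holds the PKCE verifier, so the binding it provides is between the code and the attacker's own request.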
