Sandworm’s Infamous Chisel malware used in attacks on Ukrainian military tablets

Western intelligence and cybersecurity agencies released a joint technical analysis of a new malware used by the Russian military intelligence service in attacks targeting Ukrainian military personnel.

The campaign, which was publicly disclosed by Ukraine’s security services earlier this month, was attributed to Sandworm, a threat actor linked to military unit 74455, a cyberespionage unit of Russia's military intelligence service.

The threat actor attempted to infect Ukraine’s military network with nearly ten variants of custom malware ranging from Android remote access trojans and Mirai variants to backdoors designed to collect data from Ukraine's Starlink satellite connections.

The goal of the operation was to gather intelligence on the Ukrainian military's operations, technical provisions and movements. This was intended to be achieved by capturing tablets used by the Ukrainian military on the battlefield. Through these tablets the threat actor wanted to gain access to other connected devices and infect them with malware.

Dubbed Infamous Chisel, the malware enables persistent access to an infected Android device over the Tor network, and periodically exfiltrates victim information from compromised devices.

The malware also provides remote access by configuring and executing Tor with a hidden service that forwards to a modified Dropbear binary providing an SSH connection. It is also capable of network monitoring and traffic collection, SSH access, network scanning and SCP file transfer.

“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity,” the report noted. “The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”
