Sandworm’s Infamous Chisel malware used in attacks on Ukrainian military tablets

Western intelligence and cybersecurity agencies released a joint technical analysis of a new malware used by the Russian military intelligence service in attacks targeting Ukrainian military personnel.

The campaign, which was publicly disclosed by Ukraine’s security services earlier this month, was attributed to Sandworm, a threat actor linked to military unit 74455, a cyberespionage unit of Russia's military intelligence service.

The threat actor attempted to infect Ukraine’s military network with nearly ten variants of custom malware ranging from Android remote access trojans and Mirai variants to backdoors designed to collect data from Ukraine's Starlink satellite connections.

The goal of the operation was to gather intelligence on the Ukrainian military's operations, technical provisions and movements. This was intended to be achieved by capturing tablets used by the Ukrainian military on the battlefield. Through these tablets the threat actor wanted to gain access to other connected devices and infect them with malware.

Dubbed Infamous Chisel, the malware enables persistent access to an infected Android device over the Tor network, and periodically exfiltrates victim information from compromised devices.

The malware also provides remote access by configuring and executing Tor with a hidden service that forwards to a modified Dropbear binary providing an SSH connection. It is also capable of network monitoring and traffic collection, SSH access, network scanning and SCP file transfer.
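As an added example (not code from the advisory or from the malware itself), a small Python detection helper that parses a Tor configuration for hidden services forwarding to SSH-style ports, the remote-access mechanism described above; the sample torrc, its file paths and the flagged port set are constructed assumptions, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# torrc hidden-service syntax: "HiddenServiceDir <dir>" and
# "HiddenServicePort <virtport> [<target>]", target = port | host:port | unix:/path
HS_DIR = re.compile(r"^\s*HiddenServiceDir\s+(\S+)", re.I)
HS_PORT = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", re.I)
SHELL_PORTS = {22, 2222}  # assumption: SSH-style ports worth flagging; tune per fleet

@dataclass
class HiddenService:
    directory: str
    virtport: int
    target: str              # host:port, bare port, or unix:/path as written
    target_port: Optional[int]

def parse_hidden_services(torrc_text: str) -> List[HiddenService]:
    """Return each HiddenServicePort mapping under its preceding HiddenServiceDir."""
    services, current_dir = [], "<none>"
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0]                 # drop trailing comments
        if m := HS_DIR.match(line):
            current_dir = m.group(1)
        elif m := HS_PORT.match(line):
            virtport = int(m.group(1))
            target = m.group(2) or str(virtport)    # omitted target means 127.0.0.1:virtport
            port = None                              # unix sockets have no TCP port
            if not target.startswith("unix:"):
                port = int(target.rsplit(":", 1)[-1])
            services.append(HiddenService(current_dir, virtport, target, port))
    return services

def flag_ssh_forwarders(torrc_text: str) -> List[HiddenService]:
    """Hidden services whose onion-side or local-side port looks like an SSH listener."""
    return [s for s in parse_hidden_services(torrc_text)
            if s.virtport in SHELL_PORTS or s.target_port in SHELL_PORTS]

# Constructed sample torrc; paths and ports are illustrative, not real indicators.
SAMPLE_TORRC = """\
HiddenServiceDir /data/local/tmp/hs_web
HiddenServicePort 80 127.0.0.1:8080        # ordinary web service
HiddenServiceDir /data/local/tmp/hs_shell
HiddenServicePort 22 127.0.0.1:2222        # onion :22 forwarded to a local SSH daemon
"""

if __name__ == "__main__":
    for svc in flag_ssh_forwarders(SAMPLE_TORRC):
        print(f"[!] {svc.directory}: onion:{svc.virtport} -> {svc.target}")
```

On a device, the same check would be run over any torrc-like file found alongside an unexpected tor or dropbear binary, and a hit is a lead for forensic triage rather than proof of compromise.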

“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity,” the report noted. “The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”
