Skip to content

Fake Russian DDoS app is infecting pro-Ukraine activists

  • by
  • 3 min read

Turla, a Russian APT group has been spotted deploying their first Android malware disguised as a DDoS tool against Russia. The malicious app is hosted on, a domain impersonating the Ukrainian Azov regiment and was spotted by Google’s Threat Analysis Group (TAG).

The Android app, claiming to attack Russian internet infrastructure, is still available at the aforementioned domain as an APK download. The app just sends one GET request to the target website, not nearly enough to damage a site’s internet infrastructure.

Fake Russian DDoS app is infecting pro-Ukraine activists
The website of the fake Cyber Azov app.

TAG analysts believe that Turla operators used the StopWar app, developed by pro-Ukrainian developers, as inspiration when creating this fake version. This is the first known instance of Turla distributing Android malware, although TAG believes there was no major impact on Android users and the app’s total downloads are rather minuscule. 

In the News: New Google Wallet is here to replace Google Pay

Financially motivated threat actors moving against Ukraine

TAG also noted that it has seen an increasing number of financially motivated actors targeting the war-torn country. The Follina vulnerability, first disclosed in May, is also being actively exploited by both APT and cybercrime groups throughout June following a patch released by Microsoft. 

The researchers also observed multiple Russian GRU actors, APT28 and Sandworm, running campaigns that exploit the Follina vulnerability that uses compromised government accounts to send links to malicious Office documents hosted on compromised domains targeting media organisations in Ukraine, 

Fake Russian DDoS app is infecting pro-Ukraine activists
An example of the ‘Browser in the browser’ exploit used by Ghostwriter. | Source: TAG

Another campaign from a threat group tracked by CERT-UA as UAC-0098 sent malicious documents laced with the Follina exploit in password-protecting archives impersonating the State Tax Service of Ukraine. Ghostwriter (also known as UNC1151), a Belarusian threat actor, has been actively targeting Polish webmail and social media networks using the ‘Browser in the Browser’ phishing method first noted by TAG in March. 

Another Russian threat actor, Coldriver, known to have leaked sensitive information from a compromised account in a case unrelated to Ukraine, has been sending credential phishing emails to targets, including government and defence officials, politicians, NGOs and think tanks, and journalists. Coldriver is also targeting users by sending them links to PDFs or documents hosted on Google Drive and Microsoft OneDrive containing links to an attacker-controlled phishing domain. 

In the News: You can now place orders and track them on Instagram DMs

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: