New Cyber Espionage Group 'SiribClone' Targets Russian Military with Romance Scams and Custom Malware
A previously unknown cyber espionage group, dubbed **SiribClone**, is actively targeting Russian military personnel with sophisticated social engineering tactics. Posing as romantic interests or humanitarian volunteers, the group aims to compromise smartphones, computers, and **Telegram** accounts to gather critical battlefield intelligence.
A previously undocumented cyber espionage group has been attempting to compromise the smartphones, computers, and **Telegram** accounts of Russian military personnel. The attackers pose as women seeking romantic relationships or volunteers offering humanitarian assistance.
Dubbed **SiribClone** by Russian cybersecurity firm **F6**, the group has been active since at least late 2023. Its primary targets are members of the Russian armed forces stationed in border regions and combat zones.
The campaign appears aimed at gathering battlefield intelligence. Researchers report that **SiribClone** steals files, monitors communications, and collects sensitive military information from Russian troops deployed near the front line.
### The Lure of Romance and Aid
The hackers initiate conversations with servicemen on **Telegram** and other messaging platforms. They then persuade victims to download malicious applications or enter their **Telegram** credentials on spoofed websites.
Victims are tricked into clicking malicious links under various pretexts. Attackers sometimes claim to have developed a new application and ask users to test it. In other instances, they propose exchanging intimate photographs through what appears to be a secure photo-sharing application.
### Unveiling **SafeLoveStealer** and **SiribGrabber**
Rather than the promised application, the download installs previously undocumented Android spyware that researchers named **SafeLoveStealer**. The malware exfiltrates photographs, videos, documents, location data, and other information from infected devices, and it lets the operators remotely switch on the target's microphone to record conversations.
**SiribClone** also operates phishing websites disguised as **Telegram** login pages, community invitations, medical test portals, and other online services. Victims are prompted to enter their phone number, the one-time **Telegram** login code, and their two-factor authentication password. Because both the code and the password are typed into an attacker-controlled page, they can be relayed in real time, so this form of two-factor authentication does not prevent the takeover: with all three values the attackers can register their own session, take control of the account, and monitor communications. The practical check for an account holder is to review the active sessions listed in **Telegram**'s settings and terminate any device they do not recognise.
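A first-line check for the spoofed login pages described above, as an added example that is not part of the F6 research: a URL classifier that understands the usual impersonation tricks (brand name in the userinfo part before `@`, brand name as a subdomain of an attacker-owned domain, typosquats, Cyrillic homoglyphs behind punycode). The allowlist, the keyword list, the edit-distance threshold and the sample URLs are all assumptions; none of the sample hosts is attributed to SiribClone.

```python
"""Spot URLs that impersonate Telegram's login flow.

Added example, not taken from the F6 report: the allowlist, the brand keywords and the
scoring rules are assumptions for illustration, and the sample URLs are constructed.
"""
from urllib.parse import urlsplit

# Domains a real Telegram login flow may land on (illustrative allowlist; maintain your own).
ALLOWED_DOMAINS = ("telegram.org", "t.me")
# Strings attackers put in domains they control to look official (assumed list).
BRAND_KEYWORDS = ("telegram", "tlgrm")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats such as te1egram.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str) -> dict:
    """Return {'host', 'legit', 'reasons'} for one URL; 'reasons' is empty only for allowlisted hosts."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return {"host": host, "legit": False, "reasons": ["no hostname"]}

    # Exact allowlisted domain, or a genuine subdomain of it such as web.telegram.org.
    # Note the leading dot: telegram.org.evil.example does NOT end with ".telegram.org".
    if any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return {"host": host, "legit": True, "reasons": []}

    reasons = []
    # https://telegram.org@evil.example/ : the brand sits in the userinfo, the host is evil.example.
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")

    # Internationalised names: decode punycode so Cyrillic lookalike letters become visible.
    try:
        unicode_host = host.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_host = host  # already Unicode, or not valid IDNA; inspect it as-is
    if any(ord(c) > 127 for c in unicode_host):
        reasons.append(f"non-ASCII characters in host ({unicode_host})")

    for candidate in {host, unicode_host}:
        if any(k in candidate for k in BRAND_KEYWORDS):
            reasons.append("brand keyword in a domain Telegram does not own")
            break

    # Compare only the registrable part (last two labels) against each allowlisted name,
    # skipping very short names like t.me where distance 1 matches almost anything.
    registrable = ".".join(unicode_host.split(".")[-2:])
    for d in ALLOWED_DOMAINS:
        dist = levenshtein(registrable, d)
        if len(d) >= 8 and dist <= 2:
            reasons.append(f"typosquat of {d} (edit distance {dist})")

    if not reasons:
        reasons.append("not an allowlisted Telegram host")
    return {"host": host, "legit": False, "reasons": reasons}


# Constructed sample URLs in the shape of the lures described above (not real SiribClone infrastructure).
SAMPLE_URLS = [
    "https://web.telegram.org/k/",
    "https://t.me/joinchat/example",
    "https://telegram.org@login-check.example/auth",
    "https://te1egram.org/login",
    "http://telegram.org.verify-account.example/",
    "https://" + "telegr\u0430m.org".encode("idna").decode("ascii") + "/",  # Cyrillic 'а' in place of 'a'
]


def suspicious_urls(urls=SAMPLE_URLS) -> list:
    """Return the (url, reasons) pairs that should be blocked or investigated."""
    return [(u, analyze_url(u)["reasons"]) for u in urls if not analyze_url(u)["legit"]]


if __name__ == "__main__":
    for url, reasons in suspicious_urls():
        print(url, "->", "; ".join(reasons))
```

The allowlist test uses a leading dot deliberately: `host.endswith("." + d)` accepts `web.telegram.org` but rejects `telegram.org.verify-account.example`, which is the subdomain trick these lures rely on. Run it over the URLs extracted from messages or proxy logs and route anything with a non-empty `reasons` list to a blocklist or an analyst.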
For desktop computers, the group deploys another previously undocumented malware, dubbed **SiribGrabber**. Its primary purpose is to steal files from infected systems. In a campaign detected between January and February of this year, hackers sent victims ZIP archives disguised as military-related documents. After several months of apparent inactivity, the group resurfaced in May with new malware distributed via a website themed around Russia's Victory Day celebrations.
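A triage step for ZIP lures of the kind described above, as an added example that is not part of the F6 research and not derived from **SiribGrabber** itself: a script that inspects each archive member for the common disguises (double extensions, a right-to-left override character in the name, nested archives, a PE body under a document name, traversal paths) before the file reaches anyone's desktop. The sample archive is constructed in memory, the file names are invented, and the heuristics are assumptions.

```python
"""Triage a ZIP lure before anyone on the receiving end opens it.

Added example, not from the F6 report: the archive below is constructed in memory to mimic
the "document" lure pattern (it contains no real malware), and the heuristics are assumptions.
"""
import io
import zipfile

DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".hta", ".ps1"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
RTL_OVERRIDE = "\u202e"  # Unicode right-to-left override: reverses how the tail of a name is displayed


def extensions(name: str) -> list:
    """All dotted suffixes of the basename, lowercased: 'Orders.docx.exe' -> ['.docx', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_zip(data: bytes) -> list:
    """Return one {'name', 'size', 'reasons'} record per member; empty reasons means unremarkable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, exts, reasons = info.filename, extensions(info.filename), []
            last = exts[-1] if exts else ""
            if last in EXEC_EXTS:
                reasons.append(f"executable type {last}")
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
                reasons.append("double extension masquerading as a document")
            if RTL_OVERRIDE in name:
                reasons.append("RTL override character disguises the real extension")
            if last in ARCHIVE_EXTS:
                reasons.append("nested archive (second layer defeats naive scanners)")
            if name.startswith("/") or ".." in name.replace("\\", "/").split("/"):
                reasons.append("absolute or traversal path in member name")
            # Look at the first bytes rather than trusting the name: a Windows PE starts with 'MZ'.
            with zf.open(info) as member:
                head = member.read(4)
            if head.startswith(b"MZ") and last not in EXEC_EXTS:
                reasons.append("PE header (MZ) under a non-executable name")
            findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a harmless stand-in for a 'documents' ZIP carrying three disguised executables."""
    fake_pe = b"MZ" + b"\x00" * 126  # only the DOS magic; not a working program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Orders_2025.docx.exe", fake_pe)                # double extension
        zf.writestr("Roster" + RTL_OVERRIDE + "xcod.scr", fake_pe)  # displays as 'Rosterrcs.docx'
        zf.writestr("Map.pdf", fake_pe)                             # PE body under a PDF name
        zf.writestr("readme.txt", b"Please review the attached documents.")
    return buf.getvalue()


def flagged_names(data: bytes) -> list:
    """Names of members that need a human or a sandbox before delivery."""
    return [f["name"] for f in triage_zip(data) if f["reasons"]]


if __name__ == "__main__":
    for f in triage_zip(build_sample_lure()):
        print(f"{f['name']!r:40} {f['size']:>6}  {'; '.join(f['reasons']) or 'ok'}")
```

The magic-byte check matters more than the name checks: a file named `Map.pdf` that begins with `MZ` is an executable whatever the icon says, and it is the one disguise that survives a user who has learned to distrust `.exe`. Mail gateways and chat-attachment scanners can apply the same rules; anything with a non-empty `reasons` list goes to a sandbox rather than to the recipient.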
### Inside the **Kontur** Platform
Researchers also discovered an internal management platform used by the hackers, dubbed **Kontur**. This platform stores stolen **Telegram** sessions and allows operators to review intercepted messages. Internal notes within **Kontur** referenced military ranks, unit designations, locations, and operational status. This strongly suggests the campaign is primarily intended for military espionage.
### Espionage Objectives and Lack of Attribution
According to **F6**, **SiribClone**'s operations focus on two main objectives: collecting technical, geographic, and personal data from infected devices, and gaining persistent access to victims' **Telegram** accounts to intercept communications.
The researchers did not attribute the campaign to any specific country or known threat actor. This leaves the ultimate origin and sponsors of **SiribClone** unknown for now.