SiribClone Used Romance Lures and Telegram Phishing to Spy on Russian Soldiers
Russian cybersecurity firm F6 says a previously undocumented espionage group it calls SiribClone has targeted Russian military personnel since at least summer 2025, using fake romantic interest and humanitarian-assistance pretexts on Telegram, messaging apps, and dating sites to collect battlefield-relevant intelligence. The operation sought personal data, correspondence, contacts, geolocation, device information, and access to victims’ Telegram accounts, with activity concentrated on servicemen in border regions and combat zones.
Researchers identified two malware families tied to the campaign: SafeLoveStealer for Android, spread through deceptive links and APK files such as Safeintim.apk, and SiribGrabber for Windows, delivered through .LNK files disguised as military-themed documents and later through an "Immortal Regiment" themed website serving malicious archives. F6 also found phishing infrastructure designed to steal Telegram sessionString tokens and an internal operator platform called Kontur used to store hijacked Telegram sessions, review intercepted messages, and track victim details; the company did not attribute the activity to a known threat actor or country.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SiribClone begins targeting Russian military personnel
F6 reported that the previously undocumented espionage group SiribClone has targeted Russian military personnel since at least summer 2025 using social-engineering lures on Telegram and other platforms.
F6 discloses SiribClone espionage campaign and malware families
F6 publicly reported on the SiribClone operation, describing romance and humanitarian-assistance lures targeting Russian soldiers, the SafeLoveStealer Android spyware, the SiribGrabber desktop malware, Telegram credential theft infrastructure, and the internal 'Kontur' platform used to manage stolen Telegram sessions.
SiribClone launches Immortal Regiment-themed lure campaign
In May 2026, F6 observed a new SiribClone campaign using an 'Immortal Regiment' themed website to entice victims to download archives that deployed an updated SiribGrabber malware variant.
Researchers observe SiribClone attacks in January-February 2026
F6 observed attacks during January and February 2026 in which SiribClone used messengers and dating sites to phish Russian military personnel and deliver Android spyware and Windows malware.
SiribClone starts testing its tools
According to F6, SiribClone began testing its malware tooling in December 2025 ahead of later observed attacks against Russian servicemen.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cloaked Ursa Phishes Diplomats With Repurposed Lures and Cloud-Backed Malware
Unit 42 reported that **Cloaked Ursa**—also tracked as **APT29**, **Midnight Blizzard**, **Nobelium**, and **Cozy Bear**—ran phishing campaigns against diplomatic targets in **Ukraine** and **Turkey**, using lures tied to diplomats’ personal and professional interests. In one operation, the group repurposed a legitimate BMW-for-sale flyer originally sent by a Polish Ministry of Foreign Affairs diplomat and redistributed malicious versions to diplomatic missions in Kyiv, reaching at least **22 foreign missions**. A separate campaign targeted the **Turkish Ministry of Foreign Affairs** with a lure themed around humanitarian assistance guidance following the February 2023 earthquakes. The phishing chain redirected victims through URL shorteners to a compromised website that delivered malware through **HTA**, **ISO**, and **LNK** files disguised as PNG images, followed by **DLL sideloading**. Researchers said the payload used the **Microsoft Graph API** and **Dropbox** for command-and-control and shared code and tradecraft with previously reported Cloaked Ursa tooling, including overlap with **QUARTERRIG**, use of `APPVISVSUBSYSTEMS64.dll`, anti-analysis checks, shellcode injection, and obfuscated final-stage payloads. The activity showed a shift toward broadly appealing but individually relevant lures designed to spread more easily within diplomatic circles and improve espionage success.
May 26, 2026
Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
Jun 1, 2026
Cavalry Werewolf APT Targets Russian Agencies with FoalShell and StallionRAT
Cavalry Werewolf, an advanced persistent threat (APT) group with reported overlaps to YoroTrooper and other clusters such as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris, has been actively targeting Russian state agencies and critical industries. The group has been observed deploying custom malware families, notably FoalShell and StallionRAT, in a series of sophisticated cyberattacks. According to cybersecurity vendor BI.ZONE, the attackers initiated their campaigns by sending highly targeted phishing emails that masqueraded as official correspondence from Kyrgyz government officials. These emails were crafted to deceive recipients within Russian government agencies, as well as organizations in the energy, mining, and manufacturing sectors. In some instances, the attackers compromised legitimate email accounts belonging to the Kyrgyz Republic's regulatory authority, increasing the credibility and effectiveness of their phishing attempts. The phishing emails typically contained RAR archive attachments, which, when opened, delivered the FoalShell or StallionRAT malware payloads to the victims' systems. FoalShell is a lightweight reverse shell available in Go, C++, and C# versions, enabling attackers to execute arbitrary commands via cmd.exe on compromised machines. StallionRAT, written in Go, PowerShell, and Python, provides similar capabilities, including command execution, file loading, and data exfiltration. The campaign was observed between May and August 2025, indicating a sustained and coordinated effort to infiltrate Russian public sector networks. The technical sophistication of the malware, including its multi-language implementations, suggests a well-resourced and adaptable threat actor. The use of Telegram as a command-and-control (C2) channel has also been reported, allowing the attackers to maintain covert communications and control over infected hosts. The group’s ties to Tomiris, which Microsoft has linked to a Kazakhstan-based actor known as Storm-0473, further suggest a regional nexus and possible state sponsorship. Previous related attacks by ShadowSilk targeted government entities in Central Asia and the Asia-Pacific region, using similar remote access trojans and reverse proxy tools. The ongoing campaign highlights the persistent threat posed by Cavalry Werewolf to Russian governmental and industrial targets, as well as the broader regional implications of their operations. Security researchers emphasize the importance of monitoring for phishing attempts impersonating government officials and the deployment of custom malware families like FoalShell and StallionRAT. The attacks underscore the need for robust email security, user awareness training, and advanced endpoint detection to mitigate the risk from such sophisticated APT campaigns. The incident also demonstrates the evolving tactics of threat actors in leveraging both social engineering and technical innovation to achieve their objectives. Organizations in the targeted sectors are advised to review their security postures and implement proactive threat hunting measures. The campaign serves as a reminder of the complex and dynamic nature of cyber threats facing government and critical infrastructure entities in the region.
Mar 21, 2026