VYPR Research · Published Jun 9, 2026 · 1 source

SiribClone Hackers Target Russian Soldiers with Romance Scams and Spyware

A new espionage group, SiribClone, is using fake romantic advances and malicious applications to steal sensitive data and compromise Telegram accounts of Russian military personnel.

A previously undocumented cyber espionage group, identified as SiribClone by cybersecurity firm F6, has been actively targeting Russian soldiers since at least mid-2025. The group employs a sophisticated social engineering tactic, posing as women seeking romantic relationships or offering humanitarian aid to initiate contact with servicemen. These interactions typically occur on platforms like Telegram, where the attackers aim to build trust before persuading their targets to download malicious applications or enter credentials into fake login pages.

The primary objective of SiribClone appears to be the collection of battlefield intelligence. By compromising the smartphones and computers of Russian military personnel stationed in border regions and combat zones, the group seeks to steal files, monitor communications, and gather sensitive military information. The attackers have deployed custom malware, including an Android spyware dubbed SafeLoveStealer, capable of exfiltrating photos, videos, documents, and location data. It also allows for remote activation of the device's microphone for eavesdropping.

Beyond mobile devices, SiribClone also targets desktop computers with its own custom malware, SiribGrabber. This tool is designed to steal files from infected systems. The group has distributed this malware through ZIP archives disguised as military-related documents, aiming to exploit the targets' professional context to bypass suspicion. This tactic highlights the group's focus on espionage and intelligence gathering.

SiribClone's operational methods have evolved, with researchers noting a resurfacing in May after a period of apparent inactivity. The group has employed new malware distributed via websites themed around Russian holidays, such as Victory Day celebrations. This adaptability suggests a persistent and evolving threat actor. The attackers also operate convincing phishing websites that mimic Telegram login pages, medical portals, and community invitation pages, designed to harvest credentials and session tokens.

Further complicating the threat landscape, SiribClone utilizes an internal management platform called Kontur. This platform serves as a central hub for storing stolen Telegram sessions and allows operators to review intercepted messages. Internal notes found within Kontur reference military ranks, unit designations, locations, and operational status, strongly indicating that the campaign is meticulously designed for military espionage purposes.

The group's operations are focused on two key objectives: acquiring technical, geographic, and personal data from compromised devices, and establishing persistent access to victims' Telegram accounts to intercept communications. While the researchers have not attributed SiribClone to any specific nation-state or known threat actor, the targeting of Russian military personnel and the nature of the intelligence sought point towards a well-resourced and motivated entity.

The campaign's success relies on exploiting human trust and the desire for connection, particularly among soldiers in isolated or high-stress environments. The use of romance scams, combined with sophisticated technical tools, makes SiribClone a significant threat to military communications and operational security. The ongoing nature of the conflict in the region likely provides fertile ground for such espionage operations.

Synthesized by Vypr AI