Hackers posing as women seeking relationships or volunteers offering help tricked Russian military personnel into installing spyware or surrendering their Telegram accounts. Researchers at F6 say the previously undocumented SiribClone group has operated since at least summer 2025, targeting troops in border regions and combat zones with Android spyware dubbed SafeLoveStealer, desktop malware called SiribGrabber, and phishing sites masquerading as Telegram logins, invite pages, medical portals, and other services to steal messages, files, location data, and microphone audio.
Why it matters: This is an active espionage campaign aimed at people in combat zones and shows how romance lures and fake support offers can turn personal chats into battlefield surveillance. Anyone in sensitive roles should treat unsolicited Telegram contacts, app downloads, and login pages as high risk, avoid sideloading apps, and use phishing-resistant account protections where possible.
2026.06.09
The article is the first concrete report here tying the SiribClone operation to specific lures, malware families, and Telegram account theft tactics against Russian military targets.