The Sandworm advanced persistent threat (APT) actor [4], believed to be supported by Russia’s military intelligence agency, the GRU [4] [5], has been attributed with a cyber attack campaign targeting Ukrainian military targets [4].


The Security Service of Ukraine (SBU) initially uncovered the Infamous Chisel malware family used in this campaign [4]. It specifically targeted Android mobile devices owned by Ukraine’s armed forces [4]. Infamous Chisel was designed to gain unauthorized access to compromised devices and operate through the Tor network. It has the capability to scan files, monitor traffic [1] [2] [5], and periodically steal sensitive information [2], including system device information [2] [3], commercial application information [2] [3], and applications specific to the Ukrainian military [2] [3].

The malware has been linked to the Russian GRU’s Main Centre for Special Technologies (GTsST) and the threat actor Sandworm. Infamous Chisel gains persistence by replacing a legitimate system component with a malicious version and uses shell scripts and commands to collect device information and search for specific files [3]. It exfiltrates files using the TLS protocol and a hard-coded IP and port [3], and it also installs a modified version of the Dropbear SSH client for remote access [3].

Despite lacking basic obfuscation or stealth techniques [3], Infamous Chisel poses a serious threat due to the sensitive information it can collect [3]. The UK and international allies have published a report on the malware [5], demonstrating their commitment to assisting Ukraine in the face of Russian cyber attacks [5]. This report can be found on the National Cyber Security Centre (NCSC) website [5].


The Infamous Chisel malware campaign [4], attributed to the Sandworm APT actor supported by Russia’s GRU, has targeted Ukrainian military targets [5]. The malware’s ability to gain unauthorized access, scan files [1] [2] [5], monitor traffic [1] [2] [5], and steal sensitive information poses a serious threat. However, the UK and international allies have shown their commitment to assisting Ukraine by publishing a report on the malware. This highlights the importance of mitigating the impacts of cyber attacks and the need for continued vigilance in the face of future threats.