Hackers pose as women seeking romance to spy on Russian soldiers

A previously undocumented cyber espionage group has been attempting to compromise the smartphones, computers and Telegram accounts of Russian military personnel by posing as women seeking romantic relationships, researchers have found.

The group, dubbed SiribClone by Russian cybersecurity firm F6, has been active since at least the summer of 2025 and has primarily targeted members of the Russian armed forces stationed in border regions and combat zones.

The campaign appears aimed at gathering battlefield intelligence by stealing files, monitoring communications and collecting sensitive military information from Russian troops deployed near the front line, researchers said in a report released last week.

The hackers impersonated women seeking romantic relationships or volunteers offering humanitarian assistance to initiate conversations with servicemen on Telegram and other messaging platforms before persuading them to download malicious applications or enter their Telegram credentials on spoofed websites.

Victims were tricked into clicking malicious links under various pretexts. In some cases, the attackers claimed to have developed a new application and asked users to test it. In others, they proposed exchanging intimate photographs through what appeared to be a secure photo-sharing application.

Instead, the application installed previously undocumented Android spyware that researchers named SafeLoveStealer. According to the report, the malware can steal photographs, videos, documents, location data and other information from infected devices while also allowing attackers to remotely activate the target’s microphone and record conversations.

The group also operates phishing websites disguised as Telegram login pages, Telegram community invitations, medical test portals and other online services. Victims are prompted to enter their phone number, Telegram verification code and two-factor authentication password, allowing attackers to take control of their accounts and monitor their communications.

In addition to mobile spyware, the group deployed previously undocumented malware for desktop computers, dubbed SiribGrabber, whose primary purpose is to steal files from infected systems.

In this campaign, detected between January and February of this year, the hackers sent victims ZIP archives disguised as military-related documents. After several months of apparent inactivity, the group resurfaced in May with new malware distributed through a website themed around Russia's Victory Day celebrations.

The researchers also discovered an internal management platform used by the hackers, dubbed Kontur, which stores stolen Telegram sessions and allows operators to review intercepted messages. Internal notes within the platform referenced military ranks, unit designations, locations and operational status, suggesting that the campaign is primarily intended for military espionage.

According to F6, SiribClone's operations focus on two objectives: collecting technical, geographic and personal data from infected devices and gaining persistent access to victims' Telegram accounts to intercept communications.

The researchers did not attribute the campaign to any specific country or known threat actor.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.