Detail

The fake account turned out to be @reserveplusbot, a bot that simulated application technical support for conscripts, conscripts, and reservists. According to the State Intelligence Agency, it sends a message that “special software” must be installed and attaches an archive file called “RESERVPLUS.zip”.

CERT-UA researchers found that: archive contains MEDUZASTEALER malwareIt steals files from victims’ devices.

The State Special Communications Service writes that the @reserveplusbot account from May 2024 was indeed listed as one of “Reserve+”‘s technical support contacts. It is not reported what happened to him after this. Presumably, the developers of the service deleted the bot when people talked about the danger of Telegram in Ukraine, and criminals decided to take advantage of this by creating their own bot with the same name. This way they can expect to catch users who are unaware of the removal of the original. Another possibility is that the bot was somehow hijacked by a third party, but it is not yet clear how this is technically possible. While the details of the incident are still becoming clear, no comments have been made on this issue.

Please note that contact links in the Telegram messenger previously published, especially on official pages of government agencies, now lead to a malicious account. Therefore please avoid interacting with or downloading any files from the @reserveplusbot Telegram account,
– he said in the statement.

Although it is not known for sure who is behind it, there are actually not many options. The first suspect is Russia, as the bot steals the data of conscripts, privates, and reservists.