SiribClone shows a blunt truth about cyber espionage in wartime: the easiest path into a soldier’s device may be a fake romantic conversation, not a zero-day.

Fake Romance Lets SiribClone Spy on Russian Soldiers
XOOMAR Intelligence
Analyst Take
A previously undocumented group has been trying to compromise smartphones, computers, and Telegram accounts belonging to Russian military personnel by posing as women seeking relationships, according to The Record. The reported targets are members of the Russian armed forces stationed in border regions and combat zones, which makes the campaign less like ordinary romance fraud and more like human intelligence with malware attached.
Romance scams have become a battlefield sensor aimed at Russian soldiers
The reported campaign matters because it moves the point of attack away from hardened military networks and toward personal trust. If the findings of F6, the researchers behind the report, are accurate, SiribClone is not merely stealing accounts for resale or nuisance. It appears to be collecting information from troops deployed near the front line.
That changes the frame. Romance-themed outreach is personal. It doesn’t arrive as an obvious military threat. It starts as conversation, flirtation, or help from supposed volunteers offering humanitarian assistance. The question for militaries is uncomfortable: how do you train people to distrust emotional contact without cutting them off from normal life?
The source material says the campaign appears aimed at gathering battlefield intelligence by stealing files, monitoring communications, and collecting sensitive military information. That is a narrow but serious claim. It does not prove battlefield effects. It does show how private devices can become collection points when soldiers carry them into sensitive areas.
XOOMAR analysis: the real signal is not that hackers used romance as bait. That is old. The sharper point is that the bait reportedly fed a chain of spyware, phishing pages, stolen Telegram sessions, and an internal review platform. The social engineering was only the front door.
SiribClone’s dating-style deception targets the chat layer first
F6 says the group has been active since at least the summer of 2025. The reported method was simple: create fake female personas, start conversations with servicemen on Telegram and other messaging platforms, then push victims toward malicious apps or spoofed login pages.
In some cases, attackers claimed they had built a new application and wanted the target to test it. In others, they suggested exchanging intimate photos through what appeared to be a secure photo-sharing app. The practical question is: what does a soldier reveal before realizing the interaction is hostile?
The answer, based on the reported tooling, could be a lot. F6 said the Android spyware, named SafeLoveStealer, can steal photographs, videos, documents, location data, and other information from infected devices. It can also remotely activate the target’s microphone and record conversations.
According to F6, SiribClone's operations focus on two objectives: collecting technical, geographic and personal data from infected devices and gaining persistent access to victims' Telegram accounts to intercept communications.
That second objective is crucial. A compromised Telegram account is not just a hacked inbox. It can expose contacts, ongoing conversations, group membership, and the rhythms of communication around a target.
The known timeline is specific, but the scale is still missing
The public details provide a campaign timeline, not a full damage assessment.
| Reported component | Target device or account | Stated role in the campaign |
|---|---|---|
| SafeLoveStealer | Android devices | Steals files, location data, media, and can activate the microphone |
| SiribGrabber | Desktop computers | Steals files from infected systems |
| Spoofed Telegram pages | Telegram accounts | Captures phone numbers, verification codes, and two-factor authentication passwords |
| Kontur | Operator platform | Stores stolen Telegram sessions and lets operators review intercepted messages |
F6 also reported desktop malware named SiribGrabber, deployed in a campaign detected between January and February of this year. Victims received ZIP archives disguised as military-related documents. After several months of apparent inactivity, the group resurfaced in May with new malware distributed through a website themed around Russia's Victory Day celebrations.
The question the report does not answer is scale. There are no confirmed victim counts in the supplied material. No public number for stolen sessions. No disclosed volume of files taken. That absence is a finding in itself. Without those metrics, SiribClone’s effectiveness remains hard to measure.
XOOMAR analysis: this kind of operation can stay useful even without mass compromise. If the targets are in border regions and combat zones, a smaller number of well-placed accounts may matter more than a large number of low-value infections. That is an inference from the targeting described by F6, not a confirmed operational result.
The old honey trap now carries spyware and session theft
SiribClone fits an old intelligence pattern: exploit attraction, ego, loneliness, and trust. The digital version just moves faster. A fake persona can maintain many chats, send links instantly, and harvest both device files and account access.
The question is: what changed when the honey trap became software-driven? The answer is persistence. A traditional deception may extract a comment or a document. This reported campaign tried to install malware, seize Telegram sessions, and place intercepted messages into an internal platform.
F6 discovered that platform and named it Kontur. The source says it stores stolen Telegram sessions and allows operators to review intercepted messages. Internal notes referenced military ranks, unit designations, locations, and operational status. That detail strongly supports the researchers’ assessment that the operation was intended for military espionage.
For readers tracking different intrusion styles, compare this human-first approach with XOOMAR’s coverage of Miasma Worm Leak Hands Hackers a GitHub Attack Playbook, where code and repositories were the attack surface, and 1,500 Hacked Routers Drag AI Datacenters Into Spy War, where compromised infrastructure became the collection channel. SiribClone’s reported channel is more intimate: the private phone.
Soldiers, commanders, and cybersecurity firms face different versions of the same risk
For an individual soldier, the first risk is personal compromise. A fake relationship can lead to stolen photos, documents, location data, and recorded conversations. The hostile act may not look hostile until after credentials are entered or an app is installed.
For commanders, the problem is broader. Personal devices can create unit-level exposure when messages, files, ranks, locations, and operational status appear inside compromised accounts. The question for military leadership is blunt: can personal communications be allowed near sensitive deployments if adversaries can turn romance chats into account takeover?
For cybersecurity firms, naming a group such as SiribClone serves a defensive purpose. It gives defenders a label, a set of tools, and a pattern to watch. But attribution remains limited. The researchers did not tie the campaign to a specific country or known threat actor, and that restraint matters. In a war context, sloppy attribution can become part of the information fight.
For outside analysts, the campaign sits in a grey zone. It uses deception, malware, phishing, and account monitoring. It targets military personnel but reaches them through private channels. That overlap makes the ethics and operational meaning harder to separate.
Militaries and platforms need to treat emotional manipulation as part of cyber defense
The practical lesson is not “don’t click links.” That advice is too small for this case. SiribClone, as described, used conversation to create enough trust that a link, app, or login page felt plausible.
The better question is: how should defense training change when the lure is emotional rather than technical? Armed forces can warn personnel about fake romantic approaches, requests to test apps, secure photo-sharing claims, and Telegram login pages that ask for verification codes and two-factor passwords. Those details come straight from the reported SiribClone playbook.
Platforms also have a role, though the source does not describe any Telegram response or enforcement action. Based on the reported campaign mechanics, the pressure points are coordinated fake personas, spoofed login pages, suspicious credential flows, and repeat romance-scam patterns aimed at military users.
Ordinary users should pay attention too. The same pattern can support financial scams, blackmail, or identity theft. The target may differ. The emotional hook is the same.
AI personas could make the next SiribClone harder to spot
The forward watch item is whether romance-based espionage becomes more automated. AI-generated profile photos, translated messages, synthetic voice notes, and persona-management tools could make fake relationships cheaper to run and harder to detect. That is XOOMAR analysis, not a claim made by F6.
Evidence that would strengthen this thesis would include future reports showing AI-made personas, larger clusters of coordinated accounts, faster reuse of stolen Telegram sessions, or malware campaigns tied to more convincing fake identities. Evidence that would weaken it would be clearer proof that SiribClone was narrow, short-lived, or ineffective.
For now, the strongest supported conclusion is narrower and still serious: F6 found a previously undocumented campaign that used romance and humanitarian pretexts to target Russian military personnel, deploy SafeLoveStealer and SiribGrabber, phish Telegram credentials, and review stolen sessions through Kontur.
That is enough to show where wartime cyber espionage is heading. The device matters. The account matters. But the first compromise may begin with a stranger who seems interested.
Impact Analysis
- The campaign shows how personal devices can become intelligence targets in active war zones.
- Romance-themed social engineering can bypass hardened military systems by exploiting trust instead of technical flaws.
- The reported targeting of Russian soldiers highlights the growing role of smartphones, Telegram accounts, and private communications in battlefield espionage.
Written by
XOOMAR Insights Team
Research and Editorial Desk