tldr: they mostly use phishing with fake ukrainian army group invites to trick people (from ukrainian army) to link the phone device to a attacker-controlled PC.

Also they try to get the actual database SQL files from Windows devices and Android devices.