Ukrainian Defense Forces have become the target of a malware campaign disguised as a charity initiative, according to findings from Ukraine's Computer Emergency Response Team (CERT-UA). Between October and December 2025, a group that CERT-UA assesses as likely linked to the Russian actor tracked by Microsoft as Void Blizzard and by Dutch intelligence as Laundry Bear deployed a backdoor named PluggyApe.
The attacks began with deceptive instant messages sent over popular messaging platforms such as Signal and WhatsApp. Recipients were lured to a fraudulent website posing as a charitable foundation and instructed to download a password-protected archive; the password also stops mail and web gateways from inspecting the archive's contents. Instead of legitimate documents, the archive contained executable files that installed PluggyApe.
Details of the Malware Campaign
PluggyApe functions as a backdoor: it profiles the infected system and relays the collected information to the operators, assigns each victim a unique identifier, and then waits for further commands to execute. It achieves persistence by modifying the Windows Registry so that it is relaunched after a reboot. Earlier iterations used a double extension such as ".pdf.exe", which appears as a PDF when Explorer hides known file extensions, but by December 2025 the attackers had switched to PIF files, a legacy Windows format that is still executed like an .exe, marking the introduction of PluggyApe version 2.
The second version adds stronger obfuscation and moves command-and-control (C2) to MQTT, a lightweight publish/subscribe protocol normally associated with IoT devices; its traffic blends in with legitimate telemetry and is covered by few network detection rules, which makes the implant harder to spot. In addition, the malware retrieves its C2 addresses from public paste services such as rentry.co and pastebin.com (a dead-drop resolver), so operators can rotate servers without rebuilding the sample and analysts find no hardcoded C2 address to extract from it.
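The lure archives described above hide executables behind document-looking names. The following is an added example, not code from CERT-UA or from the campaign, of how a triage script can flag such members from the archive listing alone. Member names are readable even when the contents are password-protected, which is exactly the situation with these lures. The sample archive and its file names are constructed for the example; the extension lists are the author's own choices.

```python
import io
import zipfile

# Extensions Windows executes directly, including the .pif format used by
# PluggyApe v2 (a legacy Program Information File that Windows still runs).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "lnk", "hta"}
# Extensions a lure usually pretends to be.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
RLO = "\u202e"  # Unicode right-to-left override, used to visually reverse a name's tail


def classify_member(name: str) -> list[str]:
    """Return the reasons a member name looks like a masquerading executable (empty = clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    if RLO in base:
        reasons.append("rtl-override in name")
        base = base.replace(RLO, "")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # "report.pdf.exe": a document extension immediately before the real one
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Map every file in a zip archive to its findings.

    Only the central directory is read, so this works on password-protected
    archives without the password.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings[info.filename] = classify_member(info.filename)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample, not a real lure: member names modelled on the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fund_report.pdf.exe", b"MZ...")  # early variant: .pdf.exe
        zf.writestr("Documents.pif", b"MZ...")        # December variant: .pif
        zf.writestr("README.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_archive(build_sample_archive()).items():
        print(member, "->", reasons or "clean")
```

Because Explorer hides known extensions by default, the double-extension check is the one that catches the early ".pdf.exe" lures; the plain extension check is what catches the later ".pif" builds, since that format needs no second extension to look harmless.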
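Because MQTT C2 rarely trips existing rules, a network defender's first step is to recognise the protocol regardless of port. The following is an added example, not CERT-UA's code and not derived from the PluggyApe sample, that parses the start of a TCP payload for an MQTT CONNECT packet (protocol versions 3.1, 3.1.1 and 5) and reports the flows that use it. The `build_connect` helper and the flow list are constructed test data; the port numbers and client identifiers are assumptions.

```python
import struct


def _decode_varint(buf: bytes, pos: int):
    """MQTT 'remaining length' encoding: 7 data bits per byte, 0x80 continuation, max 4 bytes."""
    value, mult = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            return None
        b = buf[pos + i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos + i + 1
        mult *= 128
    return None


def _read_string(buf: bytes, pos: int):
    """MQTT string: 2-byte big-endian length followed by UTF-8 bytes."""
    if pos + 2 > len(buf):
        return None
    n = struct.unpack_from(">H", buf, pos)[0]
    end = pos + 2 + n
    if end > len(buf):
        return None
    return buf[pos + 2:end], end


def parse_mqtt_connect(payload: bytes):
    """Return CONNECT details if the payload starts with an MQTT CONNECT packet, else None."""
    if len(payload) < 2 or payload[0] != 0x10:  # packet type 1, flags must be 0000
        return None
    r = _decode_varint(payload, 1)
    if r is None:
        return None
    remaining, pos = r
    if pos + remaining > len(payload):
        return None
    s = _read_string(payload, pos)
    if s is None:
        return None
    name, pos = s
    if name not in (b"MQTT", b"MQIsdp"):  # 3.1.1/5 use "MQTT", 3.1 uses "MQIsdp"
        return None
    if pos + 4 > len(payload):
        return None
    level, flags = payload[pos], payload[pos + 1]
    keepalive = struct.unpack_from(">H", payload, pos + 2)[0]
    pos += 4
    if level == 5:  # MQTT 5 inserts a varint-prefixed properties block before the payload
        r = _decode_varint(payload, pos)
        if r is None:
            return None
        plen, pos = r
        pos += plen
    s = _read_string(payload, pos)
    if s is None:
        return None
    client_id, _ = s
    return {
        "protocol": name.decode(),
        "level": level,
        "keepalive": keepalive,
        "client_id": client_id.decode("utf-8", "replace"),
        "username_flag": bool(flags & 0x80),
        "password_flag": bool(flags & 0x40),
    }


def find_mqtt_flows(flows):
    """flows: iterable of (dst_port, first_payload_bytes). Returns (port, client_id) for MQTT CONNECTs."""
    hits = []
    for port, payload in flows:
        info = parse_mqtt_connect(payload)
        if info is not None:
            hits.append((port, info["client_id"]))
    return hits


def _encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n % 128
        n //= 128
        if n:
            b |= 0x80
        out.append(b)
        if not n:
            return bytes(out)


def build_connect(client_id: str, level: int = 4, keepalive: int = 60) -> bytes:
    """Constructed sample CONNECT packet (3.1.1 by default; level 5 adds empty properties)."""
    body = b"\x00\x04MQTT" + bytes([level, 0x02]) + struct.pack(">H", keepalive)
    if level == 5:
        body += b"\x00"
    cid = client_id.encode()
    body += struct.pack(">H", len(cid)) + cid
    return b"\x10" + _encode_varint(len(body)) + body


# Constructed flows: an HTTP request, a non-MQTT payload that happens to start with 0x10,
# and two MQTT CONNECTs, one of them on a port where MQTT is not expected.
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (8080, b"\x10\x05\x00\x03abc"),
    (1883, build_connect("sensor-07")),
    (443, build_connect("A1B2-victim", level=5, keepalive=120)),
]

if __name__ == "__main__":
    for port, cid in find_mqtt_flows(SAMPLE_FLOWS):
        print(f"MQTT CONNECT to port {port}, client id {cid!r}")
```

The client identifier is worth logging: a backdoor that assigns each victim a unique ID tends to put that ID in the CONNECT or in its topic names, which gives a pivot for correlating hosts. If the broker is reached over TLS this parser sees only the handshake, so pair it with proxy or DNS logs for the paste-site domains named above, which most endpoints have no reason to contact.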
CERT-UA has emphasized the growing risk posed by mobile devices in such attacks, since personal phones typically carry weaker protections than managed workstations. The attackers have shown a methodical approach, using compromised accounts or phone numbers belonging to Ukrainian mobile operators to make their messages look trustworthy.
Increased Complexity of Cyber Attacks
CERT-UA warned that the initial contact in these attacks often comes from legitimate accounts and is conducted in Ukrainian, including by voice and video call, which builds a convincing facade that can mislead victims. "The attacker may demonstrate detailed and relevant knowledge about the individual, the organization, and the specifics of its operations," the agency noted in its report.
CERT-UA has published a list of indicators of compromise (IoCs) for the campaign, including the fraudulent websites posing as charitable portals. The agency's findings underscore the need for vigilance among individuals and organizations in Ukraine as these threats grow more sophisticated.
The ongoing conflict has made Ukraine's military and government systems prime targets for state-aligned threat actors, with attacks that track broader geopolitical interests. As these threats develop, robust cybersecurity measures become more critical than ever.