PLUGGYAPE malware uses Signal and WhatsApp to target Ukrainian Armed Forces


January 14, 2026Ravi LakshmananCyber ​​espionage/threat intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed details of a new cyberattack targeting the Armed Forces between October and December 2025 with malware known as PLUGGYAPE.

This activity is believed with medium confidence to be the work of a Russian hacker group tracked as Void Blizzard (also known as Laundry Bear or UAC-0190). This threat actor is believed to have been active since at least April 2024.

The attack chains distributing the malware use the instant messaging apps Signal and WhatsApp as vectors, with the attackers posing as charity organizations to persuade targets to click on a seemingly innocuous link (“harthulp-ua[.]com” or “Solidarity Help[.]org”) that impersonates the foundation and downloads a password-protected archive.

The archive contains executable files created with PyInstaller that ultimately lead to the deployment of PLUGGYAPE. CERT-UA said that successive iterations of the backdoor added obfuscation and anti-analysis checks to prevent artifacts from being executed in virtual environments.


Written in Python, PLUGGYAPE establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT), allowing operators to execute arbitrary code on compromised hosts. Support for communication using the MQTT protocol was added in December 2025.

Additionally, the command-and-control (C2) addresses are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored in base64-encoded form, rather than being hard-coded directly into the malware itself. This gives the attackers operational security and resilience, allowing them to update their C2 servers in real time if the original infrastructure is detected and taken down.
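A defender-side hunt for the paste-service lookup described above, as an added example that is not from CERT-UA or the original article: it flags a non-browser process that fetches from a paste site and then opens an MQTT or WebSocket session within five minutes. The log field layout, browser allowlist, time window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Paste services named in the article (defanged there); extend locally.
PASTE_HOSTS = {"rentry.co", "pastebin.com"}
# Assumption: processes expected to browse paste sites on this estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Standard MQTT ports (plain and TLS); WebSocket is taken from the proto field.
MQTT_PORTS = {1883, 8883}
WINDOW = timedelta(minutes=5)

# Constructed sample records: (time, host, process, destination, port, proto)
SAMPLE = [
    ("2025-12-03T09:00:01", "ws-014", "chrome.exe", "pastebin.com", 443, "https"),
    ("2025-12-03T09:00:09", "ws-014", "chrome.exe", "cdn.example.net", 443, "websocket"),
    ("2025-12-03T09:12:40", "ws-022", "docs_viewer.exe", "rentry.co", 443, "https"),
    ("2025-12-03T09:12:44", "ws-022", "docs_viewer.exe", "broker.example.org", 8883, "mqtt"),
    ("2025-12-03T10:30:00", "ws-031", "updater.exe", "pastebin.com", 443, "https"),
    ("2025-12-03T11:45:00", "ws-031", "updater.exe", "push.example.com", 443, "websocket"),
]


def is_paste(dest):
    """True for a paste host or any of its subdomains."""
    return any(dest == h or dest.endswith("." + h) for h in PASTE_HOSTS)


def is_channel(port, proto):
    """True for the two transports the article attributes to the backdoor."""
    return port in MQTT_PORTS or proto in {"mqtt", "websocket"}


def hunt(records):
    """Return (host, process, paste_host, channel_dest) for each paste fetch by a
    non-browser process followed within WINDOW by an MQTT/WebSocket session."""
    hits, last_fetch = [], {}
    for ts, host, proc, dest, port, proto in sorted(records):
        when = datetime.fromisoformat(ts)
        key = (host, proc.lower())
        if is_paste(dest):
            if proc.lower() not in BROWSERS:
                last_fetch[key] = (when, dest)
        elif key in last_fetch and is_channel(port, proto):
            fetched, paste = last_fetch.pop(key)
            if when - fetched <= WINDOW:
                hits.append((host, proc, paste, dest))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print("review:", hit)
```

Only the ws-022 record pair is reported: the browser fetch is allowlisted, and the ws-031 session falls outside the correlation window.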

CERT-UA stated that “initial interactions with targets of cyberattacks are increasingly carried out using legitimate accounts and phone numbers of Ukrainian mobile carriers, using the Ukrainian language, voice and video communications, and attackers may demonstrate detailed and relevant knowledge of individuals, organizations and their operations.”

“Widely used messengers available on mobile devices and personal computers are becoming the de facto most common channel for delivering software tools against cyber threats.”

In recent months, cybersecurity agencies have also revealed that a threat cluster tracked as UAC-0239 sent phishing emails from UKR[.]net and Gmail addresses containing links to VHD files (or the files directly as attachments) that pave the way for a Go-based stealer called FILEMESS, which collects files matching a specific extension and exfiltrates them to Telegram.

The campaign also dropped an open-source C2 framework called OrcaC2 that enables system operations, file transfers, keylogging, and remote command execution. The operation is said to have targeted the Ukrainian Armed Forces and local governments.


Ukrainian educational institutions and state authorities have also fallen victim to another spear-phishing campaign, organized by UAC-0241, that uses ZIP archives containing Windows shortcut (LNK) files to trigger the execution of HTML applications (HTA) using ‘mshta.exe’.

The HTA payload then launches JavaScript designed to download and run PowerShell scripts, which deliver an open-source tool called LaZagne to recover stored passwords and a Go backdoor codenamed GAMYBEAR that can receive and execute commands from a server and send the results back over HTTP in Base64-encoded form.
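The LNK to mshta.exe to PowerShell chain described above can be hunted in process-creation telemetry; the following is an added example, not code from the article or CERT-UA, that walks each PowerShell process's ancestry looking for mshta.exe. The event tuple layout and every sample event are constructed, and PIDs are assumed unique within the batch.

```python
# Constructed process-creation events (pid, parent pid, image name), in the
# shape a Sysmon Event ID 1 or EDR export could be normalised to.
EVENTS = [
    (100, 1, "explorer.exe"),
    (210, 100, "mshta.exe"),        # HTA started from the user's shell
    (215, 210, "powershell.exe"),   # direct child of mshta.exe
    (300, 100, "winword.exe"),
    (410, 100, "mshta.exe"),
    (420, 410, "cmd.exe"),
    (430, 420, "powershell.exe"),   # indirect descendant of mshta.exe
    (500, 100, "cmd.exe"),
    (510, 500, "powershell.exe"),   # ordinary admin use, no mshta.exe ancestor
]

SHELLS = {"powershell.exe", "pwsh.exe"}


def lineage(pid, by_pid):
    """Image names from the process up to its oldest known ancestor.

    Stops at a missing parent and guards against parent loops in bad data.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def find_hta_chains(events):
    """Return (pid, ancestry) for every PowerShell process descended from mshta.exe."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    alerts = []
    for pid, _, image in events:
        if image.lower() in SHELLS:
            chain = lineage(pid, by_pid)
            if "mshta.exe" in chain[1:]:
                alerts.append((pid, " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for pid, chain in find_hta_chains(EVENTS):
        print(f"pid {pid}: {chain}")
```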

