
Ukraine’s Military Targeted in Deceptive Charity Malware Attack

Summary

– Ukrainian defense officials were targeted by a malware campaign using fake charity lures delivered via Signal or WhatsApp between October and December 2025.
– The attack, attributed with medium confidence to the Russian group ‘Void Blizzard’/‘Laundry Bear’, delivered the PluggyApe backdoor through malicious executable files.
– PluggyApe is a backdoor that profiles the host, sends data to attackers, and achieves persistence via the Windows Registry, with its latest version featuring improved obfuscation.
– The attackers use highly convincing methods, including compromised accounts, Ukrainian phone numbers, and detailed personal knowledge of their targets.
– Ukraine’s CERT warns that mobile devices are prime targets due to poor protection and that the malware fetches its command-and-control addresses from public sites like pastebin.com.

Between late 2025 and early 2026, a sophisticated cyber campaign specifically targeted Ukrainian military personnel. The operation cleverly disguised itself as a charitable initiative, ultimately deploying a powerful backdoor malware known as PluggyApe. Ukrainian cybersecurity authorities attribute this activity with moderate confidence to a Russian-aligned threat group, which also goes by the names Void Blizzard and Laundry Bear. This same entity is infamous for a 2024 breach of Dutch police systems, where sensitive officer data was stolen.

The attack chain begins with highly personalized messages sent via popular encrypted platforms like Signal or WhatsApp. The messages, often appearing to come from trusted contacts or compromised accounts, direct the recipient to a fraudulent website for a supposed charitable foundation. Victims are prompted to download a password-protected archive file said to contain important documents. Instead of legitimate files, these archives harbor malicious executable files with a .docx.pif extension, which are sometimes sent directly through the messaging app.

Technically, the malicious PIF file is a Python application bundled into a single executable using the PyInstaller tool. Once executed, it deploys the PluggyApe payload. This backdoor performs an initial reconnaissance of the infected system, sending detailed host information and a unique victim identifier back to the attackers. It then lies in wait, ready to receive and execute remote commands. To ensure it survives a system reboot, the malware modifies the Windows Registry for persistence.

The threat actors have continuously refined their tools. Earlier iterations of PluggyApe used a “.pdf.exe” extension for the loader. By December 2025, they had upgraded to version 2, employing PIF files and incorporating enhanced obfuscation techniques. This newer version uses MQTT-based communication for stealth and includes additional anti-analysis checks to evade detection. Furthermore, the malware retrieves its command-and-control server addresses dynamically from public text-sharing sites like pastebin.com, where they are stored in base64-encoded form, making the infrastructure more resilient to takedowns.
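As an added defender-side example (not code from the advisory, the article or the malware), a small Python triage helper that applies three details from the description above: the document-then-executable double extension, PyInstaller packaging (recognised by the bootloader's archive cookie) and base64-encoded addresses recovered from text fetched from a paste site. The sample blob, the paste text and the broker host name are constructed placeholders.

```python
import base64
import binascii
import re

# Document-style extension immediately followed by a Windows executable extension:
# the naming trick of the lure (".docx.pif" now, ".pdf.exe" in earlier versions).
DOC_EXTS = ("doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt")
EXEC_EXTS = ("pif", "exe", "scr", "com", "bat", "cmd")
_DOUBLE_EXT = re.compile(r"\.(?:%s)\.(?:%s)$" % ("|".join(DOC_EXTS), "|".join(EXEC_EXTS)), re.I)
# Cookie that PyInstaller's bootloader appends to the archive inside a one-file bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

def is_deceptive_double_extension(filename: str) -> bool:
    """True for names such as 'donation_list.docx.pif' that hide an executable."""
    return _DOUBLE_EXT.search(filename) is not None

def looks_like_pyinstaller(data: bytes) -> bool:
    """Heuristic: a PyInstaller one-file executable carries the MEI cookie in its body."""
    return PYINSTALLER_MAGIC in data

def decode_base64_c2(paste_text: str) -> list[str]:
    """Decode base64 tokens in fetched text and keep those that form a URL or host:port."""
    found = []
    for token in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", paste_text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip
        if re.fullmatch(r"(?:[a-z]+://)?[\w.-]+(?::\d{1,5})?(?:/\S*)?", decoded):
            found.append(decoded)
    return found

def triage(filename: str, data: bytes) -> list[str]:
    """Findings for one attachment: file-name deception plus packaging hint."""
    findings = []
    if is_deceptive_double_extension(filename):
        findings.append("deceptive-double-extension")
    if looks_like_pyinstaller(data):
        findings.append("pyinstaller-bundle")
    return findings

# Constructed samples, not real artifacts: a PE-like blob carrying the cookie and a
# paste holding one base64-encoded broker address that uses a placeholder host.
SAMPLE_PIF = b"MZ" + b"\x00" * 64 + b"frozen python" + PYINSTALLER_MAGIC + b"\x00" * 16
SAMPLE_PASTE = "c2 list\n" + base64.b64encode(b"mqtt://c2.example.invalid:1883").decode() + "\n"
```

The cookie check is a packaging hint only; legitimate PyInstaller applications carry it too, so treat it as one signal alongside the file-name and delivery-channel context.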

A particularly concerning aspect highlighted by the report is the focus on mobile devices. Attackers recognize that phones and tablets are often less rigorously protected than traditional computers. They combine this vulnerability with extensive reconnaissance, frequently using compromised Ukrainian phone numbers and social media accounts to build credibility. The use of fluent Ukrainian language in audio and video communications makes the social engineering exceptionally convincing.

The attackers demonstrate an alarming depth of knowledge about their targets, including personal details, organizational roles, and operational specifics. This personalized approach significantly increases the likelihood of a successful compromise. Cybersecurity officials urge heightened vigilance, especially regarding unsolicited messages that urge urgent action or document downloads, even from seemingly familiar sources. A full list of technical indicators, including fraudulent website domains, is available in the official advisory for network defenders to implement protective measures.

(Source: Bleeping Computer)
