Ukraine’s Army Targeted in Charity-Themed Malware Campaign

Between October and December 2025, Ukraine’s Defense Forces were hit by a malware campaign disguised as charity outreach, delivering a backdoor called PluggyApe.

Key Findings

  • Threat actors: Likely linked to Russian group Void Blizzard (aka Laundry Bear), though attribution confidence is medium.
  • Past activity: Laundry Bear previously breached Dutch police systems in 2024, stealing sensitive officer data.
  • Target focus: NATO member states, with operations aligned to Russian strategic interests.

Attack Chain

  1. Initial lure:
    • Messages sent via Signal or WhatsApp.
    • Claimed to be from charitable foundations, urging recipients to download password-protected archives.
  2. Payload delivery:
    • Archives contained malicious PIF files with a double extension (e.g. report.docx.pif) built with PyInstaller. PIF is a legacy Windows format that still runs as a program, and Explorer never displays the .pif suffix, so the file appears to be a Word document.
    • Sometimes payloads were sent directly through messaging apps.
  3. PluggyApe backdoor:
    • Profiles host system and sends victim identifier to attackers.
    • Polls its C2 for commands to execute on the host.
    • Achieves persistence via Windows Registry modification.

Evolution of PluggyApe

  • Earlier versions: Used .pdf.exe loaders.
  • December 2025 update (PluggyApe v2):
    • Better obfuscation.
    • MQTT publish/subscribe used as the C2 channel; the protocol is common in IoT and telemetry traffic and is rarely inspected by controls tuned for HTTP(S), which is what makes it quiet.
    • Enhanced anti-analysis checks.
  • C2 infrastructure: The implant retrieves its C2 address at runtime from base64-encoded text posted on rentry.co and pastebin.com, so the binary carries only the paste URL and operators can rotate the real C2 without redeploying the backdoor.

Mobile Device Targeting

  • CERT-UA warns mobile devices are increasingly targeted:
    • Poorly protected and monitored compared to desktops.
    • Attackers use compromised accounts and Ukrainian telecom numbers to appear legitimate.
    • Messages often delivered in Ukrainian language, audio, or video, with detailed knowledge of targets to boost credibility.

Defensive Recommendations

  • Awareness training: Educate personnel about charity-themed lures and suspicious file extensions (.pif, .exe).
  • Endpoint monitoring: Flag PyInstaller-built executables (especially with double extensions) launched from user-writable paths such as Temp or Downloads, and alert on new registry autostart entries pointing at them.
  • Mobile security: Strengthen monitoring and endpoint protection for smartphones.
  • Threat intel sharing: Leverage IoCs provided by CERT-UA to block malicious domains and infrastructure.
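The endpoint checks above can be scripted. The following Python triage helpers are an added example written for this article; they are not CERT-UA tooling or anything from the campaign itself. They implement three checks: a deceptive double extension (document-looking name ending in an executable extension), the PyInstaller archive magic that every PyInstaller-built binary carries, and Run-key autostart entries (parsed from `reg export` text) pointing at executables in user-writable paths. The extension lists, the "user-writable" directories, and all sample inputs (the fake dropper bytes and the registry export) are assumptions constructed for the demo.

```python
"""Triage checks for the tradecraft described above: deceptive double extensions,
PyInstaller-built payloads, and executables registered for autostart.
Added example code, not CERT-UA tooling or the article's own; every sample input
below is constructed for the demo and is not a real campaign artefact."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Extensions Windows executes directly. .pif is a legacy Program Information File that
# Windows still runs as a program, and Explorer never displays the .pif suffix.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Document/media extensions used as the visible half of a double extension (assumed list).
DECOY_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".jpg", ".png", ".txt"}
# Magic bytes of the archive PyInstaller appends to every bundled executable
# (the MAGIC constant in PyInstaller's pyi_archive module).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# User-writable locations from which an autostart executable deserves a closer look (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")


def deceptive_double_extension(name: str) -> bool:
    """True for names such as report.docx.pif or invoice.pdf.exe."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DECOY_EXTS and "." + parts[2] in EXEC_EXTS


def is_pyinstaller_binary(path: Path) -> bool:
    """PyInstaller stores its archive as an overlay appended to the stub executable,
    so a substring search for the archive magic is enough for triage."""
    return PYINSTALLER_MAGIC in path.read_bytes()


def triage_directory(directory: Path) -> dict[str, list[str]]:
    """Return {filename: [reasons]} for files matching the dropper profile."""
    findings: dict[str, list[str]] = {}
    for p in sorted(directory.iterdir()):
        if not p.is_file():
            continue
        reasons = []
        if deceptive_double_extension(p.name):
            reasons.append("deceptive double extension")
        if p.suffix.lower() in EXEC_EXTS and is_pyinstaller_binary(p):
            reasons.append("PyInstaller-packed executable")
        if reasons:
            findings[p.name] = reasons
    return findings


# One "name"="command" line from a `reg export` of a Run key.
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')
# First Windows path in the command that ends in an executable extension.
EXE_PATH = re.compile(r'[a-z]:\\[^"]*?\.(?:pif|exe|scr|com|bat|cmd)\b')


def suspicious_run_entries(reg_export: str) -> dict[str, list[str]]:
    """Scan a `reg export` dump of an autostart key and return {value name: [reasons]}."""
    findings: dict[str, list[str]] = {}
    for line in reg_export.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue
        # reg export escapes quotes and backslashes inside the value; undo that first.
        cmd = m.group("cmd").replace('\\"', '"').replace("\\\\", "\\").lower()
        exe = EXE_PATH.search(cmd)
        if not exe:
            continue
        exe_path = exe.group(0)
        reasons = []
        if deceptive_double_extension(exe_path.rsplit("\\", 1)[-1]):
            reasons.append("deceptive double extension")
        if any(d in exe_path for d in USER_WRITABLE):
            reasons.append("autostart executable in user-writable path")
        if reasons:
            findings[m.group("name")] = reasons
    return findings


# Constructed `reg export` of HKCU\...\Run: one benign entry and one matching the campaign profile.
SAMPLE_RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\user\\AppData\\Local\\Temp\\charity_report.docx.pif"
'''


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Run both checks on constructed samples and return (file findings, registry findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in for a PyInstaller-built dropper: an MZ stub with the archive magic appended.
        (root / "charity_report.docx.pif").write_bytes(b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC)
        (root / "notes.txt").write_text("nothing to see here\n")
        file_findings = triage_directory(root)
    return file_findings, suspicious_run_entries(SAMPLE_RUN_KEY_EXPORT)


if __name__ == "__main__":
    files, autoruns = demo()
    for name, reasons in {**files, **autoruns}.items():
        print(f"{name}: {', '.join(reasons)}")
```

In practice `triage_directory` would be pointed at the messaging apps' download folders and `suspicious_run_entries` fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the magic-byte check survives filename changes, while the extension check catches the lure before anyone opens it.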

Takeaway

This campaign highlights the weaponization of humanitarian themes to deliver malware against Ukraine’s military. PluggyApe’s evolution—dynamic C2 fetching, MQTT communication, and anti-analysis features—shows a sophisticated, persistent threat designed to evade defenses and exploit trust in charitable causes.
