Charity-Themed Malware Used by Threat Actors to Target Ukraine’s Defense Forces

Ukrainian cybersecurity authorities have uncovered a sustained, targeted campaign against Ukraine’s defense forces, orchestrated by Russian-affiliated threat actors that disguise malware distribution as charitable donation requests.

Between October and December 2025, the National Cyber Incident Response Team of Ukraine (CERT-UA) and the Armed Forces Cyber Incident Response Team documented multiple coordinated attacks leveraging a Python-based backdoor called PLUGGYAPE.

The campaign, attributed with moderate confidence to the threat actor known as Void Blizzard (also tracked as Laundry Bear, designated UAC-0190), represents an evolution in social engineering tactics targeting military personnel.

The attack chain begins with messages sent via popular messaging platforms that direct targets to fraudulent websites impersonating legitimate charitable foundations.

These spoofed sites offer document downloads that are typically password-protected archives containing malicious executables.

In many cases, the executable itself arrives directly through the messenger as a .docx.pif file, exploiting the visual similarity to legitimate Word documents.

The dual-extension technique relies on user confusion: the file appears to be a document, but because Windows acts on the final extension, it executes as a program file when clicked.
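As an added example (not code from the article or from CERT-UA's report), a small Python triage helper that flags the document-lookalike double-extension lure described above. Only `.pif`, `.exe`, `.docx` and `.pdf` come from the page; the remaining entries in the two extension sets are assumptions about the same family of lures.

```python
# Added example: flag filenames that pair a document-style "cover" extension
# with a real executable extension, e.g. "zvit.docx.pif" or "zvit.pdf.exe".
# Windows decides what to run by the LAST extension only; everything before
# it is cosmetic for the user, which is exactly what the check keys on.
import os
import unicodedata

# Extensions Windows runs directly. ".pif" and ".exe" are named on the page;
# the others are assumed additional members of the same family.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Document-style extensions used as the cover. ".docx" and ".pdf" are from the
# page; the rest are assumptions.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".odt", ".ppt", ".pptx"}


def normalize_name(name: str) -> str:
    """Strip any path, fold lookalike characters (NFKC maps e.g. a fullwidth
    full stop to '.'), and lower-case so 'Report.DOCX.PIF' matches."""
    base = os.path.basename(name.replace("\\", "/"))
    return unicodedata.normalize("NFKC", base).lower()


def classify_filename(name: str) -> dict:
    """Return the real (last) extension, the cover extension before it, and a
    'suspicious' verdict that is True only for document-cover + executable-real."""
    norm = normalize_name(name)
    parts = norm.split(".")
    if len(parts) < 3:  # no extension, or a single extension: nothing chained
        real = "." + parts[-1] if len(parts) == 2 else ""
        return {"normalized": norm, "real_ext": real, "cover_ext": "", "suspicious": False}
    real_ext = "." + parts[-1]
    cover_ext = "." + parts[-2]
    suspicious = real_ext in EXECUTABLE_EXTS and cover_ext in DOCUMENT_EXTS
    return {"normalized": norm, "real_ext": real_ext, "cover_ext": cover_ext, "suspicious": suspicious}


def scan_names(names):
    """Classify a batch of filenames (e.g. from a download or messenger cache
    listing) and return only those using the double-extension lure."""
    return [n for n in names if classify_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names, not real indicators from the campaign.
    SAMPLE = ["Dokumenty_fondu.docx.pif", "zvit.pdf.exe", "list.docx", "setup.exe", "archive.tar.gz"]
    for n in scan_names(SAMPLE):
        print("flagged:", n, classify_filename(n))
```

Legitimate names with several dots (`archive.tar.gz`, `v1.2.docx`) are not flagged because the real extension is not executable; a plain `setup.exe` is not flagged either, since the check targets the disguise, not executables as such.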

Analysis of at least five campaigns revealed that the PIF files functioned as PyInstaller-compiled executable wrappers around PLUGGYAPE, a full-featured backdoor developed in Python.

The malware establishes command-and-control communication through WebSocket and MQTT protocols, transmitting data in JSON format.

Upon execution, PLUGGYAPE generates a unique device identifier by hashing hardware characteristics including MAC address, BIOS serial number, disk serial number, and processor identifier using SHA-256, retaining only the first 16 bytes.

The malware achieves persistence by creating registry entries in the Windows Run key, ensuring automatic execution across system reboots while remaining difficult to detect through standard monitoring.

Evolution and Counter-Detection Features

In October 2025, attackers distributed .pdf.exe files functioning as downgrade loaders that fetched a Python interpreter and early PLUGGYAPE variants directly from Pastebin repositories.

By December, threat actors deployed an enhanced, obfuscated version designated PLUGGYAPE.V2, which incorporates MQTT protocol implementation and multiple virtualization detection checks designed to evade analysis in sandbox environments.

Notably, several analyzed samples embedded command-and-control server addresses not as hardcoded values but as BASE64-encoded strings published on services like rentry.co and pastebin.com, enabling rapid infrastructure pivoting without requiring malware recompilation.

CERT-UA emphasizes that the threat landscape continues evolving at an accelerated pace. Attackers increasingly leverage compromised legitimate accounts, Ukrainian mobile operator phone numbers, and fluent Ukrainian language skills combined with detailed organizational knowledge during initial reconnaissance.

Messaging applications installed on mobile and personal computers have effectively become the primary delivery vector for cyber threats against Ukrainian targets.

Organizations and individuals are urged to immediately report suspected compromise indicators to the Armed Forces Cyber Incident Response Team.
