Ukrainian officials from the Defense Forces faced significant cyber threats through a charity-themed malware campaign from October to December 2025. This attack involved the deployment of backdoor malware known as PluggyApe, which is believed to be linked to the Russian threat groups Void Blizzard and Laundry Bear. According to a report from Ukraine’s Cyber Emergency Response Team (CERT-UA), the attribution to these groups carries medium confidence.

The Laundry Bear group is notably recognized for a previous breach in 2024, where it infiltrated the internal systems of the Dutch police and accessed sensitive officer information. This ongoing pattern of targeting NATO member states aligns with Russian interests, focusing on data theft through various malicious tactics.

The CERT-UA report details how the attacks were initiated through instant messages sent via applications such as Signal and WhatsApp. Recipients were directed to a website purportedly run by a charitable foundation, where they were urged to download a password-protected archive claiming to contain pertinent documents. In reality, these archives contained executable PIF files with a double extension (.docx.pif) that delivered the PluggyApe payload; in some cases the archives were sent directly through the messaging platforms.

PluggyApe operates as a backdoor, capable of profiling affected hosts and transmitting information back to the attackers, including a unique identifier for each victim. It also awaits further commands for code execution, achieving persistence through modifications made to the Windows Registry. Earlier versions of PluggyApe utilized the “.pdf.exe” extension, but by December 2025, the actors shifted to using PIF files along with a more advanced version of the malware, designated as PluggyApe version 2. This iteration boasts enhanced obfuscation techniques, MQTT-based communication, and improved anti-analysis measures.
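The lure files described above rely on a deceptive double extension: a document extension (.docx, .pdf) followed by an executable one (.pif, .exe). The following Python snippet is an added example, not code from the article or from CERT-UA, showing how a defender can flag such names in an archive listing or mail/chat attachment log; the set of document and executable extensions, and the sample listing, are assumptions constructed for illustration and go beyond the two combinations named in the report.

```python
"""Added example: flag deceptive double-extension filenames such as the
'.docx.pif' and '.pdf.exe' lures described in the CERT-UA report.
The extension lists and SAMPLE_LISTING are constructed assumptions."""
import os

# Document-looking extensions an attacker uses to make a file appear benign.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".xls", ".pptx", ".txt", ".rtf"}

# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk"}

# Constructed archive listing, as it might appear in a sandbox or gateway log.
SAMPLE_LISTING = [
    "list.docx.pif",          # document name, PIF executable (as in the report)
    "scan.pdf.exe",           # earlier PluggyApe pattern
    "report.docx",            # genuine document
    "setup.exe",              # plain executable, not disguised
    "archive.tar.gz",         # legitimate double extension
]


def split_extensions(name):
    """Return the lowercase extension chain of a filename.

    'docs/report.docx.pif' -> ['.docx', '.pif']; names with no dot give [].
    Whitespace is stripped so 'report.docx .pif' is still parsed.
    """
    base = os.path.basename(name).strip()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2:
        return []
    return ["." + p.lower() for p in parts[1:]]


def is_deceptive_double_extension(name):
    """True when the final extension is executable and the one before it
    looks like a document, i.e. the file masquerades as a document."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def scan_archive_listing(names):
    """Return the subset of names that use a deceptive double extension."""
    return [n for n in names if is_deceptive_double_extension(n)]


if __name__ == "__main__":
    for hit in scan_archive_listing(SAMPLE_LISTING):
        print(f"suspicious: {hit}")
```

The check is case-insensitive because Windows treats `Report.PDF.EXE` the same as `report.pdf.exe`. Note that Explorer never displays the `.pif` extension (the PIF file type carries the NeverShowExt flag), so `list.docx.pif` is shown to the user simply as `list.docx`, which is why inspecting the real filename at the gateway or in the archive listing matters more than relying on what the recipient sees.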

Another concerning development is the method of obtaining command-and-control (C2) addresses. Rather than relying on hardcoded entries, PluggyApe now retrieves these addresses from external platforms like rentry.co and pastebin.com, where they are encoded in base64. This flexibility in command retrieval adds another layer of difficulty for detection and mitigation efforts.

CERT-UA has issued a warning regarding the rising threat to mobile devices, which are often inadequately protected and monitored. The attackers have demonstrated a capacity for meticulous preparation, using compromised accounts and phone numbers belonging to Ukrainian telecommunications operators. This strategy enhances the believability of their attacks.

“Initial interaction with the target of a cyberattack is increasingly carried out using legitimate accounts, phone numbers of Ukrainian mobile operators, and the Ukrainian language, including audio and video communication,” CERT-UA states. This level of sophistication allows attackers to exhibit detailed knowledge about their targets, including the organizations involved and the specifics of their operations.

The report concludes with a comprehensive list of indicators of compromise (IoCs), which includes deceptive websites masquerading as charity portals. The identification of these threats is crucial for enhancing cybersecurity measures within vulnerable sectors.

This ongoing campaign underscores the persistent vulnerabilities faced by Ukraine’s Defense Forces and other organizations. As cyber warfare tactics evolve, the necessity for robust security protocols and awareness among potential targets remains paramount.