- Ukrainian military officials were targeted with fake charity campaigns that delivered the PluggyApe backdoor malware.
- The attacks, from October through December 2025, have connections to the Russian threat actor Void Blizzard, also called “Laundry Bear.”
- The attackers abuse messaging services like WhatsApp and Signal to spread malicious files disguised as charitable materials.

Between October and December 2025, senior officials in Ukraine’s Defense Forces received what appeared to be legitimate charity appeals but were actually carriers of sophisticated backdoor malware.
Ukraine’s CERT (CERT-UA) released a detailed report on the campaign. The report, written in Ukrainian, attributes the activity to a Russian threat group tracked as Void Blizzard, also known as Laundry Bear. The attribution is made with medium confidence, but the evidence is compelling.
A Familiar Threat Actor Returns
Laundry Bear isn’t new to causing havoc. This is the same group that infiltrated the Dutch police’s internal systems back in 2024 and walked away with sensitive information about law enforcement officers. Their track record shows a clear pattern: they consistently target NATO member states in operations that advance Russian interests. Their specialty? Stealing files and emails.
This Russian campaign exemplifies a global landscape where state-backed actors employ highly stealthy techniques for espionage, a realm that also includes Chinese groups using advanced rootkits to mask long-term intelligence operations worldwide.
The latest attacks follow a clever social engineering playbook. It starts with instant messages sent through Signal or WhatsApp. Recipients get told to visit a website supposedly run by a charitable foundation. They’re instructed to download a password-protected archive that claims to contain important documents.
But there’s nothing charitable about what’s inside. The archives actually contain executable PIF files disguised with a “.docx.pif” extension. Sometimes the attackers skip the website entirely and send the PluggyApe payloads directly through the messaging apps.
How the Malware Works
The malicious PIF file is an .exe program built with PyInstaller, an open-source tool that bundles a Python application together with all of its dependencies into a single executable. That packaging makes the malware look like an ordinary Windows program and helps it avoid detection.
PluggyApe works as a backdoor from the moment it infects a target. It profiles the infected computer, collects information about the host, and sends that data back to the attackers along with a unique identifier for each victim. It then waits for commands to run code. The malware establishes persistence if it succeeds in modifying the Windows Registry.
The threat actors have been evolving their tactics. In earlier PluggyApe attacks, they used the “.pdf.exe” extension for their loader. Starting in December 2025, they switched to PIF files carrying PluggyApe version 2. This upgraded version brings better obfuscation techniques, MQTT-based communication, and enhanced anti-analysis checks.
The Ukrainian agency also discovered something interesting about the malware’s infrastructure. Rather than hardcoding its command-and-control server addresses, PluggyApe retrieves them from external sources: sites like rentry.co and pastebin.com host the addresses in base64-encoded form. This approach is much more flexible than embedding the addresses directly in the malware.
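An analyst helper, added as an example here and not taken from CERT-UA’s report or the malware, that takes the text of a paste of the kind the malware fetches from rentry.co or pastebin.com and returns the base64 tokens that decode to a plausible C2 endpoint. The paste text, the example.net host names and the accepted URL schemes (mqtt included, given version 2’s MQTT communication) are constructed assumptions.

```python
"""Analyst helper for the dead-drop resolver described above: given the text
of a paste the malware would fetch, return the base64 tokens that decode to
a plausible C2 endpoint. Added example; not CERT-UA's or the malware's code."""
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")   # candidate base64 runs
HOST_PORT = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")
# Schemes assumed plausible for C2 (assumption); mqtt(s) because version 2 uses MQTT.
SCHEMES = {"http", "https", "mqtt", "mqtts", "ws", "wss"}

def decode_token(token: str) -> Optional[str]:
    """Strict base64 decode to printable ASCII text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii").strip()
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    return text if text and text.isprintable() else None

def looks_like_endpoint(text: str) -> bool:
    """'host:port' with a valid port, or a URL with an accepted scheme and host."""
    m = HOST_PORT.match(text)
    if m:
        return 0 < int(m.group(2)) < 65536
    parts = urlsplit(text)
    return parts.scheme in SCHEMES and bool(parts.hostname)

def extract_endpoints(paste_text: str) -> list[str]:
    """Decoded endpoints from all base64 tokens in the paste, deduplicated in order."""
    found: list[str] = []
    for token in B64_TOKEN.findall(paste_text):
        decoded = decode_token(token)
        if decoded and looks_like_endpoint(decoded) and decoded not in found:
            found.append(decoded)
    return found

# Constructed sample paste (not a real rentry.co/pastebin.com page): chatter
# around two base64 blobs, one "host:port" and one URL, both on example.net.
SAMPLE_PASTE = """Donation drive update, thanks to everyone who helped.
bWVkaWEtdXBkYXRlLmV4YW1wbGUubmV0Ojg4ODM=
aHR0cHM6Ly9jb250cm9sLmV4YW1wbGUubmV0L2dhdGU=
Totals will be posted here next month.
"""
```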
This tactic illustrates how threat actors exploit the broader ecosystem of hidden and unregulated online spaces—an ecosystem that also facilitates other global criminal enterprises, such as the dark web drug trade, which is now facing a concerted legislative response from bodies like the US Congress.
Mobile Devices Become Prime Targets
CERT-UA issued a stark warning about mobile device security. These devices have become attractive targets in attacks like this one. The reason is simple: they generally lack robust protection and monitoring compared to desktop systems.
The situation gets worse when attackers do their homework properly. Using compromised accounts or phone numbers from Ukrainian telecommunication operators makes the scams incredibly convincing.
According to CERT-UA, the initial contact with cyberattack targets increasingly happens through legitimate accounts and phone numbers from Ukrainian mobile operators. Communication occurs in Ukrainian, including audio and video calls. The attackers might show detailed and relevant knowledge about specific individuals, their organizations, and how those operations work.
This level of personalization makes the attacks extremely difficult to spot. The combination of legitimate-looking sources, proper language, and insider knowledge creates a nearly perfect disguise.
CERT-UA’s report includes a comprehensive list of indicators of compromise at the end. This includes the deceptive websites that pose as charity portals. Organizations and individuals can use these IoCs to check if they’ve been targeted or compromised.