Malware, Threat Intelligence, Government security

Ukraine defense officials targeted by PluggyApe malware campaign

As reported by Bleeping Computer, officials of the Ukrainian Defense Forces were targeted between October and December 2025 in a phishing campaign that delivered a backdoor tracked as PluggyApe. The activity is attributed with medium confidence to the Russian threat group Void Blizzard, also known as Laundry Bear, and shows the group moving its initial-access lures onto mobile messaging apps.

The lure was a charity theme: the attackers sent instant messages over Signal or WhatsApp that pointed targets to a fake charitable foundation website, where they were prompted to download a password-protected archive (the password also keeps the contents from being scanned in transit). Instead of documents, the archive held malicious PIF files named to look like documents; Windows treats the legacy .pif extension as an executable, so opening the "document" runs the loader. The PIF files were built with PyInstaller and deployed the PluggyApe backdoor, which profiles the host, exfiltrates data, establishes persistence through Windows Registry modifications, and then waits for commands. Over the course of the campaign the operators switched from .pdf.exe loaders to PIF files and moved to PluggyApe version 2, which added obfuscation and anti-analysis features. Command-and-control addresses were not embedded in the malware but fetched at runtime from paste services such as rentry.co and pastebin.com, so the operators could change infrastructure without reissuing the loader.
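The chain above gives a defender three cheap signals: a loader-like file name (.pif, or a document.exe-style double extension), a PE that carries PyInstaller's bundle marker, and a process that both fetches from a paste site and writes a Run key. The following is an added example, not code from the article, CERT-UA or Bleeping Computer, that wires those signals into a file triage function and a small telemetry correlator. It generalises slightly beyond the report: it also flags a PE hiding behind a plain document extension and the earlier .pdf.exe loader variant. The sample file bytes and telemetry events are constructed, the `Event` schema is a stand-in for Sysmon-style records, and the Run-key path is an assumption (the report only says "Registry modifications"); the PyInstaller cookie magic and the two paste-site domains are the only constants taken from real artefacts.

```python
# Added example (not from the article, CERT-UA, or Bleeping Computer): triage checks
# for the lure chain described above. Everything below is an assumption except
# PYINSTALLER_COOKIE_MAGIC, which PyInstaller writes into every bundle it builds,
# and the two paste sites the report names as C2-address drop points.
from dataclasses import dataclass

PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"  # PyInstaller archive cookie
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com"}         # Windows runs these as programs
LOADER_EXTS = {"pif", "scr", "com"}                    # rarely legitimate in a "document" archive
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}  # what the lure claims to be
PASTE_SITES = {"rentry.co", "pastebin.com"}            # named in the report
RUN_KEY_MARKER = "\\currentversion\\run"               # assumption: Run-key persistence


def suspicious_name(path: str) -> list[str]:
    """Name-only checks: legacy executable extensions and document.exe-style double extensions."""
    parts = path.lower().replace("/", "\\").rsplit("\\", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in LOADER_EXTS:
        reasons.append(f".{ext} extension (executes, but users rarely recognise it as a program)")
    if ext in EXECUTABLE_EXTS and len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext} masquerading as a document")
    return reasons


def triage_file(name: str, data: bytes) -> list[str]:
    """Content checks for an archive member: PE header and the PyInstaller cookie."""
    reasons = suspicious_name(name)
    if data[:2] == b"MZ":
        reasons.append("PE image")
    if PYINSTALLER_COOKIE_MAGIC in data:
        reasons.append("PyInstaller bundle")
    return reasons


@dataclass
class Event:
    """Minimal stand-in for a Sysmon-style telemetry record (constructed schema)."""
    kind: str         # "process", "network" or "registry"
    pid: int
    image: str        # full path of the process image
    target: str = ""  # remote host for network events, key path for registry events


def correlate(events: list[Event]) -> dict[int, list[str]]:
    """Flag a process when a loader-like name meets at least one reported behaviour
    (paste-site fetch, Run-key write), or when both behaviours appear without such a name."""
    by_pid: dict[int, list[Event]] = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    findings: dict[int, list[str]] = {}
    for pid, evs in by_pid.items():
        name_hits = suspicious_name(evs[0].image)
        behaviour_hits = []
        for ev in evs:
            if ev.kind == "network" and ev.target.lower() in PASTE_SITES:
                behaviour_hits.append(f"connection to paste site {ev.target}")
            elif ev.kind == "registry" and RUN_KEY_MARKER in ev.target.lower():
                behaviour_hits.append(f"Run-key write: {ev.target}")
        if (name_hits and behaviour_hits) or len(behaviour_hits) >= 2:
            findings[pid] = name_hits + behaviour_hits
    return findings


# Constructed sample: a fake PE with the PyInstaller cookie appended, as a real bundle would have.
SAMPLE_LOADER = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256 + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 24
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

# Constructed telemetry: one process matching the chain, one benign process that only touches pastebin.
SAMPLE_EVENTS = [
    Event("process", 4120, r"C:\Users\user\Downloads\Charity_Report.pif"),
    Event("network", 4120, r"C:\Users\user\Downloads\Charity_Report.pif", "rentry.co"),
    Event("registry", 4120, r"C:\Users\user\Downloads\Charity_Report.pif",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", 5001, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event("network", 5001, r"C:\Program Files\Mozilla Firefox\firefox.exe", "pastebin.com"),
]

if __name__ == "__main__":
    for member in ("Donation_List.pdf.pif", "Donation_List.pdf"):
        print(member, triage_file(member, SAMPLE_LOADER if member.endswith(".pif") else SAMPLE_PDF))
    for pid, reasons in correlate(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The correlator deliberately requires a loader-like name plus a behaviour, or both behaviours together, before it raises a finding: browsers and developer tools legitimately talk to pastebin.com, and many installers write Run keys, so either signal alone is noise. The PyInstaller cookie check is a useful pivot rather than a verdict, since plenty of benign tooling is shipped the same way.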

CERT-UA warns that mobile devices are increasingly attractive targets because they typically have weaker security controls and less monitoring than managed workstations. The attackers used compromised accounts and Ukrainian mobile operator numbers, paired with detailed knowledge of their targets, which made the social engineering highly convincing.

Source: Bleeping Computer
