PLUGGYAPE Malware
Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed a new wave of cyber operations aimed at national defense entities. These attacks, observed between October and December 2025, involve a previously undocumented strain of malware dubbed PLUGGYAPE. The campaign highlights a continuing evolution in both social engineering tactics and technical sophistication directed against Ukrainian targets.
Attribution and Threat Actor Profile
The activity has been linked, with medium confidence, to a Russian-aligned hacking group known as Void Blizzard, also referred to as Laundry Bear or UAC-0190. Intelligence assessments indicate the group has been active since at least April 2024. Their recent operations demonstrate a focused interest in military and defense-related environments.
Social Engineering at the Core of Initial Access
The infection chain begins not with exploits, but with deception. Threat actors initiate contact through widely trusted instant messaging platforms such as Signal and WhatsApp. Posing as representatives of charitable organizations, they persuade victims to open links leading to fake humanitarian websites, including domains like harthulp-ua.com and solidarity-help.org. These sites impersonate legitimate foundations and host password-protected archives that contain the malicious payload.
The attackers increasingly rely on compromised or convincingly prepared accounts tied to Ukrainian mobile operators. Communications are conducted in Ukrainian and may include voice or video calls. In many cases, the adversary demonstrates detailed familiarity with the victim’s background, organization, and operational context, significantly increasing the success of the social engineering effort.
Inside PLUGGYAPE: Malware Capabilities and Evolution
The downloaded archives deploy an executable built with PyInstaller, which installs the PLUGGYAPE backdoor. Written in Python, the malware enables operators to remotely run arbitrary code on infected systems. Over time, newer variants have incorporated stronger obfuscation techniques and anti-analysis mechanisms designed to prevent execution in virtualized or research environments.
PLUGGYAPE communicates with its operators using WebSocket connections and, as of December 2025, also supports the MQTT protocol, expanding its flexibility and resilience. This communication channel allows persistent control over compromised hosts and facilitates rapid tasking by the attackers.
Command-and-Control Resilience and Operational Security
Rather than embedding control server addresses directly in the malware, the operators retrieve Command-and-Control endpoints from public paste services such as rentry.co and pastebin.com. These addresses are stored in base64-encoded form, enabling the attackers to quickly change infrastructure without redeploying the malware. This approach complicates takedown efforts and enhances operational continuity if known servers are discovered and disrupted.
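As an added illustration of how a defender might hunt for the dead-drop pattern described above (example code written for this page, not from CERT-UA or the report): given constructed egress-proxy log lines, it flags a process that fetches one of the named paste services and shortly afterwards opens a WebSocket or MQTT channel, the two transports the report attributes to PLUGGYAPE. The log format, hostnames, process names and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed egress-proxy log lines for this example (not real telemetry):
# <timestamp> <host> <process> <destination:port> <protocol>
SAMPLE_LOG = """\
2025-11-03T10:01:12Z WS-17 updater.exe rentry.co:443 https
2025-11-03T10:01:15Z WS-17 updater.exe 203.0.113.45:8883 mqtt
2025-11-03T10:02:40Z WS-22 chrome.exe pastebin.com:443 https
2025-11-03T10:03:10Z WS-22 chrome.exe news.example:443 https
2025-11-03T10:05:00Z WS-09 notes.exe pastebin.com:443 https
2025-11-03T10:05:03Z WS-09 notes.exe 198.51.100.7:443 websocket
2025-11-03T11:30:00Z WS-09 notes.exe 198.51.100.7:443 websocket
"""

PASTE_SERVICES = {"rentry.co", "pastebin.com"}  # dead-drop hosts named by CERT-UA
C2_PROTOCOLS = {"websocket", "mqtt"}            # channels PLUGGYAPE is reported to use
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\S+)$")

def parse(log_text):
    """Yield (time, host, process, dest, port, proto) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, proc, dest, port, proto = m.groups()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               host, proc, dest.lower(), int(port), proto.lower())

def find_dead_drop_sequences(log_text, window_seconds=300):
    """Flag (host, process) pairs that fetch a paste service and then open a
    WebSocket or MQTT channel within window_seconds. Returns a list of alerts."""
    window = timedelta(seconds=window_seconds)
    last_paste = {}  # (host, process) -> time of most recent paste-service fetch
    alerts = []
    for ts, host, proc, dest, port, proto in sorted(parse(log_text)):
        key = (host, proc)
        if dest in PASTE_SERVICES:
            last_paste[key] = ts  # remember the fetch; a C2 address may follow
        elif proto in C2_PROTOCOLS and key in last_paste:
            if ts - last_paste[key] <= window:
                alerts.append({"host": host, "process": proc, "proto": proto,
                               "c2": f"{dest}:{port}", "paste_fetch": last_paste[key]})
            del last_paste[key]  # one decision per fetch, hit or miss
    return alerts

if __name__ == "__main__":
    for alert in find_dead_drop_sequences(SAMPLE_LOG):
        print(alert)
```

A browser visiting pastebin.com and then ordinary HTTPS sites produces no alert; only the fetch-then-C2-channel sequence from the same process does, which keeps the rule useful on hosts where paste services are legitimately used.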
A Broader Shift Toward Messenger-Based Threat Delivery
CERT-UA emphasizes that popular messaging applications on both mobile devices and personal computers are rapidly becoming primary channels for cyber threat distribution. Their ubiquity, combined with user trust and real-time interaction, makes them particularly effective platforms for delivering malicious tools and manipulating victims.