Ethical Hacking News

New Charity-Themed Malware Campaign Targets Ukrainian Army




Ukraine's army was recently targeted in a charity-themed malware campaign that delivered a backdoor called PluggyApe. The attacks are attributed with medium confidence to the Russian threat group tracked as 'Void Blizzard' and also known as 'Laundry Bear'. The incident is the latest in a series of Russian operations against Ukrainian military personnel, and shows the actors refining both their lures and their implant between waves.



  • The Ukrainian army was targeted by a charity-themed malware campaign delivering the PluggyApe backdoor.
  • The attacks are attributed with medium confidence to the Russian threat group tracked as 'Void Blizzard' and also known as 'Laundry Bear'.
  • The group is known for espionage against NATO member states in line with Russian interests, stealing files and emails.
  • Lures arrived over Signal or WhatsApp and pointed recipients to a fake charity website offering a password-protected archive; instead of documents it held a .docx.pif executable carrying PluggyApe.
  • PluggyApe is a backdoor that profiles the host, sends the results and a unique victim identifier to the attackers, and persists via a Windows Registry modification.
  • The latest version, PluggyApe 2 (in use since December 2025), adds stronger obfuscation, MQTT-based communication, and more anti-analysis checks.
  • C2 addresses are fetched in base64-encoded form from dead-drop pages on rentry.co and pastebin.com rather than being hardcoded.
  • CERT-UA warns that mobile devices are prime targets for these attacks because they are generally poorly protected and monitored.
  • The attackers show detailed knowledge of the individual, the organization, and its operations, pointing to prior reconnaissance of the target.



Ukraine's army was recently targeted in a charity-themed malware campaign that delivered a backdoor called PluggyApe, according to Ukraine's Defense Forces and CERT-UA. The activity is attributed with medium confidence to the Russian threat group tracked as 'Void Blizzard' and also known as 'Laundry Bear'.

The group is known for espionage against NATO member states aligned with Russian interests, stealing files and emails. In this case the attacks began with instant messages over Signal or WhatsApp telling recipients to visit a website allegedly operated by a charitable foundation and download a password-protected archive said to contain documents of interest. The password protection also keeps the archive contents out of reach of messenger-side and gateway scanning.

Instead of documents, the archive held an executable PIF file with a deceptive double extension (.docx.pif) carrying the PluggyApe payload. Windows runs a .pif file as an executable, and Explorer hides the .pif suffix even when extension display is turned on, so the file appears as a plain .docx document. PluggyApe is a backdoor that profiles the host, sends the collected information, including a unique victim identifier, to the attackers, and then waits for code-execution commands. It achieves persistence through a Windows Registry modification.

In earlier attacks, the loader used a ".pdf.exe" double extension. Starting in December 2025 the operators switched to PIF and to PluggyApe version 2, which features stronger obfuscation, MQTT-based command-and-control communication, and additional anti-analysis checks.

CERT-UA also reports that PluggyApe fetches its command-and-control (C2) addresses from external dead-drop sources such as rentry.co and pastebin.com, where they are published in base64-encoded form, rather than relying on hardcoded entries. This lets the operators rotate infrastructure without redeploying the implant, so blocking a single C2 address from an IoC list offers little lasting protection; the dead-drop URLs themselves are the more durable indicators.
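As an added example (not CERT-UA's or the malware's code), the following Python shows two defender-side checks derived from the chain described above: flagging archive entries whose names carry a deceptive double extension such as .docx.pif or .pdf.exe, and decoding a base64-encoded dead-drop page to recover the C2 endpoints it hides. The extension lists, sample filenames, hostnames and the dead-drop page body are constructed for the example; the only facts it relies on from the page are that the loader arrives as a document-named executable and that the C2 list is published base64-encoded on a paste site.

```python
"""Defender-side triage for the PluggyApe delivery and C2-lookup tricks.

Constructed example: the extension lists, sample filenames and the dead-drop
page body below are invented; they are not CERT-UA data or malware code.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Extensions Windows executes on double-click, whatever precedes them. Explorer
# also hides .pif/.lnk/.url even when "show extensions" is on, so
# "report.docx.pif" displays as "report.docx".
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi"}
# Extensions a victim expects to see on a "document of interest".
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf",
                 "odt", "txt", "jpg", "png"}


def deceptive_double_extension(filename):
    """Return the executable extension hidden behind a document-like one,
    e.g. 'report.docx.pif' -> 'pif'; None when the name is not deceptive."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:          # need basename + document ext + executable ext
        return None
    doc_ext, exe_ext = parts[-2], parts[-1]
    if doc_ext in DOCUMENT_EXTS and exe_ext in EXECUTABLE_EXTS:
        return exe_ext
    return None


def triage_archive_listing(names):
    """Map each suspicious archive entry to the executable type it really is."""
    flagged = {}
    for name in names:
        ext = deceptive_double_extension(name)
        if ext:
            flagged[name] = ext
    return flagged


# Constructed stand-in for a fetched rentry.co/pastebin.com page: the implant
# expects a base64 blob whose plaintext lists one C2 endpoint per line.
SAMPLE_DEAD_DROP = (
    "<pre>"
    + base64.b64encode(b"mqtt://broker.example.test:1883\n"
                       b"https://relay.example.test/api\n").decode()
    + "</pre>\n"
)

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
C2_SCHEMES = {"http", "https", "mqtt", "mqtts"}


def extract_c2_from_dead_drop(page_text):
    """Decode every base64 token on a dead-drop page and return the C2 URLs
    it contains. Tokens that are not valid base64, not UTF-8, or not URLs
    are ignored, so stray page markup never poisons the result."""
    endpoints = []
    for token in B64_TOKEN.findall(page_text):
        try:
            plain = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        for line in plain.splitlines():
            line = line.strip()
            url = urlsplit(line)
            if url.scheme in C2_SCHEMES and url.hostname:
                endpoints.append(line)
    return endpoints


if __name__ == "__main__":
    # Constructed archive listing: one Ukrainian-named lure, one old-style lure,
    # one genuine document and one honest executable.
    listing = ["Звіт_фонду.docx.pif", "invoice.pdf.exe", "report.docx", "setup.exe"]
    print(triage_archive_listing(listing))
    print(extract_c2_from_dead_drop(SAMPLE_DEAD_DROP))
```

Run against an archive listing (for example the output of `7z l` on the downloaded file) the first function flags the lure before anyone opens it; the second, run against the saved body of a dead-drop page from the IoC list, yields the live C2 endpoints to block or hunt for, which change more often than the paste URL itself.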

CERT-UA warns that mobile devices have become prime targets for attacks of this kind, as they are generally poorly protected and monitored. Combined with careful preparation, such as sending the lures from compromised accounts or from phone numbers of Ukrainian telecommunication operators, the approaches can be very convincing.

The attackers may also demonstrate detailed and relevant knowledge of the individual, the organization, and the specifics of its operations, which points to reconnaissance of the target before the lure is sent.

A complete list of indicators of compromise (IoCs), including the deceptive websites posing as charity portals, is provided at the bottom of CERT-UA's report.

The campaign fits the pattern of Russian operations aimed at Ukrainian military personnel, and the move from ".pdf.exe" to ".docx.pif" and from version 1 to version 2 of PluggyApe shows tooling that is being maintained between waves. MQTT-based C2 and base64-encoded dead-drop resolvers are not exotic, but they sidestep defenses tuned for conventional HTTP beacons and static C2 lists.

Practical mitigations follow from the infection chain: treat unsolicited password-protected archives delivered over messaging apps as hostile, block or alert on execution of .pif, .exe and similar files whose names carry a document-like double extension, and monitor for outbound MQTT (typically TCP 1883 or 8883) from endpoints that have no business speaking it. Security awareness for personnel in defense and other critical sectors remains essential, since the weak point in this chain is the recipient's decision to open the archive, not a software flaw.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Charity-Themed-Malware-Campaign-Targets-Ukrainian-Army-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign/

  • https://arstechnica.com/security/2024/10/kremlin-backed-hackers-have-new-windows-and-android-to-foist-on-ukrainian-foes/

  • https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3511738/government-agencies-report-new-russian-malware-targets-ukrainian-military/


  • Published: Tue Jan 13 17:14:44 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.