

Ethical Hacking News

PLUGGYAPE Malware: A Sophisticated Threat Leveraging Signal, WhatsApp, and Obfuscation Techniques to Target Ukrainian Defense Forces



  • The malware PLUGGYAPE was first detected between October and December 2025, attributed to a Russian hacking group.
  • The attack vector uses instant messaging platforms with links leading to password-protected archives containing the malware.
  • PLUGGYAPE is written in Python and establishes communication with a remote server using WebSocket or MQTT.
  • The malware utilizes external paste services to retrieve C2 addresses, maintaining flexibility and resilience.
  • PLUGGYAPE has been linked to spear-phishing campaigns against educational institutions and state authorities in Ukraine.
  • The same reporting describes a Go backdoor codenamed GAMYBEAR that receives commands from a server over HTTP and returns results Base64-encoded.



    PLUGGYAPE is a recently identified malware family used against the Ukrainian defense forces. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the activity was first detected between October and December 2025 and is attributed to a Russian group tracked as Void Blizzard (also known as Laundry Bear or UAC-0190).

    The delivery chain runs over instant messaging platforms such as Signal and WhatsApp: the operators pose as charity organizations and persuade targets to click on seemingly harmless links. The links lead to password-protected archives, which content-inspection gateways cannot open, containing an executable built with PyInstaller; running it deploys PLUGGYAPE.
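A PyInstaller-built executable carries a recognisable archive trailer, which makes the first triage question cheap to answer: is this binary a bundled Python program, and which interpreter built it? The following helper is an added example written for this page, not CERT-UA's or the referenced articles' code. It parses the PyInstaller "cookie" (the 88-byte trailer format used since PyInstaller 2.1) and is exercised on a constructed fixture, since no real sample hashes are given on the page.

```python
"""Triage helper: does a binary carry a PyInstaller bundle, and which Python built it?"""
import struct
from typing import Optional, Dict

# PyInstaller appends a CArchive to its bootloader. The archive ends with a fixed-size
# "cookie" that begins with this magic. Layout for PyInstaller >= 2.1 (88 bytes, big-endian):
#   magic[8] | pkg_len | toc_off | toc_len | pyver | pylib_name[64]
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIII64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88


def parse_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Return the cookie fields if `data` looks like a PyInstaller bundle, else None.

    Searches from the end: the cookie normally sits at the tail of the file, or just
    before data appended afterwards (for example an Authenticode overlay).
    """
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx == -1 or idx + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    # pkg_len spans from the archive start up to and including the cookie itself.
    archive_start = idx + COOKIE_LEN - pkg_len
    # Sanity checks: the package must fit inside the file and the TOC inside the package.
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None
    # The interpreter version is encoded as major*100+minor (newer builds) or major*10+minor (older).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "archive_offset": archive_start,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_library": pylib.rstrip(b"\0").decode("ascii", errors="replace"),
    }


def scan_file(path: str) -> Optional[Dict[str, object]]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return parse_pyinstaller_cookie(fh.read())


def build_sample_bundle(py_version: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """CONSTRUCTED fixture: a fake 'MZ' stub followed by a minimal PyInstaller tail.

    A real bootloader is tens of kilobytes; here 64 zero bytes stand in for it, and
    100 bytes of 'A' stand in for the packed entries plus their table of contents.
    """
    stub = b"MZ" + b"\0" * 64
    archive_body = b"A" * 100
    cookie = struct.pack(
        COOKIE_FMT,
        PYINSTALLER_MAGIC,
        len(archive_body) + COOKIE_LEN,  # pkg_len includes the cookie
        60, 40,                          # toc_off, toc_len within the archive body
        py_version,
        pylib.ljust(64, b"\0"),
    )
    return stub + archive_body + cookie


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample_bundle()))
    print(parse_pyinstaller_cookie(b"MZ" + b"\0" * 200))  # plain stub, no bundle
```

The archive offset returned here is what tools such as pyinstxtractor use to carve out the embedded `.pyc` files; with the Python version in hand an analyst knows which interpreter to decompile against. A hit on the magic alone is not malicious (plenty of legitimate software ships via PyInstaller), but a PyInstaller binary arriving inside a password-protected archive from a messenger contact is exactly the combination described above.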

    The payload is written in Python and communicates with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT), a channel through which operators can execute arbitrary code on the compromised host.

    Rather than hard-coding a C2 domain, PLUGGYAPE retrieves the current C2 address from external paste services such as rentry.co and pastebin.com. According to the report, this dead-drop mechanism was added in December 2025; it lets the operators rotate C2 servers in real time without redistributing the malware, which is why the paste-service URL, not the resolved C2 address, is the more durable indicator for defenders. The choice of messengers that run on both mobile devices and personal computers also means the lure often reaches the target on a device outside enterprise monitoring.
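Because the resolved C2 host changes while the paste-service fetch stays constant, a practical network detection is to correlate the two: a paste-service request from a host followed shortly by an outbound WebSocket or MQTT session to a destination that is not a known service. The code below is an added example for this page, not CERT-UA's detection logic; the telemetry events, the allowlisted hosts and the ten-minute window are all constructed assumptions.

```python
"""Correlate paste-service fetches with follow-on WebSocket/MQTT sessions per source host."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Dead-drop resolvers named in the CERT-UA reporting; extend from your own telemetry.
PASTE_SERVICES = {"rentry.co", "pastebin.com"}
MQTT_PORTS = {1883, 8883}
# Known-good WebSocket/MQTT destinations in this HYPOTHETICAL environment.
ALLOWLIST = {"teams.microsoft.com", "broker.corp.example"}
WINDOW = timedelta(minutes=10)

# CONSTRUCTED egress telemetry (proxy and firewall logs merged into one stream).
EVENTS = [
    {"ts": "2026-01-12T09:58:03Z", "src": "10.0.5.23", "dst_host": "rentry.co", "dst_port": 443, "proto": "https", "url": "https://rentry.co/x7k2q/raw"},
    {"ts": "2026-01-12T09:58:05Z", "src": "10.0.5.23", "dst_host": "198.51.100.17", "dst_port": 8883, "proto": "tls", "url": ""},
    {"ts": "2026-01-12T10:01:40Z", "src": "10.0.5.41", "dst_host": "pastebin.com", "dst_port": 443, "proto": "https", "url": "https://pastebin.com/raw/AbCdEf12"},
    {"ts": "2026-01-12T10:02:01Z", "src": "10.0.5.41", "dst_host": "teams.microsoft.com", "dst_port": 443, "proto": "websocket", "url": ""},
    {"ts": "2026-01-12T10:15:22Z", "src": "10.0.5.77", "dst_host": "pastebin.com", "dst_port": 443, "proto": "https", "url": "https://pastebin.com/raw/Zz9"},
    {"ts": "2026-01-12T10:16:09Z", "src": "10.0.5.77", "dst_host": "203.0.113.9", "dst_port": 443, "proto": "websocket", "url": ""},
    # Outside the window: not correlated here (a stand-alone MQTT-egress rule would catch it).
    {"ts": "2026-01-12T11:30:00Z", "src": "10.0.5.77", "dst_host": "198.51.100.17", "dst_port": 1883, "proto": "tcp", "url": ""},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_paste_fetch(ev: Dict[str, object]) -> bool:
    return ev["dst_host"] in PASTE_SERVICES


def is_c2_like(ev: Dict[str, object]) -> bool:
    """WebSocket or MQTT to something that is neither allowlisted nor the paste service itself."""
    if ev["dst_host"] in ALLOWLIST or ev["dst_host"] in PASTE_SERVICES:
        return False
    return ev["proto"] == "websocket" or ev["dst_port"] in MQTT_PORTS


def correlate(events: List[Dict[str, object]], window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """For each paste fetch, look forward `window` for a C2-like session from the same host."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        for i, fetch in enumerate(evs):
            if not is_paste_fetch(fetch):
                continue
            deadline = _ts(fetch["ts"]) + window
            for follow in evs[i + 1:]:
                if _ts(follow["ts"]) > deadline:
                    break
                if is_c2_like(follow):
                    alerts.append({
                        "src": src,
                        "resolver_url": fetch["url"],   # the durable indicator
                        "c2_host": follow["dst_host"],  # rotates; still worth blocking today
                        "c2_port": follow["dst_port"],
                        "proto": follow["proto"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed data this flags 10.0.5.23 (rentry.co, then MQTT over TLS to 198.51.100.17) and 10.0.5.77 (pastebin.com, then a WebSocket to 203.0.113.9), while 10.0.5.41's Teams WebSocket after a pastebin visit is suppressed by the allowlist. In a real deployment the `resolver_url` field is the one to pivot on: the same paste identifier will recur across victims even as the C2 behind it changes.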

    Beyond the defense forces, PLUGGYAPE has been linked to spear-phishing against educational institutions and state authorities in Ukraine, as well as to a separate campaign that distributes ZIP archives containing Windows shortcut (LNK) files which launch an HTML Application (HTA).

    The HTA runs JavaScript that downloads and executes a PowerShell script, which in turn delivers LaZagne, an open-source tool for recovering stored passwords. The same reporting also describes a Go backdoor codenamed GAMYBEAR that receives commands from a server, executes them, and returns the results Base64-encoded over HTTP.

    The practical mitigations follow from the chain described above: treat password-protected archives delivered over personal messengers as untrusted regardless of the sender's stated affiliation, alert on mshta.exe and on PowerShell download-and-execute chains, and watch egress to paste services followed by WebSocket or MQTT sessions to unfamiliar hosts. Because the C2 address is fetched at runtime, blocking a single domain provides little lasting protection; the resolver URLs and the behaviour are the indicators worth keeping.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/PLUGGYAPE-Malware-A-Sophisticated-Threat-Leveraging-Signal-WhatsApp-and-Obfuscation-Techniques-to-Target-Ukrainian-Defense-Forces-ehn.shtml

  • https://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html


  • Published: Wed Jan 14 01:16:16 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
