Cybersecurity

Ukraine's Army Targeted In New Charity-themed Malware Campaign

2026-01-13 0 views admin
Ukraine's Army Targeted In New Charity-themed Malware Campaign

Officials of Ukraine's Defense Forces were targeted in a charity-themed campaign between October and December 2025 that delivered backdoor malware called PluggyApe.

Ukraine's CERT says in a report that the attacks were likely launched by the Russian threat group known as 'Void Blizzard' and 'Laundry Bear', although there is medium confidence in attribution.

Laundry Bear is the same threat group responsible for breaching the Dutch police's internal systems in 2024 and stealing sensitive information about officers.

The hackers are known for focusing on NATO member states in attacks aligned with Russian interests that steal files and emails.

The attacks observed by CERT-UA begin with instant messages over Signal or WhatsApp telling recipients to visit a website allegedly operated by a charitable foundation, and download a password-protected archive supposedly containing documents of interest.

Instead, the archives contain executable PIF files (.docx.pif) and the PluggyApe payloads, which are sometimes sent directly through the messaging app.

However, the malicious PIF file is an executable created using the PyInstaller open-source tool for bundling Python applications into a single package that contains all required dependencies.

PluggyApe is a backdoor that profiles the host, sends information to the attackers, including a unique victim identifier, and then waits for code execution commands. It achieves persistence via Windows Registry modification.

In earlier attacks with PluggyApe, the threat actors used the ".pdf.exe" extension for the loader. Starting in December 2025, they switched to PIF and PluggyApe version 2, which features better obfuscation, MQTT-based communication, and more anti-analysis checks.

The Ukrainian agency also reports that PluggyApe fetches its command-and-control (C2) addresses from external sources such as rentry.co and pastebin.com, where they are published in base64-encoded form, rather than using less-flexible hardcoded entries.

Source: BleepingComputer

🏷️ Tags

hackbreachmalwareattackthreat

More from Cybersecurity

Update: Ciso Succession Crisis Highlights How Turnover Amplifies Security...

Update: Ciso Succession Crisis Highlights How Turnover Amplifies Security...

2026-01-13 0
Update: New Voidlink Malware Framework Targets Linux Cloud Servers 2026

Update: New Voidlink Malware Framework Targets Linux Cloud Servers 2026

2026-01-13 0
Critical 'most Severe AI Vulnerability To Date' Hits Servicenow (2026)

Critical 'most Severe AI Vulnerability To Date' Hits Servicenow (2026)

2026-01-13 0
Maine Healthcare Breach Exposed Data Of Over 145,000 People Central

Maine Healthcare Breach Exposed Data Of Over 145,000 People Central

2026-01-13 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views