Ukraine's military targeted in a new charity-themed malware campaign

Between October and December 2025, a charity-themed campaign targeted officials of Ukraine's Defense Forces, deploying backdoor malware known as PluggyApe.
According to a report by Ukraine's CERT, these attacks were probably initiated by the Russian threat group referred to as 'Void Blizzard' and 'Laundry Bear,' although the attribution is made with medium confidence.
Laundry Bear is the same group that breached the Dutch police's internal systems in 2024, stealing sensitive officer information.
This group is recognized for targeting NATO member states in attacks that align with Russian interests, aiming to steal files and emails.
CERT-UA observed that the attacks begin with instant messages sent via Signal or WhatsApp, instructing recipients to visit a website purportedly run by a charitable foundation and download a password-protected archive supposedly containing documents of interest.

Instead of documents, the archives contain executable PIF files (named with a double extension such as .docx.pif) and PluggyApe payloads, which are occasionally sent directly via the messaging app.

The malicious PIF file is an executable built with PyInstaller, an open-source tool that packages a Python application together with all of its dependencies into a single bundle.
In previous PluggyApe attacks, the attackers used the ".pdf.exe" double extension for the loader. Beginning in December 2025, however, they switched to PIF files and to PluggyApe version 2, which adds improved obfuscation, MQTT-based command-and-control communication, and additional anti-analysis measures.
The Ukrainian agency also notes that PluggyApe retrieves its command-and-control (C2) addresses from external sources like rentry.co and pastebin.com, where they are shared in base64-encoded form, instead of relying on less-flexible hardcoded entries.
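As an added defender-side example (not from the report or the article), the following heuristic scans the file list of an extracted archive for the two traits described above: a document extension that hides an executable one (.docx.pif, .pdf.exe) and the PyInstaller one-file bundle marker. The sample archive entries are constructed, and the extension lists are an assumption, not a CERT-UA indicator list.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions Windows will execute even though the name suggests a document
# (assumed set; extend to taste).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta"}
# "Decoy" extensions an attacker places in front of the real one.
DOCUMENT_EXTS = {"docx", "doc", "pdf", "xlsx", "xls", "pptx", "txt", "jpg", "png"}

# PyInstaller one-file bundles embed this cookie magic in the appended archive.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"


@dataclass
class Finding:
    name: str
    reason: str


def deceptive_double_extension(name: str) -> Optional[str]:
    """Return a reason string if the name is like lure.docx.pif, else None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:           # "report.pif" is a single extension, not a disguise
        return None
    _, inner, outer = parts
    if outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        return f"document extension .{inner} hides executable .{outer}"
    return None


def looks_like_pyinstaller(data: bytes) -> bool:
    """Heuristic: the PyInstaller cookie magic appears in the file body."""
    return PYINSTALLER_MAGIC in data


def scan_archive_listing(entries: Dict[str, bytes]) -> List[Finding]:
    """Flag each archive member that shows either suspicious trait."""
    findings: List[Finding] = []
    for name, data in entries.items():
        reason = deceptive_double_extension(name)
        if reason:
            findings.append(Finding(name, reason))
        if looks_like_pyinstaller(data):
            findings.append(Finding(name, "PyInstaller bundle"))
    return findings


# Constructed sample: one PIF lure built with PyInstaller, one older-style
# .pdf.exe loader, and one harmless Office document (OOXML zip header).
SAMPLE_ENTRIES: Dict[str, bytes] = {
    "Foundation_Report.docx.pif": b"MZ" + b"\x00" * 16 + PYINSTALLER_MAGIC + b"\x00" * 8,
    "Thanks_Letter.pdf.exe": b"MZ" + b"\x00" * 32,
    "Volunteer_List.docx": b"PK\x03\x04" + b"\x00" * 32,
}

if __name__ == "__main__":
    for f in scan_archive_listing(SAMPLE_ENTRIES):
        print(f"{f.name}: {f.reason}")
```

In a mail or messaging gateway the same checks would run on the members of any password-protected archive that a sandbox has opened, and a hit would justify quarantining the message before it reaches a mobile user.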

CERT-UA cautions that mobile devices have become key targets in such attacks, as they are typically poorly secured and monitored.
When combined with thorough attack planning, such as utilizing compromised accounts or phone numbers from Ukrainian telecom operators, the attacks can appear highly convincing.
"The initial interaction with a cyberattack target is increasingly conducted using legitimate accounts, phone numbers of Ukrainian mobile operators, and the Ukrainian language, including audio and video communication," explains CERT-UA.
"The attacker might display detailed and relevant knowledge about the individual, the organization, and the specifics of its operations."
A comprehensive list of indicators of compromise (IoCs), including fraudulent websites masquerading as charity portals, is available at the end of CERT-UA's report.