The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025.
The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least April 2024.
Attack chains distributing the malware leverage instant messaging Signal and WhatsApp as vectors, with the threat actors masquerading as charity organizations to convince targets into clicking on a seemingly-harmless link (“harthulp-ua[.]com” or “solidarity-help[.]org”) impersonating the foundation and download a password-protected archive.
The archives contain an executable created with PyInstaller that ultimately led to the deployment of PLUGGYAPE. CERT-UA said successive iterations of the backdoor have added obfuscation and anti-analysis checks to prevent the artifacts from being executed in a virtual environment.
Written in Python, PLUGGYAPE establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT), allowing the operators to execute arbitrary code on compromised hosts. Support for communication using the MQTT protocol was added in December 2025.
In addition, the command-and-control (C2) addresses are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored in base64-encoded form, as opposed to directly hard-coding the domain in the malware itself. This gives attackers the ability to maintain operational security and resilience, allowing them to update the C2 servers in real-time in scenarios where the original infrastructure is detected and taken down.
“Initial interaction with the target of a cyber attack is increasingly carried out using legitimate accounts and phone numbers of Ukrainian mobile operators, with the use of the Ukrainian language, audio and video communication, and the attacker may demonstrate detailed and relevant knowledge about the individual, organization, and its operations,” CERT-UA said.
In recent months, the cybersecurity agency has also revealed that a threat cluster tracked as UAC-0239 sent phishing emails from UKR[.]net and Gmail addresses containing links to a VHD file (or directly as an attachment) that paves the way for a Go-based stealer named FILEMESS that collects files matching certain extensions and exfiltrates them to Telegram.
Also dropped is an open-source C2 framework called OrcaC2 that enables system manipulation, file transfer, keylogging, and remote command execution. The activity is said to have targeted Ukrainian defense forces and local governments.
Educational institutions and state authorities in Ukraine have also been at the receiving end of another spear-phishing campaign orchestrated by UAC-0241 that leverages ZIP archives containing a Windows shortcut (LNK) file, opening which triggers the execution of an HTML Application (HTA) using “mshta.exe.”
The HTA payload, in turn, launches JavaScript code to fetch and execute the Quasar RAT.
CERT-UA has also warned of a new data wiper called SDeleteWiper that overwrites data on disk, while also cautioning about APT28’s (aka Fancy Bear) continued exploitation of a now-patched Microsoft Outlook security flaw (CVE-2023-23397) to compromise Exchange servers.
“According to available data, the identified malicious activity may be related to the activities of the Russian hacker group APT28 in Ukraine, as well as to the activities of other groups controlled by the intelligence services of the Russian Federation,” the agency said in an advisory.
The advisory arrives as Mandiant disclosed a new espionage campaign by UNC5310, a threat actor with suspected ties to China, that made use of a custom backdoor dubbed AIRDRY to target government entities in Southeast Asia as early as mid-2022.
“UNC5310 has constructed and deployed AIRDRY with deliberate attention to operating stealthily on compromised systems, leveraging anti-forensic tradecraft, and making use of cloud infrastructure for command and control,” the Google-owned firm said.
The disclosure also follows recent reports about North Korean hackers leveraging a novel backdoor called CROWDEDFLOUNDER in attacks targeting organizations in South Korea.
