
Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a series of new cyberattacks targeting its defense forces and state institutions. These attacks, which took place between October and December 2025, involve various intrusion techniques and several malware families, including one known as PLUGGYAPE.
PLUGGYAPE attacks attributed to Void Blizzard
Among the most notable attacks are those distributing the PLUGGYAPE malware, attributed with “medium confidence” to the Russian hacking group Void Blizzard (also known as Laundry Bear or UAC-0190), active since at least April 2024.
Attack Chain and Vectors
- Initial vectors: Attackers use instant messaging applications such as Signal and WhatsApp to contact their targets.
- Social engineering: They disguise themselves as charities to trick victims into clicking on seemingly harmless links.
- Fake websites: Links direct to domains that impersonate aid foundations, such as “harthulp-ua[.]com” or “solidarity-help[.]org”.
- Malware download: Upon clicking, victims download a password-protected compressed file containing an executable created with PyInstaller, which deploys PLUGGYAPE.
PLUGGYAPE Malware
PLUGGYAPE is a backdoor written in Python. The CERT-UA has observed that its successive iterations incorporate obfuscation and anti-analysis checks to prevent its execution in virtual environments.
- C2 Communication: Establishes communication with a remote server using WebSocket or Message Queuing Telemetry Transport (MQTT). Support for MQTT was added in December 2025.
- Resiliency: Command and control (C2) addresses are not hard-coded in the malware; they are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored base64-encoded. This lets the attackers update C2 servers in real time if the original infrastructure is detected or taken down, improving their operational security and resilience.
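The two PLUGGYAPE traits above (C2 addresses fetched base64-encoded from paste services, then WebSocket or MQTT used as transport) give a defender a pairing to look for in proxy telemetry. The following is an added detection example written for this article; it is not code from CERT-UA or from the malware. It assumes a simplified, constructed proxy-log format (timestamp, source host, destination host, destination port, event), where the proxy records an HTTP `Upgrade: websocket` as `WS-UPGRADE`; the sample lines and the sample paste body are constructed, and the `.invalid` / documentation-range addresses are placeholders.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paste services the CERT-UA report names as C2-address drop points.
PASTE_HOSTS = {"rentry.co", "pastebin.com"}
# Ports and URL schemes matching the two C2 transports the report names.
MQTT_PORTS = {1883, 8883}
C2_SCHEMES = ("ws://", "wss://", "mqtt://", "mqtts://")

# Constructed proxy-log lines (assumed format, not from the report):
# <ISO timestamp> <src_host> <dst_host> <dst_port> <event>
SAMPLE_LOG = """\
2025-12-01T09:00:01 ws-17 rentry.co 443 GET
2025-12-01T09:00:03 ws-17 203.0.113.10 1883 CONNECT
2025-12-01T09:05:00 ws-22 pastebin.com 443 GET
2025-12-01T09:05:04 ws-22 198.51.100.7 443 WS-UPGRADE
2025-12-01T09:10:00 ws-31 pastebin.com 443 GET
2025-12-01T10:30:00 ws-31 198.51.100.7 443 WS-UPGRADE
2025-12-01T11:00:00 ws-40 example.org 443 GET
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port, event) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, dst, port, ev = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), ev))
    return events


def find_paste_then_c2(text, window=timedelta(minutes=10)):
    """Return {src_host: [dst:port, ...]} for hosts that fetched a paste service
    and, within `window`, opened an MQTT-port or WebSocket-upgrade connection.
    The time window keeps an unrelated paste lookup hours earlier from matching."""
    events = sorted(parse_log(text))
    last_paste = {}          # src_host -> time of its most recent paste fetch
    hits = defaultdict(list)
    for ts, src, dst, port, ev in events:
        if dst in PASTE_HOSTS and ev == "GET":
            last_paste[src] = ts
            continue
        is_c2_transport = port in MQTT_PORTS or ev == "WS-UPGRADE"
        if is_c2_transport and src in last_paste and ts - last_paste[src] <= window:
            hits[src].append(f"{dst}:{port}")
    return dict(hits)


def extract_c2_from_paste(blob):
    """Decode a base64 paste body and return any C2-transport URLs it contains.
    Returns [] when the blob is not valid base64 or holds no such URL, so an
    analyst can run it over every retrieved paste without special-casing."""
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:       # binascii.Error is a ValueError subclass
        return []
    return [tok for tok in decoded.split() if tok.startswith(C2_SCHEMES)]


# Constructed paste body: what an attacker-controlled paste might hold, encoded.
SAMPLE_PASTE = base64.b64encode(
    b"wss://c2.example.invalid:443/ws mqtt://203.0.113.10:1883"
).decode()

if __name__ == "__main__":
    print(find_paste_then_c2(SAMPLE_LOG))
    print(extract_c2_from_paste(SAMPLE_PASTE))
```

Hosts ws-17 and ws-22 are flagged (paste fetch followed within minutes by an MQTT connection and a WebSocket upgrade respectively); ws-31 is not, because its WebSocket upgrade comes eighty minutes after the paste lookup. The window and the paste-host set are the knobs to tune against your own baseline; a shorter window lowers noise, a wider one catches a slower loader.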
Sophistication of Attacks
CERT-UA highlights a growing sophistication in the initial contact with the targets:
- Use of legitimate accounts and phone numbers of Ukrainian mobile operators.
- Communication in Ukrainian language, including audio and video.
- Attackers demonstrate detailed and relevant knowledge about the individual, the organization and its operations.
- Widely used messengers are becoming the most common channel for the delivery of cyber threat tools.
Other Threat Clusters
In addition to Void Blizzard, CERT-UA has revealed activities of other threat groups:
UAC-0239
- Vectors: Phishing emails sent from UKR[.]net and Gmail addresses, containing links to or directly attaching a VHD file.
- Malware:
  - FILEMESS: A Go-based stealer that collects files with specific extensions and exfiltrates them to Telegram.
  - OrcaC2: An open source C2 framework that allows system manipulation, file transfer, keylogging and remote command execution.
- Targets: Ukrainian defense forces and local governments.
UAC-0241
- Vectors: spear-phishing campaigns that use ZIP files containing a Windows Shortcut (LNK) file.
- Execution: Opening the LNK file triggers the execution of an HTML application (HTA) using “mshta.exe”. The HTA payload launches JavaScript to download and execute a PowerShell script.
- Malware:
  - LaZagne: An open source tool used to recover stored passwords.
  - GAMYBEAR: A Go-based backdoor that can receive and execute incoming commands from a server, transmitting the results back in Base64 format over HTTP.
- Targets: Educational institutions and state authorities in Ukraine.
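The UAC-0241 execution chain described above (LNK opened from Explorer, `mshta.exe` running an HTA, the HTA's JavaScript starting PowerShell) is visible in process-creation telemetry as a parent-child sequence. The following is an added example written for this article, not CERT-UA's or any vendor's rule: it reconstructs process ancestry from Sysmon-style (Event ID 1) records and flags any `powershell.exe` that descends from `mshta.exe`, noting whether the HTA came from a user-writable path. The event records, file names and the `ProcEvent` field layout are constructed assumptions.

```python
import re
from collections import namedtuple

# Minimal process-creation record (assumed field subset of Sysmon Event ID 1).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Paths a user can write to without elevation; an HTA run from here is
# far more suspicious than one run by an admin tool from Program Files.
USER_PATH_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

# Constructed events, not real telemetry. Event 300 is the chain the report
# describes; event 400 is a user opening PowerShell directly (benign).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe",      r"mshta.exe C:\Users\u\AppData\Local\Temp\brief.hta"),
    ProcEvent(300, 200, "powershell.exe", r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\stage.ps1"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe"),
    ProcEvent(500, 100, "winword.exe",    "winword.exe report.docx"),
]


def build_tree(events):
    """Index events by pid so ancestry can be walked in O(depth)."""
    return {e.pid: e for e in events}


def ancestry(tree, pid, max_depth=16):
    """Return the event chain from the root-most known ancestor down to pid.
    A seen-set and depth cap guard against pid reuse producing a cycle."""
    chain, seen = [], set()
    while pid in tree and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    chain.reverse()
    return chain


def find_mshta_to_powershell(events):
    """Flag every powershell.exe with mshta.exe somewhere in its ancestry.
    Each hit carries the image chain and whether the HTA sat in a user path."""
    tree = build_tree(events)
    hits = []
    for e in events:
        if e.image.lower() != "powershell.exe":
            continue
        chain = ancestry(tree, e.pid)
        images = [p.image.lower() for p in chain]
        if "mshta.exe" not in images[:-1]:
            continue
        mshta_ev = next(p for p in chain if p.image.lower() == "mshta.exe")
        hits.append({
            "pid": e.pid,
            "chain": images,
            "hta_in_user_path": bool(USER_PATH_RE.search(mshta_ev.cmdline)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_mshta_to_powershell(SAMPLE_EVENTS):
        print(hit)
```

Only pid 300 is reported, with the chain `explorer.exe -> mshta.exe -> powershell.exe` and the HTA located under `AppData`; the directly launched PowerShell (pid 400) is left alone. Matching on ancestry rather than on the immediate parent matters because the HTA's JavaScript may insert an intermediate process (`cmd.exe`, `wscript.exe`) before PowerShell, which a parent-only rule would miss.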
Conclusion
The CERT-UA revelations underscore the persistence and evolution of cyberattacks against Ukraine, characterized by the sophistication of social engineering, the use of legitimate infrastructure, and the adaptation of various malware tools. Attribution to Russian hacking groups and the diversity of payloads (from custom backdoors like PLUGGYAPE to stealers and open source C2 frameworks) demonstrate a complex and dynamic threat landscape that requires constant vigilance and robust response capabilities from Ukraine’s defense forces and critical institutions. Detailed information on the TTPs (Tactics, Techniques and Procedures) of these actors is crucial to strengthening defenses and threat intelligence.
References
- Malicious domains: harthulp-ua[.]com, solidarity-help[.]org
- Paste services for C2: rentry[.]co, pastebin[.]com