PLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces
Jan 14, 2026Ravie LakshmananCyber Espionage / Threat Intelligence The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025.
The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least April 2024.
Attack chains distributing the malware leverage instant messaging Signal and WhatsApp as vectors, with the threat actors masquerading as charity organizations to convince targets into clicking on a seemingly-harmless link (“harthulp-ua[.]com” or “solidarity-help[.]org”) impersonating the foundation and download a password-protected archive.
The archives contain an executable created with PyInstaller that ultimately led to the deployment of PLUGGYAPE. CERT-UA said successive iterations of the backdoor have added obfuscation and anti-analysis checks to prevent the artifacts from being executed in a virtual environment.
Written in Python, PLUGGYAPE establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT), allowing the operators to execute arbitrary code on compromised hosts. Support for communication using the MQTT protocol was added in December 2025.
In addition, the command-and-control (C2) addresses are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored in base64-encoded form, as opposed to directly hard-coding the domain in the malware itself. This gives attackers the ability to maintain operational security and resilience, allowing them to update the C2 servers in real-time in scenarios where the original infrastructure is detected and taken down.
“Initial interaction with the target of a cyber attack is increasingly carried out using legitimate accounts and phone numbers of Ukrainian mobile operators, with the use of the Ukrainian language, audio and video communication, and the attacker may demonstrate detailed and relevant knowledge about the individual, organization, and its operations,” CERT-UA said.
“Widely used messengers available on mobile devices and personal computers are de facto becoming the most common channel for delivering software tools for cyber threats.”
In recent months, the cybersecurity agency has also revealed that a threat cluster tracked as UAC-0239 sent phishing emails from UKR[.]net and Gmail addresses containing links to a VHD file (or directly as an attachment) that paves the way for a Go-based stealer named FILEMESS that collects files matching certain extensions and exfiltrates them to Telegram.
Also dropped is an open-source C2 framework called OrcaC2 that enables system manipulation, file transfer, keylogging, and remote command execution. The activity is said to have targeted Ukrainian defense forces and local governments.
Educational institutions and state authorities in Ukraine have also been at the receiving end of another spear-phishing campaign orchestrated by UAC-0241 that leverages ZIP archives containing a Windows shortcut (LNK) file, opening which triggers the execution of an HTML Application (HTA) using “mshta.exe.”
The HTA payload, in turn, launches JavaScript designed to download and execute a PowerShell script, which then delivers an open-source tool called LaZagne to recover stored passwords and a Go backdoor codenamed GAMYBEAR that can receive and execute incoming commands from a server and transmit the results back in Base64-encoded form over HTTP.
