Ukraine’s Military Under Attack: Cybercriminals Launch Charity-themed Malware Campaign

A recent report by Ukraine’s CERT (CERT-UA) reveals that officials of Ukraine’s Defense Forces were targeted by a charity-themed malware campaign between October and December 2025. The campaign distributed a backdoor known as PluggyApe.

The report attributes the attacks, with medium confidence, to the Russian threat group tracked as ‘Void Blizzard’ and ‘Laundry Bear’. Laundry Bear, the group that breached the Dutch police’s internal systems in 2024, has a history of targeting NATO member states, in line with Russian interests, to steal sensitive information.

The attackers sent instant messages via Signal or WhatsApp directing victims to a website purportedly operated by a charitable foundation, where they were encouraged to download a password-protected archive of supposedly interesting documents. In reality the archive contained malicious executable PIF files and PluggyApe payloads.

PluggyApe is a backdoor that profiles the host, sends the collected information to the attackers, and achieves persistence by modifying the Windows Registry. In December 2025 the threat actors shifted to PIF files and an updated version of PluggyApe with enhanced obfuscation and communication methods.

CERT-UA also noted that PluggyApe retrieves its command-and-control (C2) addresses from external sources such as reentry.co and pastebin.com, where they are published in base64-encoded form for flexibility.
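As an added example (not code from the CERT-UA report or from this article), the following Python snippet shows how a defender can triage a captured dead-drop page of the kind PluggyApe reads: it finds base64 runs, decodes them, and keeps only values shaped like a URL or host:port. The paste text is constructed for the example and the endpoints in it are placeholders, not real indicators.

```python
import base64
import re

# A base64 run long enough to hold an address, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Shapes a decoded C2 entry is expected to take: a URL, or host:port.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/\S*)?$")
HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")

# Constructed sample of a dead-drop paste (not a real one): two encoded
# endpoints hidden among filler text, plus a hex string that is valid
# base64 but decodes to binary and must be ignored.
SAMPLE_PASTE = "\n".join([
    "notes from the foundation",
    "aHR0cHM6Ly9jMi5leGFtcGxlLnRlc3QvYXBp",  # https://c2.example.test/api
    "deadbeefdeadbeefdeadbeefdeadbeef",
    "thanks for your support",
    "MTk4LjUxLjEwMC4yMzo4NDQz",  # 198.51.100.23:8443
])


def decode_candidates(text):
    """Return (token, decoded) pairs for base64 runs that decode to printable ASCII."""
    found = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # bad padding, non-base64 alphabet, or binary payload
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def extract_c2(text):
    """Return decoded values that look like C2 endpoints, in page order."""
    return [d for _, d in decode_candidates(text)
            if URL_RE.match(d) or HOSTPORT_RE.match(d)]


if __name__ == "__main__":
    for endpoint in extract_c2(SAMPLE_PASTE):
        print("candidate C2:", endpoint)
```

Run it against the saved body of a suspicious paste to get a list of decoded endpoints to compare against the IoCs in the CERT-UA report.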

Mobile devices are prime targets for such attacks because they are often inadequately protected, and the attackers increase their credibility by using compromised accounts and Ukrainian phone numbers. CERT-UA emphasized that the use of legitimate accounts, the Ukrainian language, and detailed knowledge of the target makes the attacks more effective.

The report includes a comprehensive list of indicators of compromise (IoCs), including deceptive websites posing as charity portals, to help defenders identify and mitigate the threat.