Overview
- CERT-UA disclosed that between October and December 2025, Ukrainian defense personnel were lured over Signal and WhatsApp to download password-protected archives from fake charity sites or receive payloads directly in chat.
- The archives delivered PyInstaller-built executables that installed the Python-based PluggyApe backdoor, with early waves using ".pdf.exe" loaders and later waves switching to deceptive ".docx.pif" files.
- PluggyApe profiles infected hosts, generates a unique victim identifier, awaits remote code execution commands, and persists by modifying Windows Registry Run keys.
- From December 2025, operators deployed PluggyApe v2 with stronger obfuscation, added anti-analysis checks, enabled MQTT communications alongside WebSocket, and fetched C2 details from rentry.co or Pastebin in base64 to allow rapid rotation.
- CERT-UA reports medium-confidence attribution to the Russian-linked Void Blizzard/Laundry Bear group, has published IoCs and fake-site indicators, and warns that the attackers operate from legitimate accounts and use Ukrainian-language audio or video, with mobile devices described as the prime targets.
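As an added defender-side example (not code from CERT-UA or the advisory), the following Python flags Windows Run-key autostart entries whose program carries a decoy double extension like the ".pdf.exe" and ".docx.pif" loaders above, and decodes a base64 paste body of the kind the v2 backdoor fetches to list its WebSocket/MQTT endpoints; the registry values, paste contents and `.invalid` hostnames are constructed, and the assumption that the paste decodes to plain URLs is mine, not something the advisory states.

```python
import base64
import binascii
import re
import shlex

# Decoy double extensions used by the loaders described above (.pdf.exe, .docx.pif),
# generalized to common document-lookalike prefixes and Windows executable suffixes.
DECOY_DOUBLE_EXT = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt)\.(?:exe|pif|scr|com|bat|cmd)$", re.IGNORECASE
)
# Transport schemes the v2 backdoor is reported to use (WebSocket and MQTT).
C2_URL = re.compile(r"(?:wss?|mqtts?)://[^\s\"'<>]+", re.IGNORECASE)


def executable_from_command(command: str) -> str:
    """Return the program path from a Run-key command line ('"C:\\x\\a.exe" --f' -> 'C:\\x\\a.exe')."""
    tokens = shlex.split(command, posix=False)  # posix=False keeps Windows backslashes literal
    return tokens[0].strip('"') if tokens else ""


def flag_run_key_entries(entries: dict) -> list:
    """Return the value names of ...\\CurrentVersion\\Run entries whose program has a decoy double extension."""
    return [name for name, cmd in entries.items()
            if DECOY_DOUBLE_EXT.search(executable_from_command(cmd))]


def extract_c2_endpoints(blob: str) -> list:
    """Decode a base64 paste body and pull WebSocket/MQTT URLs out of it; [] if it is not valid base64."""
    try:
        text = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return []
    return C2_URL.findall(text)


# Constructed sample Run-key values (not real IoCs): two decoy loaders and one legitimate entry.
SAMPLE_RUN_KEY = {
    "OneDriveSync": r'"C:\Users\user\AppData\Roaming\zvit.docx.pif"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Charity": r"C:\Users\user\Downloads\donation.pdf.exe --quiet",
}
# Constructed paste body: base64 of two endpoints on reserved .invalid hostnames.
SAMPLE_PASTE = base64.b64encode(
    b"wss://c2.example.invalid:8443/ws\nmqtt://broker.example.invalid:1883\n"
).decode()

if __name__ == "__main__":
    print("decoy autoruns:", flag_run_key_entries(SAMPLE_RUN_KEY))  # ['OneDriveSync', 'Charity']
    print("C2 endpoints:", extract_c2_endpoints(SAMPLE_PASTE))
```

Feed it the output of a Run-key enumeration (for example, the name/value pairs from `reg query`) and the body of a suspected config paste to triage a host without executing anything from it.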