In late 2025, Ukrainian cybersecurity authorities uncovered a malware campaign aimed at members of Ukraine's defense forces. The attackers delivered the infection through Signal and WhatsApp rather than email. That choice matters: both apps encrypt messages end to end, which protects them from interception in transit but says nothing about whether an attachment a contact sends is safe, and users tend to treat what arrives there with less suspicion than they would an email attachment. The campaign ran from October to December 2025.

The operation was reported by CERT-UA, Ukraine's national computer emergency response team. According to its findings, the targets were individuals connected to military and defense units, and the objective was persistent, long-term access to their systems rather than immediate disruption. The targeting was deliberate and the operation carefully planned.

The lures were messages about charity work or humanitarian aid, written in a natural tone in the local language and fitted to the local context. Victims were asked to download what looked like harmless documents or archives. In reality, the archives carried the PLUGGYAPE backdoor.

When the victim ran the contents, the malware installed a backdoor on the Windows system that gave the attackers remote control without anything visible to the user. PLUGGYAPE is written in Python and was packaged to look like legitimate software. Once running, it connected to attacker-controlled servers for tasking.

Through that backdoor the operators could exfiltrate files, execute commands, and monitor activity on the compromised host. Two details of the tooling stand out for defenders. The archives were password-protected, so chat gateways and antivirus engines could not inspect their contents before the victim extracted them. And the malware did not embed its command-and-control addresses as fixed strings, so a blocklist built from one captured sample does not cover the infrastructure the next one resolves at runtime. Both choices extended the useful life of the tooling.
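One check a defender can run on an archive before anyone extracts it, added here as an example and not code from CERT-UA or from the campaign: the ZIP format encrypts file contents but not file names, and marks each encrypted entry with bit 0 of its general-purpose flag, so a password-protected archive can still be listed and judged. The script below builds a constructed sample archive in memory (the lure file name and bytes are hypothetical, not a real PLUGGYAPE artifact) and reports encrypted entries, executable entries, and document-lookalike double extensions such as `list.pdf.exe`.

```python
"""Triage a chat-delivered ZIP without extracting it.

Added example for this article, not CERT-UA's or the campaign's code.
The sample archive is constructed in memory; file names and contents are
hypothetical and carry no real malware.
"""
import io
import struct
import zipfile
import zlib

# File types that have no business inside a "document" archive sent over chat.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".py", ".pyw"}
# Extensions a lure borrows to look like a document: "list.pdf.exe".
DOC_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def build_stored_zip(entries, encrypted=False):
    """Build a minimal ZIP (method 0, stored) from {name: bytes}.

    With encrypted=True, bit 0 of the general-purpose flag is set on every
    entry, which is how ZIP marks password-protected content. The stored
    bytes are left as-is: this sample is only ever listed, never extracted.
    """
    flags = 0x0001 if encrypted else 0x0000
    body, central = bytearray(), bytearray()
    for name, data in entries.items():
        raw = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        # Local file header: sig, version, flags, method, time, date (1980-01-01),
        # crc, compressed size, uncompressed size, name length, extra length.
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(raw), 0) + raw + data
        # Central directory header for the same entry, pointing at its local header.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(data), len(data), len(raw), 0, 0, 0, 0, 0, offset) + raw
    # End of central directory record.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def triage_zip(data):
    """List a ZIP and return what can be judged without the password."""
    findings = {"encrypted_entries": [], "executable_entries": [],
                "double_extension_entries": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the flag marks an encrypted entry. ZIP encrypts the
            # content only, so the name is readable from the central directory.
            if info.flag_bits & 0x0001:
                findings["encrypted_entries"].append(info.filename)
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings["executable_entries"].append(info.filename)
                if len(parts) > 2 and "." + parts[-2] in DOC_LOOKALIKES:
                    findings["double_extension_entries"].append(info.filename)
    if findings["executable_entries"]:
        findings["verdict"] = "block"
    elif findings["encrypted_entries"]:
        # Nothing can scan the contents; the decision has to be made out of band.
        findings["verdict"] = "review"
    return findings


# Constructed lure: a document-looking executable plus a decoy text file,
# both inside a password-protected archive (hypothetical names and bytes).
SAMPLE_LURE = build_stored_zip({
    "Charity_list_2025.pdf.exe": b"MZ" + b"\x00" * 64,
    "readme.txt": b"see attached",
}, encrypted=True)

if __name__ == "__main__":
    for label, archive in [("lure", SAMPLE_LURE),
                           ("encrypted report", build_stored_zip({"report.docx": b"x"}, encrypted=True)),
                           ("plain report", build_stored_zip({"report.docx": b"x"}))]:
        print(label, triage_zip(archive))
```

The verdict logic is deliberately conservative: an executable name inside a chat-delivered archive is enough to block, and an encrypted archive with only document names still cannot be cleared by any scanner, so it goes to human review and out-of-band confirmation with the sender rather than being allowed through.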

Researchers attribute the campaign, with medium confidence, to the Russia-aligned group tracked by Microsoft as Void Blizzard and by Dutch intelligence as Laundry Bear. Medium confidence means the link is likely but not fully confirmed. The group has a record of targeting government and defense organizations, and its tradecraft points to an experienced and well-resourced actor.

Later PLUGGYAPE builds seen during the campaign were more capable than the first ones: they added anti-analysis measures and checks for virtual machines and sandboxes, so that a sample behaves differently, or not at all, when it suspects it is being analysed. The attackers were actively improving the tool while the campaign ran, which made the threat harder to track and stop.

Experts warn that the attack fits a broader trend: trusted messaging apps are replacing email as the delivery channel for malware, because the trust users place in the app transfers to whatever arrives through it. Verify any unexpected file or request through a second channel, such as a call to the sender on a known number, before opening it, and treat a password-protected archive that security tools cannot scan as a warning sign rather than a convenience.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news