Threat actors have launched a sophisticated charity-themed malware campaign targeting Ukraine’s Defense Forces, exploiting the goodwill surrounding humanitarian aid to deploy malicious software. Operating between October and December 2025, the operators distributed PLUGGYAPE, a Python-based backdoor designed to compromise the computers of military personnel and gain access to sensitive information. This campaign highlights the evolving tactics of malicious actors who increasingly blend social engineering with legitimate-seeming charitable narratives to penetrate secure defense networks.
The initial infection vector relies on convincing targets to visit fraudulent charity foundation websites, often through direct messages on instant messaging platforms. Upon landing on these fake sites, victims are prompted to download what appear to be legitimate documents. However, these files are actually executable programs, frequently disguised with double extensions like .docx.pif or .pdf.exe to evade detection. To further bypass security measures, these malicious files are often packaged within password-protected archives, making them appear as innocuous document transfers.
Infection Mechanism and Command Infrastructure
CERT-UA analysts identified the malware, tracking the threat group as UAC-0190 and associating it, with medium confidence, with the cluster also known as Void Blizzard. Researchers noted the attackers’ advanced understanding of their targets, evidenced by their use of legitimate Ukrainian mobile operator accounts and phone numbers, and their communication in Ukrainian via popular messaging applications.
The PLUGGYAPE backdoor employs a robust persistence mechanism to ensure long-term access to compromised systems. Upon execution, the malware generates a unique device identifier by gathering system information such as the MAC address, BIOS serial number, disk ID, and processor ID. This data is then hashed with SHA-256, and the first sixteen bytes of the digest form the device fingerprint. Subsequently, the backdoor creates an entry under the Windows Run registry key, ensuring automatic execution whenever the infected system restarts. This persistence technique is critical to the operators, as military personnel may be offline for extended periods, making manual reactivation impractical.
Communication between the compromised systems and command servers is managed over WebSocket or MQTT, with all data transmitted in JSON format. Initial variants of PLUGGYAPE connected directly to hardcoded IP addresses embedded within the malware’s code. The operators later advanced their infrastructure by hosting the Base64-encoded addresses on public paste services such as Pastebin and Rentry, so that the C2 endpoints no longer appear in the binary itself. By December 2025, an enhanced version, designated PLUGGYAPE.V2, surfaced. This updated iteration incorporated more sophisticated obfuscation layers and additional checks to detect virtual machine environments, demonstrating the attackers’ ongoing efforts to maintain operational effectiveness against tightening cybersecurity measures.
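As an added defender-side example (not code from the CERT-UA report or from the malware itself), the following Python helpers flag the double-extension lure names described above and Base64-decode a paste body to surface any IPv4 endpoints hidden in it, so an analyst can triage archive contents and paste links quickly. The sample paste and the addresses in it are constructed for illustration.

```python
import base64
import binascii
import re

# Final extensions Windows will execute even when a "document" extension precedes them.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".odt"}


def is_disguised_document(filename: str) -> bool:
    """True when a document-looking name ends in an executable extension
    (e.g. report.docx.pif or list.pdf.exe), the lure pattern used here."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return f".{inner}" in DOCUMENT_EXTS and f".{outer}" in EXECUTABLE_EXTS


def flag_archive_members(names: list[str]) -> list[str]:
    """Return the members of an archive listing that look like disguised executables."""
    return [n for n in names if is_disguised_document(n)]


IPV4_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")


def extract_hidden_endpoints(paste_text: str) -> list[str]:
    """Base64-decode a paste body and return any IPv4[:port] strings found.
    Returns an empty list when the body is not valid Base64."""
    try:
        decoded = base64.b64decode(paste_text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return []
    text = decoded.decode("utf-8", errors="replace")
    return [m.group(0) for m in IPV4_PORT.finditer(text)]


# Constructed sample: a Base64-wrapped JSON blob of the kind an operator might
# leave on a paste service. The addresses are documentation ranges, not real C2.
SAMPLE_PASTE = base64.b64encode(
    b'{"ws": "192.0.2.10:8080", "mqtt": "198.51.100.7:1883"}'
).decode("ascii")

if __name__ == "__main__":
    print(flag_archive_members(["report.docx.pif", "list.pdf.exe", "list.pdf"]))
    print(extract_hidden_endpoints(SAMPLE_PASTE))
```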
The use of disguised executable files and fake charity websites to distribute malware, particularly against defense forces, underscores a concerning trend in cyber warfare and espionage. Such tactics leverage human trust and the need for information sharing, making them particularly effective in busy operational environments. The evolution of PLUGGYAPE, with its advanced persistence and evasion techniques, indicates a persistent and adaptive threat actor group focused on gaining sustained access to critical national defense infrastructure. The ongoing analysis by cybersecurity agencies such as CERT-UA is crucial to understanding and mitigating these evolving threats, as further development of the malware’s capabilities and targeting strategies should be expected.