PLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least
AI Analysis
Technical Summary
PLUGGYAPE is a sophisticated malware campaign disclosed by CERT-UA targeting Ukrainian defense forces between October and December 2025. The malware is attributed with medium confidence to the Russian hacking group Void Blizzard (aka Laundry Bear or UAC-0190), active since at least April 2024. Attackers distribute PLUGGYAPE via the instant messaging platforms Signal and WhatsApp, using social engineering that impersonates charity organizations through domains such as harthulp-ua[.]com and solidarity-help[.]org. Victims receive password-protected archives containing PyInstaller-packaged executables that deploy the malware. PLUGGYAPE is written in Python and communicates with remote command-and-control (C2) servers over WebSocket and MQTT, with MQTT support added in December 2025. Instead of hardcoding C2 addresses, the malware retrieves them dynamically from external paste services such as rentry[.]co and pastebin[.]com, where they are stored base64-encoded; this lets operators rotate infrastructure without rebuilding the implant and makes static blocklists less effective. The malware supports remote code execution, allowing operators to run arbitrary commands on infected hosts. It incorporates obfuscation and anti-analysis checks that detect virtual environments and evade sandboxing. The initial infection vector relies on legitimate Ukrainian mobile operator accounts and uses Ukrainian-language text, audio, and video to increase credibility. This campaign is part of a broader set of cyber espionage activities targeting Ukrainian defense, government, educational institutions, and local authorities, involving other malware families such as FILEMESS, OrcaC2, LaZagne, and GAMYBEAR. The use of widely adopted messaging platforms as delivery vectors highlights an evolving threat landscape in which mobile and desktop messengers have become common channels for malware distribution.
Potential Impact
For European organizations, the direct impact of PLUGGYAPE falls primarily on Ukrainian defense forces; however, the tactics and infrastructure used pose broader risks. European entities involved in defense cooperation, intelligence sharing, or humanitarian support to Ukraine could be targeted by similar campaigns or suffer collateral damage. The use of popular messaging platforms such as Signal and WhatsApp as infection vectors demonstrates a shift in attack surface that European organizations must account for, especially those with personnel communicating with Ukrainian contacts. The malware’s ability to execute arbitrary code remotely threatens the confidentiality, integrity, and availability of affected systems, potentially leading to espionage, data theft, or disruption of critical operations. The dynamic retrieval of C2 servers from public paste sites complicates detection and takedown efforts, increasing persistence and operational resilience. The campaign’s use of social engineering tailored to the Ukrainian language and context indicates high targeting precision, and the same approach could be adapted to European targets with geopolitical relevance. Overall, the threat underscores the need for vigilance against sophisticated, multi-vector cyber espionage campaigns in the European geopolitical context.
Mitigation Recommendations
1. Implement advanced monitoring and filtering on messaging platforms (Signal, WhatsApp) used within the organization, including blocking suspicious links and archives from unverified sources.
2. Conduct targeted user awareness training emphasizing the risks of social engineering via messaging apps, especially regarding unexpected password-protected archives and links impersonating charities or trusted organizations.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting PyInstaller-packaged executables and unusual WebSocket or MQTT communications.
4. Monitor network traffic for connections to known paste services (rentry.co, pastebin.com) and analyze base64-encoded data retrieval patterns indicative of dynamic C2 resolution.
5. Employ sandboxing environments with enhanced anti-evasion capabilities to analyze suspicious files, considering PLUGGYAPE’s anti-virtualization checks.
6. Segment critical defense and sensitive systems to limit lateral movement in case of compromise.
7. Collaborate with national CERTs and intelligence agencies to share indicators of compromise and threat intelligence related to Void Blizzard and associated campaigns.
8. Regularly update and patch messaging clients and underlying operating systems to reduce exploitation vectors.
9. Use multi-factor authentication and strict access controls on systems handling sensitive defense-related information.
10. Establish incident response plans tailored to espionage and advanced persistent threat scenarios involving messaging platform vectors.
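The dynamic C2 resolution described in the technical summary (base64-encoded WebSocket or MQTT endpoints fetched from rentry.co and pastebin.com) and mitigation item 4 above are a natural hunting target. The following detection script is an added example, not code from CERT-UA or the article: it scans constructed proxy log lines for fetches from the paste services named in the report and, where the fetched body is available, checks whether it base64-decodes to a WebSocket/MQTT URL or a host:port pair. The log format, the sample hostnames and the paste paths are all constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Paste services named in the CERT-UA report as PLUGGYAPE's C2 lookup points.
PASTE_HOSTS = ("rentry.co", "pastebin.com")
# Schemes the report says PLUGGYAPE uses for C2 (WebSocket, and MQTT since Dec 2025).
C2_URL_RE = re.compile(r"^(wss?|mqtts?)://[\w.-]+(:\d{1,5})?(/\S*)?$")
HOST_PORT_RE = re.compile(r"^[\w.-]+:\d{1,5}$")


def decodes_to_c2_hint(text):
    """Return the decoded string if `text` is strict base64 that yields a
    C2-looking WebSocket/MQTT URL or host:port pair, otherwise None."""
    try:
        raw = base64.b64decode(text.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if C2_URL_RE.match(raw) or HOST_PORT_RE.match(raw):
        return raw
    return None


def scan_proxy_log(lines, bodies):
    """lines: constructed proxy records 'timestamp src_ip METHOD url';
    bodies: url -> response body captured by the proxy (may be missing).
    Every paste-service fetch is reported; a body that decodes to a C2 hint
    raises the severity to high."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record, skip rather than crash the hunt
        ts, src, _method, url = parts[:4]
        host = urlparse(url).hostname or ""
        if host not in PASTE_HOSTS and not host.endswith(tuple("." + h for h in PASTE_HOSTS)):
            continue
        hint = decodes_to_c2_hint(bodies.get(url, ""))
        findings.append({"ts": ts, "src": src, "url": url, "c2_hint": hint,
                         "severity": "high" if hint else "medium"})
    return findings


# Constructed sample data: one paste fetch whose body hides a wss:// endpoint,
# one benign site, and one paste fetch whose body is ordinary text.
SAMPLE_LOG = [
    "2025-12-03T09:14:02Z 10.0.5.17 GET https://rentry.co/EXAMPLE-paste/raw",
    "2025-12-03T09:14:05Z 10.0.5.17 GET https://example.org/index.html",
    "2025-12-03T09:20:41Z 10.0.5.22 GET https://pastebin.com/raw/EXAMPLE2",
]
SAMPLE_BODIES = {
    "https://rentry.co/EXAMPLE-paste/raw": base64.b64encode(b"wss://c2.example.invalid:8443/ws").decode(),
    "https://pastebin.com/raw/EXAMPLE2": "just a normal text paste",
}


def run_sample():
    return scan_proxy_log(SAMPLE_LOG, SAMPLE_BODIES)
```

A medium-severity hit with no decodable body is still worth a look, since the proxy may not have captured the response or the paste may have been rotated after the fetch.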
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Technical Details
Article Source
https://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html (fetched 2026-01-14, 1102 words)
Threat ID: 6967bf72d0ff220b959531df
Added to database: 1/14/2026, 4:08:18 PM
Last enriched: 1/14/2026, 4:10:29 PM
Last updated: 2/6/2026, 7:51:19 PM