The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a series of cyberattacks targeting defense forces with a Python-based malware dubbed PLUGGYAPE. Attributed to the Russian threat group Void Blizzard (UAC-0190), the campaign uses the instant messaging platforms Signal and WhatsApp to deliver phishing links. These links impersonate charity foundations and lead to the download of password-protected archives containing PyInstaller-based executables.
PLUGGYAPE itself is a backdoor capable of executing arbitrary code over the WebSocket or MQTT protocols. To maintain operational security, the malware retrieves its command-and-control (C2) addresses from external paste services such as Pastebin and Rentry rather than relying on hard-coded domains. CERT-UA also warned of concurrent campaigns by other threat clusters, UAC-0239 and UAC-0241, which use a variety of tools including the FILEMESS stealer and the GAMYBEAR backdoor for espionage and data exfiltration.
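The dead-drop pattern described above (fetch a paste-service page, then open a WebSocket or MQTT channel to the address it contained) is something a defender can correlate in egress telemetry. The following is an added detection example written for this page; it is not CERT-UA's or the analysts' own code. The log format, the `host`/`pid`/`proc`/`dst`/`dport`/`proto` field names, the protocol labels, the paste-service domains and every sample event are constructed assumptions for illustration.

```python
"""Correlate a paste-service fetch with a follow-on WebSocket/MQTT channel.

Added example, not CERT-UA tooling. Log format, field names, indicator
domains and sample events are constructed for illustration.
"""
from datetime import datetime, timedelta

# Assumed indicator set: public paste services used as dead-drop resolvers.
PASTE_SERVICES = {"pastebin.com", "rentry.co"}
# Protocol labels an inline proxy or IDS might assign (assumption).
C2_PROTOCOLS = {"ws", "wss", "mqtt", "mqtts"}

# Constructed sample egress log (not real telemetry).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z host=WS01 pid=4312 proc=Charity_Report.exe dst=pastebin.com dport=443 proto=https
2024-01-01T10:00:07Z host=WS01 pid=4312 proc=Charity_Report.exe dst=203.0.113.45 dport=8883 proto=mqtts
2024-01-01T10:00:15Z host=WS02 pid=800 proc=chrome.exe dst=pastebin.com dport=443 proto=https
2024-01-01T10:05:00Z host=WS03 pid=2200 proc=slack.exe dst=198.51.100.7 dport=443 proto=wss
2024-01-01T10:12:00Z host=WS01 pid=4312 proc=Charity_Report.exe dst=rentry.co dport=443 proto=https
2024-01-01T10:12:03Z host=WS01 pid=4312 proc=Charity_Report.exe dst=198.51.100.99 dport=443 proto=wss
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_dead_drop_c2(lines, window=timedelta(minutes=5)):
    """Alert when one process fetches a paste service and then, within
    `window`, opens a WebSocket or MQTT connection to a different destination.

    A paste fetch with no follow-on channel (ordinary browsing) and a
    WebSocket/MQTT session with no preceding paste fetch (chat clients,
    IoT agents) both stay silent; only the sequence by the same process fires.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    last_paste = {}  # (host, pid, proc) -> (fetch time, paste domain)
    alerts = []
    for event in events:
        key = (event["host"], event["pid"], event["proc"])
        if event["dst"] in PASTE_SERVICES:
            last_paste[key] = (event["ts"], event["dst"])
            continue
        if event["proto"] in C2_PROTOCOLS and key in last_paste:
            fetched_at, paste = last_paste[key]
            if event["ts"] - fetched_at <= window:
                alerts.append({
                    "ts": event["ts"].isoformat(),
                    "host": event["host"],
                    "pid": event["pid"],
                    "proc": event["proc"],
                    "paste": paste,
                    "dst": event["dst"],
                    "dport": event["dport"],
                    "proto": event["proto"],
                })
                # One alert per resolution; a new fetch re-arms the rule.
                del last_paste[key]
    return alerts


if __name__ == "__main__":
    for alert in detect_dead_drop_c2(SAMPLE_LOG.splitlines()):
        print("dead-drop C2 candidate:", alert)
```

Run against the constructed log, the rule flags only the two `Charity_Report.exe` sequences on WS01 and ignores the browser's paste visit and the chat client's WebSocket. The window is the main tuning knob: tighten it and slow resolutions drop out, loosen it and unrelated paste visits start pairing with legitimate WebSocket traffic, so in production the destination of the second connection (direct-to-IP, newly seen host) is worth folding into the score as well.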