Between October and December 2025, officials within Ukraine's Defense Forces were targeted in a cyberespionage campaign delivering a backdoor known as PluggyApe. Attributed with medium confidence to the Russian-aligned threat group Void Blizzard (also known as Laundry Bear), the attacks leveraged social engineering lures centered around charitable foundations. Victims were contacted via Signal or WhatsApp and encouraged to download malicious archives allegedly containing documents of interest.
The technical execution of the campaign involved PyInstaller-bundled loaders, with the delivered files transitioning from executables carrying PDF-looking extensions to PIF files for increased effectiveness. The updated PluggyApe version 2 features enhanced obfuscation, MQTT-based communication for command-and-control, and sophisticated anti-analysis checks. To maintain operational flexibility, the malware fetches base64-encoded C2 addresses from external platforms like Pastebin and Rentry rather than relying on hardcoded entries.
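Two of the behaviours described above are cheap to hunt for on the defensive side: lure archives whose members are executables dressed up as documents (including the PIF extension, which Windows runs like an .exe), and dead-drop resolution, where a process fetches a paste-site page and decodes base64 into a C2 endpoint. The following is an added example written for this summary, not code from the original report or from the threat actor; the archive member names, the process names, the paste URLs and the broker hostname are all constructed placeholders, and the paste-host list and the MQTT port used in the sample are assumptions, not indicators from the page.

```python
"""Detection helpers for the PluggyApe-style tradecraft described above.
Added example (not from the original report); all sample data is constructed."""
import base64
import binascii
import re
from urllib.parse import urlparse

# Extensions Windows executes even when the name is made to look like a document.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Assumed list of dead-drop hosts, based on the platforms named in the text.
PASTE_HOSTS = {"pastebin.com", "rentry.co"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def flag_archive_members(names):
    """Return (member_name, reason) for archive entries that look like disguised executables."""
    findings = []
    for name in names:
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        if len(parts) < 2:
            continue
        ext = "." + parts[-1]
        inner = "." + parts[-2] if len(parts) >= 3 else None
        if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
            findings.append((name, f"document-looking name with executable extension {ext}"))
        elif ext == ".pif":
            findings.append((name, ".pif is executed by Windows like an .exe"))
    return findings


def resolve_dead_drop(content):
    """Decode a base64 paste body; return (scheme, host, port) if it is a C2-style endpoint, else None."""
    try:
        decoded = base64.b64decode(content.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    m = re.fullmatch(r"(?:(mqtts?|tcp|https?)://)?([A-Za-z0-9.-]+):(\d{1,5})", decoded.strip())
    if not m:
        return None
    scheme, host, port = m.groups()
    return (scheme or "tcp", host, int(port))


def triage_fetches(events):
    """Alert on non-browser processes fetching a paste host whose body decodes to an endpoint.
    Each event is a dict with 'process', 'url' and 'body' (the fetched response body)."""
    alerts = []
    for ev in events:
        host = urlparse(ev["url"]).hostname or ""
        if host not in PASTE_HOSTS or ev["process"].lower() in BROWSERS:
            continue
        endpoint = resolve_dead_drop(ev["body"])
        if endpoint:
            alerts.append((ev["process"], ev["url"], endpoint))
    return alerts


# Constructed sample data: a lure archive listing and two proxy/EDR-style fetch events.
SAMPLE_ARCHIVE = ["Foundation_Report.pdf.pif", "grant_list.pdf", "setup.pif", "README.txt"]
SAMPLE_EVENTS = [
    {   # constructed: a .pif loader pulling a base64 MQTT broker address from a paste
        "process": "Foundation_Report.pdf.pif",
        "url": "https://pastebin.com/raw/PLACEHOLDER",
        "body": base64.b64encode(b"mqtt://broker.example.invalid:8883").decode(),
    },
    {   # constructed: a browser reading an ordinary paste; should not alert
        "process": "chrome.exe",
        "url": "https://rentry.co/PLACEHOLDER/raw",
        "body": "bm90IGEgaG9zdA==",   # "not a host"
    },
]

if __name__ == "__main__":
    for item in flag_archive_members(SAMPLE_ARCHIVE):
        print("archive:", item)
    for alert in triage_fetches(SAMPLE_EVENTS):
        print("dead-drop:", alert)
```

The archive check keys on file names only, so it runs before anything is extracted; the dead-drop check needs the fetched body, which is available in proxy or EDR telemetry that records responses. Both are meant as triage signals to pair with other context, not as stand-alone blocking rules.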