CERT-UA reports PLUGGYAPE cyberattacks on defense forces

CERT-UA reported PLUGGYAPE malware attacks on Ukraine’s defense forces, linked with medium confidence to Russia’s Void Blizzard group.

The Computer Emergency Response Team of Ukraine (CERT-UA) reported new cyberattacks against Ukraine’s defense forces using PLUGGYAPE malware. Government experts attributed the attack with medium confidence to the Russian-linked group Void Blizzard (aka Laundry Bear, UAC-0190), active since 2024.

The attack chain starts with social engineering. Attackers contact targets through instant messaging apps and convince them to visit a fake website posing as a charitable foundation. The site encourages victims to download supposed “documents,” which are actually malicious executable files.

These files often arrive inside password-protected archives or are sent directly in the chat, and carry misleading double extensions such as “.docx.pif” so that they look like documents; Windows treats a .pif file as an executable regardless of what precedes the final extension.

When opened, the file runs a Python program that was bundled into a standalone executable with PyInstaller. CERT-UA classifies that program as the PLUGGYAPE backdoor, which gives the attackers remote access to the infected system.

“The PIF file in question, in at least five campaigns, is an executable created using PyInstaller. The underlying software code is developed using the Python programming language and is classified as a PLUGGYAPE backdoor.” reads the CERT-UA’s report. “Note that in October 2025, attackers used a file with the extension “.pdf.exe”, which launched a loader whose purpose was to download a Python interpreter and (from the Pastebin resource) a Python file of an early version of PLUGGYAPE.”

Later versions are more advanced. From December 2025 the attackers deployed an obfuscated PLUGGYAPE.V2 variant that uses the MQTT protocol for command-and-control communication and adds anti-analysis checks such as virtual-machine detection. In some cases the C2 server details are not embedded in the sample but retrieved at runtime from public paste sites such as Pastebin or rentry.co, where they are stored in encoded form to evade detection.

PLUGGYAPE is a Python-based tool that connects to a command-and-control server over WebSockets or MQTT and exchanges JSON-formatted messages. It collects system identifiers and SHA-256-hashes them to derive a unique device ID, executes code received from the server, and maintains persistence by adding itself to the Windows Run registry key.
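The behaviours above give a defender several concrete things to hunt for: double-extension lures (“.docx.pif”, “.pdf.exe”), PyInstaller-built executables launched from user directories, Run-key values pointing at such files, and non-browser processes reaching paste sites or MQTT ports. The following Python script is an added example, not CERT-UA's code or anything from the samples; the event records, registry entries and byte blob it runs over are constructed for the demonstration, and the browser allowlist is an assumption. It relies only on facts not in the article: Windows executes .pif/.exe/.scr/.com files, MQTT brokers listen on 1883 and 8883 by default, and PyInstaller bundles carry a fixed “MEI” cookie.

```python
"""Hunting helpers for the PLUGGYAPE tradecraft described above.

Added example, not CERT-UA's code. SAMPLE_* data below is constructed; the
BROWSERS allowlist is an assumption made for the demo.
"""
import re

EXEC_EXT = {"pif", "exe", "scr", "com"}                  # executed by Windows
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"           # PyInstaller CArchive cookie
MQTT_PORTS = {1883, 8883}                                 # MQTT plain / TLS defaults
PASTE_HOSTS = {"pastebin.com", "rentry.co"}               # named in the CERT-UA report
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}    # assumed allowlist
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$")  # HKCU/HKLM Run, RunOnce


def basename(path):
    """Last path component, lower-cased; accepts both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def has_deceptive_double_extension(path):
    """True for lure names like 'documents.docx.pif' or 'report.pdf.exe'."""
    parts = basename(path).split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT


def looks_like_pyinstaller(data):
    """PyInstaller writes its cookie near the tail of every bundled executable."""
    return PYINSTALLER_MAGIC in data


def suspicious_run_values(entries):
    """entries: iterable of (key_path, value_name, command).
    Returns the value names whose command points at a double-extension lure."""
    return [name for key, name, cmd in entries
            if RUN_KEY_RE.search(key.lower()) and has_deceptive_double_extension(cmd)]


def flag_events(events):
    """Sysmon-style event dicts -> list of (event_index, reason)."""
    findings = []
    for i, ev in enumerate(events):
        exe = basename(ev.get("image", ""))
        if ev["type"] == "process_create" and has_deceptive_double_extension(exe):
            findings.append((i, "double-extension executable launched: " + exe))
        elif ev["type"] == "network_connect":
            if ev.get("dest_port") in MQTT_PORTS:
                findings.append((i, "MQTT port contacted by " + exe))
            if ev.get("dest_host", "").lower() in PASTE_HOSTS and exe not in BROWSERS:
                findings.append((i, "paste site contacted by non-browser " + exe))
    return findings


# --- constructed sample data (not real telemetry) -------------------------
LURE = r"C:\Users\alice\Downloads\documents.docx.pif"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

SAMPLE_EVENTS = [
    {"type": "process_create", "image": LURE},
    {"type": "network_connect", "image": LURE, "dest_host": "rentry.co", "dest_port": 443},
    {"type": "network_connect", "image": LURE, "dest_host": "203.0.113.10", "dest_port": 1883},
    {"type": "process_create", "image": FIREFOX},
    {"type": "network_connect", "image": FIREFOX, "dest_host": "pastebin.com", "dest_port": 443},
]

SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Update",
     r"C:\Users\alice\AppData\Roaming\documents.docx.pif"),
]

# Fake file tail: padding around the cookie, enough to exercise the check.
SAMPLE_PE_TAIL = b"\x00" * 16 + PYINSTALLER_MAGIC + b"\x00" * 24


if __name__ == "__main__":
    for idx, reason in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_ENTRIES))
    print("PyInstaller cookie present:", looks_like_pyinstaller(SAMPLE_PE_TAIL))
```

Each check is a hunting lead rather than a blocking rule: legitimate MQTT clients exist, and a browser allowlist will miss scripted `curl` fetches of a paste site, so the output is meant to be triaged together (a double-extension process that then contacts rentry.co and port 1883 is far stronger than any single hit).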

“CERT-UA emphasizes that the cyberthreat landscape is constantly evolving. In particular, increasingly, the initial interaction with the object of a cyberattack is carried out using legitimate accounts, phone numbers of Ukrainian mobile operators, while the Ukrainian language, audio and video communication are used, and the attacker can demonstrate detailed and relevant knowledge about the person, organization and features of its functioning.” concludes the report. “Widely used instant messengers available on mobile devices and personal computers are de facto becoming the most common delivery channel for software tools for implementing cyberthreats.”

In May, the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) linked a previously undetected Russia-linked group, tracked as Laundry Bear (aka Void Blizzard), to a 2024 police breach. In October 2024, the Dutch police had blamed a state actor for a September 2024 data breach that exposed officers’ contact details, the justice minister told lawmakers.

The police reported the security breach to the Data Protection Authority. Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)