PLUGGYAPE Malware Campaign: Signal and WhatsApp Used by Void Blizzard to Target Ukrainian Defense Forces
- Rescana

Executive Summary
The emergence of the PLUGGYAPE malware campaign marks a significant escalation in the use of instant messaging platforms as vectors for advanced cyber-espionage. Between October and December 2025, Ukrainian Defense Forces were specifically targeted by a sophisticated operation attributed to the Russian APT group Void Blizzard (also known as Laundry Bear or UAC-0190). Attackers exploited the trust and ubiquity of Signal and WhatsApp to deliver malicious payloads, leveraging social engineering tactics that mimicked legitimate charity organizations. The campaign’s technical sophistication, including dynamic command-and-control (C2) infrastructure and anti-analysis features, underscores the evolving threat landscape facing both military and civilian sectors in Ukraine. This report provides a comprehensive technical analysis of the PLUGGYAPE malware, its tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The campaign is attributed to Void Blizzard, a Russian state-aligned advanced persistent threat (APT) group with a history of targeting Ukrainian governmental, military, and critical infrastructure entities. Void Blizzard is known for its operational agility, rapid adoption of new delivery vectors, and the use of multi-stage malware frameworks. The group’s previous campaigns have included the deployment of custom stealers, backdoors, and the exploitation of both traditional email and emerging communication platforms. In this instance, Void Blizzard demonstrated a nuanced understanding of Ukrainian defense operations, employing native language, local phone numbers, and personalized lures to maximize the likelihood of successful compromise.
Technical Analysis of Malware/TTPs
The PLUGGYAPE malware is a Python-based remote access trojan (RAT) distributed as a PyInstaller-packed executable. The initial infection vector involves highly targeted social engineering via Signal and WhatsApp, where attackers impersonate charity organizations and send malicious URLs to defense personnel. These URLs, hosted on domains such as harthulp-ua[.]com and solidarity-help[.]org, lead to password-protected archives containing the malware payload. The password protection is a deliberate tactic to evade automated scanning and detection by email and endpoint security solutions, which cannot inspect the archive contents without the password.
Upon execution, PLUGGYAPE performs several anti-analysis and anti-virtualization checks to thwart forensic investigation. The malware’s C2 communication is notably advanced: rather than hardcoding C2 addresses, it retrieves them dynamically from external paste services like rentry[.]co and pastebin[.]com, with the addresses encoded in base64. This approach allows the threat actor to rapidly rotate infrastructure and maintain operational continuity even if specific C2 nodes are taken down.
The malware supports both WebSocket and, in its latest variants, MQTT protocols for C2 communication, enabling low-latency, bidirectional command execution. Core capabilities include arbitrary code execution, file exfiltration, and the ability to update or uninstall itself on demand. The modular design and dynamic C2 retrieval make PLUGGYAPE highly resilient and difficult to eradicate.
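The dynamic C2 lookup described above leaves two observable traces: a fetch from a paste service and a base64 string that decodes to a WebSocket or MQTT endpoint. The following detection logic is an added example written for this report, not code from the campaign or from CERT-UA; the proxy log lines, the paste body and the example.invalid endpoints are constructed, and the assumption that the paste body holds a bare base64-encoded URL is ours (the report does not specify the exact encoding layout).

```python
import base64
import re
from typing import List, Tuple

# Paste services the report names as the malware's dynamic C2 drop points.
PASTE_HOSTS = {"rentry.co", "pastebin.com"}
# WebSocket / MQTT endpoints, the two C2 transports described in the report.
C2_URL_RE = re.compile(r"^(wss?|mqtts?)://[\w.-]+(:\d+)?(/\S*)?$")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed proxy log in the form "<timestamp> <client_ip> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2025-11-03T08:12:44Z 10.0.5.21 GET https://rentry.co/abc123/raw",
    "2025-11-03T08:12:45Z 10.0.5.21 GET https://www.example.com/news",
    "2025-11-03T08:13:01Z 10.0.5.40 GET https://pastebin.com/raw/xyz789",
]
# Constructed paste body: one decoy note plus two base64-encoded endpoints.
SAMPLE_PASTE_BODY = " ".join([
    base64.b64encode(b"just a harmless note line").decode(),
    base64.b64encode(b"wss://c2.example.invalid:8443/ws").decode(),
    base64.b64encode(b"mqtt://broker.example.invalid:1883").decode(),
])


def paste_fetches(proxy_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, host) for every proxy line that fetches a paste service."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        m = re.match(r"https?://([^/:]+)", parts[3])
        if m and m.group(1).lower() in PASTE_HOSTS:
            hits.append((parts[1], m.group(1).lower()))
    return hits


def decode_c2_candidates(paste_body: str) -> List[str]:
    """Base64-decode each candidate token and keep only those that yield a
    WebSocket or MQTT URL; plain text and binary junk are discarded."""
    found = []
    for tok in B64_TOKEN_RE.findall(paste_body):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8").strip()
        except (ValueError, UnicodeDecodeError):
            continue
        if C2_URL_RE.match(text):
            found.append(text)
    return found
```

Paste services are also used legitimately, so a fetch alone is only a weak signal; correlating it with a subsequent WebSocket upgrade or MQTT connection from the same host to the decoded endpoint is what turns it into a confident detection.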
Exploitation in the Wild
The campaign has been observed primarily targeting Ukrainian Defense Forces, with secondary targeting of local government bodies and educational institutions. Attackers initiate contact using Ukrainian mobile numbers and conduct conversations in flawless Ukrainian, often engaging in audio or video calls to build trust. The delivery of password-protected archives via instant messaging platforms is a strategic choice, as it bypasses many traditional email security controls and leverages the perceived legitimacy of real-time communication.
Once the victim executes the payload, the malware establishes persistence and begins beaconing to its dynamically assigned C2 infrastructure. The attackers can then issue commands, exfiltrate sensitive documents, and pivot within the victim’s network. The use of instant messaging as a delivery vector represents a significant evolution in TTPs, reflecting the increasing security awareness around email-based phishing and the need for defenders to monitor a broader range of communication channels.
Victimology and Targeting
The primary victims of the PLUGGYAPE campaign are members of the Ukrainian Defense Forces, including both frontline personnel and administrative staff. Secondary victims include local government officials and employees of educational institutions, suggesting an intent to gather intelligence across multiple facets of Ukrainian civil and military infrastructure. The attackers’ use of personalized lures, local language, and real-time communication indicates a high degree of reconnaissance and targeting precision. There is no evidence to suggest that vulnerabilities in Signal or WhatsApp themselves were exploited; rather, these platforms served as trusted channels for social engineering and payload delivery.
Mitigation and Countermeasures
Organizations should implement a multi-layered defense strategy to mitigate the risk posed by PLUGGYAPE and similar campaigns. Key recommendations include blocking access to known malicious domains such as harthulp-ua[.]com and solidarity-help[.]org, and monitoring for outbound connections to paste services and suspicious WebSocket or MQTT traffic. Security teams should educate personnel about the risks of social engineering via instant messaging apps, emphasizing the importance of verifying the identity of unknown contacts and refraining from opening password-protected archives from untrusted sources.
Endpoint detection and response (EDR) solutions should be configured to hunt for PyInstaller-packed executables and monitor for the execution of Python-based binaries, especially those originating from user directories or temporary folders. Network security controls should be updated to detect and alert on anomalous traffic patterns associated with dynamic C2 infrastructure, including the retrieval of base64-encoded addresses from paste services. Regular threat intelligence updates and collaboration with national CERTs are essential to stay ahead of rapidly evolving TTPs.
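Hunting for PyInstaller-packed executables, as recommended above, does not need to rely on file extensions: every PyInstaller bundle carries a CArchive cookie (magic MEI\x0c\x0b\x0a\x0b\x0e followed by package length, TOC offset, TOC length, Python version and library name, struct layout !8sIIii64s) in its overlay. The script below is an added example for this report, not a Rescana or vendor tool; the SAMPLE_BUNDLE bytes are constructed to stand in for a packed binary.

```python
import os
import struct
from typing import Dict, List, Optional

# PyInstaller's CArchive cookie: 8-byte magic, package length, TOC offset,
# TOC length, Python version (e.g. 311) and the bundled Python library name.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes

# Constructed stand-in for a packed executable: PE-like header bytes, filler,
# then a cookie claiming a 4 KiB package built with Python 3.11.
SAMPLE_BUNDLE = (b"MZ" + b"\x00" * 120 +
                 struct.pack(COOKIE_FMT, PYI_MAGIC, 4096, 1024, 256, 311, b"python311.dll"))
SAMPLE_PLAIN = b"MZ" + b"\x00" * 200


def parse_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Return the cookie fields if `data` is a PyInstaller bundle, else None.
    The cookie lives in the overlay, so it is located by its magic bytes."""
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    return {
        "package_len": pkg_len,
        "toc_offset": toc_pos,
        "toc_len": toc_len,
        "python_version": pyvers,
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def hunt_pyinstaller(roots: List[str], max_bytes: int = 64 * 1024 * 1024) -> List[str]:
    """Walk the given directories (e.g. user profiles and temp folders) and
    return paths of files carrying a PyInstaller cookie, whatever their extension."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.getsize(path) > max_bytes:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                if parse_pyinstaller_cookie(data) is not None:
                    hits.append(path)
    return hits
```

Bundles built with PyInstaller versions older than 2.1 use a shorter cookie without the library name, so a magic hit with fewer than 88 trailing bytes still deserves manual triage even though this parser returns None for it.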
References
The technical details and threat intelligence in this report are based on open-source reporting from The Hacker News (https://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html), CERT-UA (https://cert.gov.ua/), BleepingComputer (https://www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign/), LinkedIn (https://www.linkedin.com/posts/thehackernews_ukraines-cert-reports-pluggyape-malware-activity-7417081006815383552-CEg3), and X/Twitter (https://x.com/TheHackersNews/status/2011315167267783104).
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify emerging threats and respond with agility. For further information or to discuss how Rescana can support your organization’s cyber defense strategy, we are happy to answer questions at ops@rescana.com.