Officials of Ukraine's Defense Forces were targeted in a charity-themed campaign between October and December 2025 that delivered backdoor malware called PluggyApe.
CERT-UA says in a report that the attacks were likely launched by the Russian threat group tracked as 'Void Blizzard' and 'Laundry Bear', though it assigns only medium confidence to that attribution.
Laundry Bear is the same threat group responsible for breaching the Dutch police's internal systems in 2024 and stealing sensitive information about officers.
The hackers are known for focusing on NATO member states in attacks aligned with Russian interests that steal files and emails.
The attacks observed by CERT-UA begin with instant messages over Signal or WhatsApp telling recipients to visit a website allegedly operated by a charitable foundation, and download a password-protected archive supposedly containing documents of interest.
Malicious message lures
Source: CERT-UA
Instead, the archives contain PIF executables disguised with a double extension (.docx.pif, so that the file name looks like a Word document) together with the PluggyApe payloads; in some cases the files are sent directly through the messaging app rather than via the website.
The malicious PIF file is a Windows executable built with PyInstaller, the open-source tool that bundles a Python application, its interpreter and its dependencies into a single package.
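Two cheap triage checks follow from the description above: a file name whose real (last) extension is executable while the one before it mimics a document, and a PE file that carries the 8-byte magic PyInstaller writes into the cookie at the end of the archive it appends to its bootloader. The script below is an added example, not code from the CERT-UA report or from the PluggyApe samples; the sample bytes and file names are constructed here for illustration, and the helper names (triage_member and friends) are this example's own.

```python
import re

# PyInstaller terminates the CArchive it appends to the bootloader EXE with a
# "cookie" that starts with this 8-byte magic (MEI\014\013\012\013\016).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Extensions Windows will execute even when the name is dressed up as a document.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Extensions attackers put in front of the real one to imitate documents.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt"}


def is_deceptive_double_extension(name: str) -> bool:
    """True for names like 'list.docx.pif': last extension is executable,
    the one before it pretends to be a document type."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return f".{outer}" in EXECUTABLE_EXTS and f".{inner}" in DOCUMENT_EXTS


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True if the bytes are a PE image (MZ header) with a PyInstaller
    archive appended. The magic is searched for rather than read at a fixed
    offset because a trailing Authenticode signature can follow the cookie."""
    return data[:2] == b"MZ" and PYINSTALLER_MAGIC in data


def triage_member(name: str, data: bytes) -> list:
    """Return the list of indicators that fire for one archive member."""
    findings = []
    if is_deceptive_double_extension(name):
        findings.append("double-extension executable")
    if is_pyinstaller_bundle(data):
        findings.append("pyinstaller bundle")
    return findings


# Constructed sample data (not real malware): a fake PE with a PyInstaller
# cookie in its overlay, and a harmless document-sized blob for contrast.
SAMPLE_PYINSTALLER_EXE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 128
    + b"pyi-windows-manifest-filter" + PYINSTALLER_MAGIC + b"\x00" * 16
)
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 64

# Constructed archive listing mimicking the lure described in the article.
SAMPLE_ARCHIVE = {
    "list_of_beneficiaries.docx.pif": SAMPLE_PYINSTALLER_EXE,
    "charity_report.docx": SAMPLE_DOCX,
}


def triage_archive(members: dict) -> dict:
    """Map each member name to its findings; members with none are omitted."""
    return {n: f for n, d in members.items() if (f := triage_member(n, d))}


if __name__ == "__main__":
    for name, findings in triage_archive(SAMPLE_ARCHIVE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run it over the members of an extracted archive (for a password-protected ZIP, pass the password to zipfile's `open(..., pwd=...)` and feed the decrypted bytes to `triage_member`). A positive on either check is a reason to detonate the file in a sandbox, not proof of PluggyApe: legitimate tools are also shipped as PyInstaller bundles, and the double-extension check only catches the naming pattern seen in this campaign.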
Fake charity website