Threat Actors Target Ukraine Defense with Charity Malware Campaign
Under the guise of charity operations, threat actors have deployed a sophisticated malware campaign targeting members of Ukraine’s Defense Forces.
Operating between October and December 2025, the attackers distributed PLUGGYAPE, a Python-based backdoor designed to compromise military personnel.
The campaign demonstrates how cybercriminals increasingly leverage social engineering combined with legitimate-sounding charitable narratives to penetrate highly secured defense networks.
The initial infection chain relies on convincing targets to visit fake charity foundation websites through messages sent via instant messengers.
Once victims land on these fraudulent pages, they are prompted to download what appear to be legitimate documents.
However, these files are actually executable programs, often disguised with double extensions such as .docx.pif or .pdf.exe and placed within password-protected archives to bypass detection systems.
This approach proves effective because the visual presentation mimics authentic documents that military personnel would routinely handle.
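The double-extension trick described above (a document extension followed by an executable one, such as .docx.pif or .pdf.exe, inside a password-protected archive) is easy to screen for at a mail or download gateway. The following is an added example, not code from CERT-UA or from the reporting above: it classifies archive member names and flags anything whose real, final extension is executable. The extension lists are assumptions; the page names only .pif and .exe, and the other entries are well-known Windows executable types that an operator may want to tune.

```python
# Added example: screening file names for the double-extension lure.
# Extensions Windows treats as directly executable. The page names .pif and .exe;
# the rest are well-known executable types (assumption: tune for your estate).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Document-looking extensions an attacker places in front of the real one.
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".xls", ".pptx", ".txt", ".jpg", ".png"}


def classify_filename(name: str) -> dict:
    """Return a verdict for one file name.

    'executable' is True when the final extension is executable at all;
    'double_extension' is True when a document-looking extension immediately
    precedes it (report.docx.pif), which is the lure pattern described in the text.
    """
    # Strip any directory part (Windows or POSIX separators), compare case-insensitively.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = base.split(".")
    suffixes = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    final = suffixes[-1] if suffixes else ""
    inner = suffixes[-2] if len(suffixes) >= 2 else ""
    return {
        "name": name,
        "executable": final in EXECUTABLE_EXTS,
        "double_extension": final in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS,
    }


def screen_archive_listing(entries, password_protected: bool) -> dict:
    """Screen the member names of an archive as a gateway would.

    Member names are visible even when the archive is encrypted, so this check
    still works when content scanning cannot (the reason the page gives for the
    password protection). Returns the names that should block delivery and a
    flag recording that the contents themselves were not inspectable.
    """
    blocked = [e for e in entries if classify_filename(e)["executable"]]
    return {"blocked": blocked, "unscannable": password_protected}


if __name__ == "__main__":
    # Constructed sample listing; the names are invented.
    listing = ["Звіт_фонду.docx.pif", "list.pdf.exe", "readme.pdf"]
    print(screen_archive_listing(listing, password_protected=True))
```

Explorer hides the extension of known file types by default, so a user sees "Звіт_фонду.docx" for a file actually named "Звіт_фонду.docx.pif"; screening on the full name at the gateway, before the user ever sees it, avoids depending on that setting.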
CERT-UA analysts identified the malware after careful investigation of the campaign’s technical characteristics.
Researchers attribute the activity, with medium confidence, to the threat group tracked as UAC-0190 and known by the alias Void Blizzard.
The attackers demonstrate sophisticated understanding of their targets, using legitimate Ukrainian mobile operator accounts and phone numbers while communicating in Ukrainian through popular messaging applications.
Infection Mechanism and Command Infrastructure
The malware operates through a well-engineered persistence mechanism that ensures long-term access to compromised systems.
When executed, PLUGGYAPE generates a unique device identifier by collecting basic computer information including MAC address, BIOS serial number, disk ID, and processor ID.
This data is hashed with SHA-256, and only the first sixteen bytes of the digest are used as the device fingerprint. The backdoor then creates an entry in the Windows Run registry key, guaranteeing automatic execution whenever the infected system restarts.
This persistence technique represents a fundamental aspect of the malware’s design, as targets may be offline for extended periods and manual reactivation would prove impractical.
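Because the persistence is a plain Run-key entry launching a Python backdoor, the registry is the natural place to hunt. The following is an added example, not code from CERT-UA or from the malware analysis: it parses the text that `reg query` prints for a Run key and flags values that launch a script interpreter or point into a user-writable directory. The sample output is constructed (the value names and paths are invented), the page does not say whether the HKCU or HKLM Run key is used, and the list of user-writable locations is an assumption.

```python
import re

# Added example: triage of Windows Run-key values for Python-based persistence.
# Constructed sample of what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints. The third value mirrors the page's description (a Python backdoor registered
# under Run); its name and path are invented.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WinUpdateSvc    REG_SZ    "C:\Users\alice\AppData\Roaming\svc\pythonw.exe" "C:\Users\alice\AppData\Roaming\svc\main.pyw"
"""

# One value line: name, type, data. reg.exe separates the columns with runs of spaces.
VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# A Python interpreter or script in the launch command.
INTERPRETERS = re.compile(r"\b(python|pythonw|pyw?)\.exe\b|\.pyw?\b", re.IGNORECASE)
# Locations an unprivileged user can write to (assumption: short, common list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)


def parse_run_values(text: str):
    """Yield (name, type, data) for each value line in reg query output."""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            yield m.group("name"), m.group("type"), m.group("data")


def triage_run_values(text: str) -> dict:
    """Return {value_name: [reasons]} for entries an analyst should look at.

    A hit is a lead, not a verdict: legitimate software also autostarts from
    AppData, so the reasons are reported separately for a human to weigh.
    """
    findings = {}
    for name, _typ, data in parse_run_values(text):
        reasons = []
        if INTERPRETERS.search(data):
            reasons.append("script-interpreter")   # the backdoor is Python, not a compiled binary
        if USER_WRITABLE.search(data):
            reasons.append("user-writable-path")   # planted without administrative rights
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_REG_QUERY).items():
        print(f"{name}: {', '.join(reasons)}")
```

An entry carrying both reasons (an interpreter launched from a user-writable path) deserves a look at the script it points to; an entry with only the path reason is usually ordinary software and can be allow-listed once confirmed.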
Communication with command servers occurs through web sockets or MQTT protocols, with all data transmitted in JSON format.
Early variants connected directly to hardcoded IP addresses embedded in the malware code, but operators later evolved their infrastructure to hide addresses on public paste services like Pastebin and Rentry, encoded in Base64 format.
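When the command-server address is not in the binary but parked, Base64-encoded, on a paste service, an analyst who has the paste text (or the malware's cached copy of it) needs to recover the address from it. The following is an added example, not code from CERT-UA or from the malware: it decodes every Base64-looking token in a paste and pulls out IPv4 address and port candidates from both the plain text and the decoded blobs. The sample paste is constructed, the addresses are from the documentation range 203.0.113.0/24, and the JSON layout is invented; the page says only that the address is Base64-encoded and that the channel is WebSocket or MQTT carrying JSON.

```python
import base64
import binascii
import re

# Added example: recovering a dead-drop C2 address from a paste.
# IPv4 with optional port, sufficient for triage (assumption: IPv4 only).
IPV4_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")
# Candidate Base64 tokens: long runs of the Base64 alphabet with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(text: str):
    """Yield (token, decoded_text) for each Base64 token that decodes to valid UTF-8."""
    for token in B64_TOKEN_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
            yield token, raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue   # random-looking text that merely resembles Base64


def extract_c2_candidates(paste_text: str):
    """Return sorted (ip, port) pairs found in the paste or inside its Base64 blobs."""
    found = set()
    sources = [paste_text] + [decoded for _, decoded in decode_candidates(paste_text)]
    for blob in sources:
        for ip, port in IPV4_PORT_RE.findall(blob):
            if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
                found.add((ip, int(port) if port else None))
    return sorted(found, key=lambda t: (t[0], t[1] or 0))


# Constructed sample paste: a line of filler followed by a Base64-encoded JSON
# configuration. 8080 and 8883 are conventional WebSocket and MQTT-over-TLS ports
# chosen for the illustration, not values reported for this campaign.
_config = '{"ws": "ws://203.0.113.10:8080/sock", "mqtt": "203.0.113.20:8883"}'
SAMPLE_PASTE = "hello world\n" + base64.b64encode(_config.encode()).decode() + "\n"

if __name__ == "__main__":
    for ip, port in extract_c2_candidates(SAMPLE_PASTE):
        print(f"{ip}:{port}")
```

The recovered pairs are what to search for in proxy and firewall logs; a host that fetches a paste URL and then opens a WebSocket or MQTT session to an address decoded from it is the traffic pattern the text describes.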
By December 2025, an improved version designated PLUGGYAPE.V2 emerged, incorporating enhanced obfuscation layers and additional checks designed to detect virtual machine environments.
This upgrade demonstrates the attackers’ commitment to maintaining operational effectiveness against increasingly sophisticated defensive measures employed by Ukrainian cyber units.