Threat Intelligence · January 15, 2026 · 4 min read

Russian Hackers Target Ukraine Military With Fake Charities

Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.

Alex Kowalski

Ukrainian authorities disclosed details this week of a Russian cyber espionage campaign that compromised defense personnel by impersonating charitable organizations through Signal and WhatsApp. The attackers distributed PLUGGYAPE, a Python-based backdoor designed for persistent access to military communications.

CERT-UA attributes the campaign to Void Blizzard with medium confidence—the same Russian threat group responsible for breaching Dutch police systems in 2024. The attacks occurred between October and December 2025, representing a shift toward highly personalized social engineering over traditional mass phishing.

Attack Methodology

Void Blizzard operators contacted Ukrainian military personnel through legitimate messaging apps using Ukrainian phone numbers. They posed as representatives of charitable foundations offering support to armed forces members.

The conversations were authentic enough to build trust. Attackers demonstrated knowledge of specific military units, their structures, and their activities. They made audio and video calls. They communicated fluently in Ukrainian. Only after establishing rapport did they direct targets to download files from fake charity websites.

Those files contained password-protected archives supposedly holding assistance documents. In reality, they delivered PLUGGYAPE loaders disguised with misleading file extensions.

This approach inverts the typical phishing model. Instead of sending thousands of emails and hoping a few recipients click, Void Blizzard invested time cultivating individual targets. The personalization increased success rates against personnel trained to recognize generic phishing attempts.

What is PLUGGYAPE?

PLUGGYAPE is a Python-based backdoor with capabilities designed for espionage operations:

Initial profiling: On execution, the malware collects system information and generates a unique victim identifier. This data gets sent to attackers, helping them prioritize high-value targets for further exploitation.

Remote code execution: The backdoor maintains persistent communication with command-and-control servers, waiting for instructions. Operators can execute arbitrary code on compromised systems, enabling data theft, lateral movement, or deployment of additional tools.

Dynamic C2 infrastructure: Rather than hardcoding server addresses, PLUGGYAPE retrieves C2 locations from paste services like rentry.co and pastebin.com. The addresses are stored in base64-encoded form. This design lets attackers rotate infrastructure without updating malware binaries—if defenders block one server, operators update the paste and infected machines automatically reconnect elsewhere.

Persistence: The malware modifies Windows Registry entries to survive reboots, ensuring long-term access even if the original infection vector is discovered.

Evolution of the Malware

CERT-UA observed PLUGGYAPE evolve during the campaign. Early versions used obvious ".pdf.exe" extensions for loaders—a technique that's easy to spot but still catches inattentive users. By December 2025, attackers switched to PIF files and deployed PLUGGYAPE version 2.

The updated variant adds MQTT protocol support for C2 communications. MQTT was designed for lightweight machine-to-machine messaging in IoT environments. In malware, it provides a resilient communication channel that's harder to block than standard HTTP traffic.

Version 2 also includes anti-analysis features: virtual machine detection, debugger checks, and improved code obfuscation. These additions suggest Void Blizzard encountered analysis efforts and adapted their tooling to evade detection.
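The three traits described above (C2 addresses pulled base64-encoded from paste services, loaders hidden behind ".pdf.exe" and PIF extensions, and an MQTT channel in version 2) each leave something a defender can hunt for. The following Python helpers are an added example written for this article, not CERT-UA's or any vendor's tooling: the proxy log layout, the user-agent string and the 203.0.113.10 address are constructed, and 1883/8883 are assumed to be the standard MQTT ports.

```python
import base64
import re

# Added hunting helpers for the PLUGGYAPE traits above (not CERT-UA or vendor code); all inputs are constructed.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "lnk"}
PASTE_HOSTS = {"rentry.co", "pastebin.com"}
MQTT_PORTS = {1883, 8883}  # default MQTT and MQTT-over-TLS ports
BROWSER_UA = re.compile(r"Mozilla/")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
C2_SHAPE = re.compile(r"^(?:[a-z]+://)?[\w-]+(?:\.[\w-]+)+(?::\d{1,5})?(?:/\S*)?$")  # dotted host, optional scheme/port/path

def is_lure_filename(name: str) -> bool:
    """True for 'document.pdf.exe' style double extensions or bare .pif loaders."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT:
        return True
    return parts[-1] == "pif"

def decode_paste_c2(paste_text: str) -> list[str]:
    """Decode base64 tokens in a paste body and keep those shaped like a host or URL."""
    found = []
    for tok in B64_TOKEN.findall(paste_text):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii").strip()
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or decodes to binary noise
        if C2_SHAPE.match(text):
            found.append(text)
    return found

def flag_proxy_events(lines: list[str]) -> list[tuple[str, str]]:
    """Lines use a constructed '<ts> <src_ip> <dst_host> <dst_port> <user_agent>' layout;
    flags paste-service fetches by non-browser clients and any MQTT-port connection."""
    hits = []
    for line in lines:
        _ts, src, host, port, ua = line.split(" ", 4)
        if host in PASTE_HOSTS and not BROWSER_UA.search(ua):
            hits.append((src, f"non-browser fetch of {host} ua={ua}"))
        if int(port) in MQTT_PORTS:
            hits.append((src, f"mqtt port {port} to {host}"))
    return hits

SAMPLE_PASTE = "donor list v3\n" + base64.b64encode(b"http://203.0.113.10:8080/gate").decode()  # constructed paste
SAMPLE_LOGS = [  # constructed proxy lines; 203.0.113.10 is a TEST-NET address
    "2025-12-01T10:00:00Z 10.0.0.5 rentry.co 443 python-requests/2.31",
    "2025-12-01T10:00:03Z 10.0.0.5 203.0.113.10 1883 -",
    "2025-12-01T10:01:00Z 10.0.0.7 pastebin.com 443 Mozilla/5.0",
]
```

A browser visit to pastebin.com is deliberately not flagged; the signal is a non-browser client fetching a paste shortly before an MQTT-port connection from the same host.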

Who is Void Blizzard?

Void Blizzard—also tracked as Laundry Bear and UAC-0190—is a relatively new state-sponsored group operating in support of Russian intelligence objectives. Microsoft published detailed analysis of the group in late 2025 after observing campaigns against government, defense, transportation, media, and healthcare targets across Europe and North America.

The group's infrastructure and tactics overlap with other Russian APTs, though it maintains distinct operational patterns. Their focus on defense and government entities aligns with strategic intelligence collection priorities.

The 2024 breach of Dutch police systems demonstrated Void Blizzard's capability against Western targets. That operation compromised sensitive information about officers, including personal details and operational data.

Broader Implications

This campaign reflects a tactical evolution in Russian cyber operations. The shift from spray-and-pray phishing to personalized engagement through trusted communication channels makes attacks harder to detect and prevent.

Email security tools can scan attachments and block malicious links. But when attackers reach targets through personal Signal accounts, those controls don't apply. The victim's own device becomes the attack vector.

For defenders, the lesson is uncomfortable: technical controls alone can't stop sophisticated social engineering. Security awareness training needs to address scenarios where attackers invest weeks building relationships before delivering malware.

Organizations supporting Ukrainian defense efforts—including international partners and NGOs—should treat unexpected contact through messaging apps with skepticism, even when the conversation seems legitimate. Verification through independent channels remains the best defense against impersonation attacks this sophisticated.
