Void Blizzard (Laundry Bear) Charity-Themed Lures Deliver PluggyApe Backdoor to Ukraine’s Defense Forces
Ukraine’s CERT (CERT-UA) reported a cyber-espionage campaign targeting representatives of Ukraine’s Defense Forces between October and December 2025, using social-engineering lures themed around charitable foundations. Victims were contacted via Signal and WhatsApp and directed to charity-impersonation websites or sent password-protected archives that purported to contain documents but instead delivered executable payloads (including *.docx.pif), sometimes sent directly through the messaging apps.
The activity was attributed with medium confidence to the Russia-aligned threat actor Void Blizzard (also tracked as Laundry Bear and UAC-0190). The campaign deployed a previously undocumented backdoor dubbed PluggyApe, built as a Python executable packaged with PyInstaller, which profiles infected hosts, establishes persistence via Windows Registry modification, and enables remote command execution. CERT-UA noted an evolution in late 2025 from earlier loader naming patterns (e.g., *.pdf.exe) to PIF-based delivery and an updated PluggyApe v2 featuring stronger obfuscation, MQTT-based command-and-control, and additional anti-analysis checks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CERT-UA discloses PluggyApe campaign and attributes it to Void Blizzard
In January 2026, CERT-UA publicly reported the campaign targeting Ukraine's Defense Forces and attributed it with medium confidence to the Russian-linked group Void Blizzard, also known as Laundry Bear or UAC-0190. The agency described the use of trusted messaging platforms, Ukrainian-language social engineering, and fake charity themes as part of a broader shift away from mass phishing.
PluggyApe campaign evolves with new PIF lures and v2 malware
By December 2025, the operators shifted to PIF-based payload delivery and deployed PluggyApe v2 with stronger obfuscation, anti-analysis or virtual-machine checks, and MQTT support. The malware also moved toward retrieving encoded command-and-control addresses from public paste services such as Pastebin and Rentry.
Attackers use early PluggyApe loader and Pastebin-based delivery
In October 2025, CERT-UA observed earlier activity using a '.pdf.exe' loader that fetched a Python interpreter and an early PluggyApe script from Pastebin. This reflects the campaign's initial delivery and command infrastructure approach before later refinements.
Void Blizzard begins charity-themed targeting of Ukraine's Defense Forces
Between October and December 2025, personnel in Ukraine's Defense Forces were targeted in a cyber-espionage campaign using Signal and WhatsApp messages that impersonated charitable organizations. Victims were lured to fake charity sites or sent password-protected archives containing disguised executables that installed the PluggyApe backdoor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
The Good, the Bad and the Ugly in Cybersecurity - Week 3
sentinelone.com
Open sourceUkraine defense officials targeted by PluggyApe malware campaign | SC Media
scworld.com
Open sourceThreat Actors Targeting Ukraine's Defense Forces With Charity-Themed Malware Campaign
cybersecuritynews.com
Open sourcePLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces
thehackernews.com
Open sourceCERT-UA reports PLUGGYAPE cyberattacks on defense forces
securityaffairs.com
Open sourceUkraine's army targeted in new charity-themed malware campaign
bleepingcomputer.com
Open sourceKremlin-linked hackers pose as charities to spy on Ukraine’s military | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor
A **Russia-linked phishing campaign** has targeted Ukrainian entities using emails that lure recipients into downloading a ZIP archive, leading to installation of two newly identified malware families: the **BadPaw** loader and the **MeowMeow** backdoor. Reporting based on ClearSky’s analysis describes messages sent from addresses hosted on Ukrainian service **ukr[.]net**, with a redirect to a ZIP containing a Ukraine-themed border checkpoint/permit lure; opening the archive triggers execution that downloads **BadPaw**, which then establishes C2 and deploys **MeowMeow**. The malware chain is designed to complicate analysis and evade detection. ClearSky reported **BadPaw** as a **.NET-based loader** and noted use of the **.NET Reactor** packer/obfuscator, while **MeowMeow** provides backdoor functionality including file enumeration and data read/write/delete operations. Additional defensive measures include conditional execution (components remaining inert unless launched with specific parameters) and environment checks by MeowMeow to detect sandboxes or analysis tooling (e.g., *Wireshark*, *ProcMon*, *Fiddler*). Based on infrastructure and tradecraft indicators (including ukr[.]net-hosted sender addresses), researchers attributed the activity with **low confidence** to **APT28** (aka **Fancy Bear/Forest Blizzard/Blue Delta**).
Mar 21, 2026
APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine
ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the **BadPaw** loader and the **MeowMeow** backdoor. The infection chain begins with a lure email (sent from `ukr[.]net` to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks. The activity was attributed with **moderate confidence** to **APT28** based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including **SHADOWSNIFF**, **SALATSTEALER**, and a Go backdoor **DEAFTICKK** attributed to **UAC-0252**), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.
Mar 21, 2026
Cloaked Ursa Phishes Diplomats With Repurposed Lures and Cloud-Backed Malware
Unit 42 reported that **Cloaked Ursa**—also tracked as **APT29**, **Midnight Blizzard**, **Nobelium**, and **Cozy Bear**—ran phishing campaigns against diplomatic targets in **Ukraine** and **Turkey**, using lures tied to diplomats’ personal and professional interests. In one operation, the group repurposed a legitimate BMW-for-sale flyer originally sent by a Polish Ministry of Foreign Affairs diplomat and redistributed malicious versions to diplomatic missions in Kyiv, reaching at least **22 foreign missions**. A separate campaign targeted the **Turkish Ministry of Foreign Affairs** with a lure themed around humanitarian assistance guidance following the February 2023 earthquakes. The phishing chain redirected victims through URL shorteners to a compromised website that delivered malware through **HTA**, **ISO**, and **LNK** files disguised as PNG images, followed by **DLL sideloading**. Researchers said the payload used the **Microsoft Graph API** and **Dropbox** for command-and-control and shared code and tradecraft with previously reported Cloaked Ursa tooling, including overlap with **QUARTERRIG**, use of `APPVISVSUBSYSTEMS64.dll`, anti-analysis checks, shellcode injection, and obfuscated final-stage payloads. The activity showed a shift toward broadly appealing but individually relevant lures designed to spread more easily within diplomatic circles and improve espionage success.
May 26, 2026