

Ukraine's army targeted in new charity-themed malware campaign
Published:
13 January 2026 at 23:03:55
Alert date:
14 January 2026 at 00:01:19
Source:
bleepingcomputer.com
Ransomware & Malware, Data Breach & Exfiltration, Email & Messaging, Critical Infrastructure
Ukraine's Defense Forces officials were targeted in a charity-themed malware campaign between October and December 2025. The campaign delivered backdoor malware called PluggyApe through deceptive charity-related communications. This represents a targeted attack against military personnel using social engineering tactics focused on charitable activities. The timing and targeting suggest this may be part of ongoing cyber warfare activities against Ukrainian military infrastructure.
Technical details
PluggyApe is a backdoor delivered in a campaign targeting Ukrainian Defense Forces officials through charity-themed social engineering. The attack vector is a Signal or WhatsApp message directing the victim to a fake charity website that hosts a password-protected archive; the archive contains an executable PIF file with a double extension (.docx.pif). The malicious PIF files are built with PyInstaller, which bundles a Python application into a single executable. PluggyApe v2 adds improved obfuscation, MQTT-based command-and-control communication, anti-analysis checks, and dynamic C2 retrieval from rentry.co and pastebin.com, where the C2 address is stored base64-encoded. Persistence is achieved by modifying the Windows Registry. Earlier versions used .pdf.exe extensions.
Mitigation steps:
Monitor mobile devices more closely, since they are typically less protected and less monitored than workstations. Treat charity-themed messages received via Signal or WhatsApp that request a download as suspicious. Watch for executable files with double extensions (.docx.pif, .pdf.exe). Implement detection for PyInstaller-built executables and for MQTT communication patterns. Monitor access to rentry.co and pastebin.com for base64-encoded content. Verify the legitimacy of a charity organization before engaging with its communications.
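The following triage helpers are an added example and are not code from the BleepingComputer article, CERT-UA, or the malware itself. They implement three of the checks named in the mitigation steps: flagging filenames with a document-then-executable double extension, detecting the archive cookie that PyInstaller appends to every executable it builds, and decoding base64 tokens in a pasted text to surface embedded host or URL strings. The sample filenames, bytes and paste text are constructed for the example; the hostnames under example.invalid are placeholders, not real indicators.

```python
"""Defensive triage helpers for the indicators described in the alert.

Added example, not from the article, CERT-UA or the PluggyApe campaign.
All sample inputs below are constructed for illustration.
"""
import base64
import re

# Document-like extensions a user expects to be harmless; followed by an
# executable extension they form the lure pattern named in the alert.
DOCUMENT_EXTS = {"docx", "doc", "pdf", "xlsx", "xls", "jpg", "png", "txt"}
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}

# Magic bytes PyInstaller writes into the CArchive cookie it appends to
# every bundled executable: "MEI" followed by 0c 0b 0a 0b 0e.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Host or URL shape: optional scheme, dotted labels, TLD, optional port/path.
_HOST_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{2,5})?(?:/\S*)?",
    re.IGNORECASE,
)


def has_double_extension(path: str) -> bool:
    """True for names like report.docx.pif or invoice.pdf.exe."""
    name = re.split(r"[\\/]", path.lower())[-1]
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS


def looks_like_pyinstaller(data: bytes) -> bool:
    """True if the PyInstaller archive cookie appears anywhere in the bytes.

    The cookie normally sits near the end of the file; scanning the whole
    buffer also catches builds with extra data appended after it."""
    return PYINSTALLER_MAGIC in data


def base64_c2_candidates(blob: str) -> list[str]:
    """Decode every base64-looking token in a text and return the decoded
    strings that parse as a host or URL (the shape a stored C2 address has)."""
    found = []
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", blob):
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not decoded.isascii():
            continue
        text = decoded.decode("ascii").strip()
        if _HOST_RE.fullmatch(text):
            found.append(text)
    return found


# Constructed paste text: two encoded placeholder C2 strings, one plain word
# whose length is not a multiple of 4 (rejected as malformed base64), and one
# valid base64 token that decodes to binary, not a host.
SAMPLE_BLOB = (
    "config v2 "
    + base64.b64encode(b"broker.example.invalid:1883").decode()
    + " NotBase64JustAWord "
    + base64.b64encode(b"https://c2.example.invalid/cfg").decode()
    + " "
    + base64.b64encode(bytes(range(32))).decode()
)

# Constructed file stub: a PE header prefix with the PyInstaller cookie inside.
SAMPLE_PYINSTALLER_BYTES = b"MZ\x90\x00" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16
SAMPLE_PLAIN_BYTES = b"MZ\x90\x00" + b"\x00" * 64


if __name__ == "__main__":
    for name in ("report.docx.pif", "scan.pdf.exe", "report.docx", "setup.exe"):
        print(f"{name}: double extension = {has_double_extension(name)}")
    print("PyInstaller cookie present:", looks_like_pyinstaller(SAMPLE_PYINSTALLER_BYTES))
    print("Decoded host/URL candidates:", base64_c2_candidates(SAMPLE_BLOB))
```

The double-extension check deliberately keys on the pair (document extension, executable extension) rather than on any file with two dots, so names like `archive.tar.gz` are not flagged; the PyInstaller check is a cheap static pre-filter, not a full PE parse, and should be paired with the MQTT and paste-site network monitoring the alert recommends.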
Affected products:
Windows (Registry modification for persistence)
Signal messaging app
WhatsApp messaging app
Mobile devices (specifically targeted)
Related links:
https://www.bleepingcomputer.com/news/security/russian-void-blizzard-cyberspies-linked-to-dutch-police-breach/
https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
https://cert.gov.ua/article/6286942
Related CVEs:
Related threat actors:
IOCs:
rentry.co (C2 address source), pastebin.com (C2 address source), .docx.pif file extensions, .pdf.exe file extensions (earlier campaigns), PyInstaller-created executables, Base64-encoded C2 addresses, MQTT-based communication patterns
This article was created with the assistance of AI technology by Perceptive.

