

PLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces
Published:
14 January 2026 at 05:48:00
Alert date:
14 January 2026 at 08:00:41
Source:
thehackernews.com
Ransomware & Malware, Email & Messaging, Data Breach & Exfiltration
CERT-UA disclosed cyber attacks targeting Ukrainian defense forces with PLUGGYAPE malware between October and December 2025. The attacks are attributed with medium confidence to the Russian hacking group Void Blizzard (aka Laundry Bear or UAC-0190). The malware is delivered through the Signal and WhatsApp messaging platforms. This represents ongoing cyber warfare activity against Ukrainian military infrastructure. The threat actor has been active since at least the timeframes covered in earlier reporting.
Technical details
PLUGGYAPE malware is a Python-based backdoor that establishes communication with remote servers over WebSocket or MQTT protocols. It allows operators to execute arbitrary code on compromised hosts. The malware is distributed through Signal and WhatsApp as password-protected archives containing PyInstaller executables. Command-and-control addresses are retrieved from external paste services like rentry.co and pastebin.com in base64-encoded form. Recent iterations added obfuscation and anti-analysis checks to prevent execution in virtual environments. Support for MQTT protocol communication was added in December 2025.
Mitigation steps:
Monitor for unsolicited messages on messaging platforms that appear to come from charity organizations.
Block access to the malicious domains harthulp-ua[.]com and solidarity-help[.]org.
Detect PyInstaller executables and password-protected archives received via messaging platforms.
Monitor for WebSocket and MQTT connections to external servers.
Watch for retrieval of base64-encoded data from paste services.
Monitor for anti-analysis behaviour such as virtual-environment detection checks.
Monitor for execution of mshta.exe with HTA files and for PowerShell script downloads.
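The two detections above that are easiest to automate are the paste-service lookups and the base64-encoded C2 addresses they return. The script below is an added example, not code from the article or from CERT-UA: it walks a constructed tab-separated web-proxy log (timestamp, host, method, URL, status, response excerpt), flags any request to rentry.co or pastebin.com, and raises the severity when the response body is valid base64 that decodes to a WebSocket, MQTT or HTTP endpoint or a bare IP:port pair. The log format, hostnames, paste URLs and the 198.51.100.x / 203.0.113.x addresses are all assumptions made up for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Paste services named in the advisory as the source of C2 addresses.
PASTE_SERVICES = {"rentry.co", "pastebin.com"}

# A decoded blob is treated as a C2 address if it is a ws/wss/mqtt/http(s) URL
# or a bare IPv4:port pair (optionally followed by a path).
C2_SCHEME_RE = re.compile(r"^(wss?|mqtts?|https?)://", re.IGNORECASE)
HOSTPORT_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}(?:/\S*)?$")
# Cheap pre-filter so we only attempt to decode plausible base64.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{8,}$")


@dataclass
class Finding:
    timestamp: str
    host: str
    url: str
    severity: str           # "high" = decoded C2 address, "low" = paste access only
    decoded: Optional[str]  # decoded body if it was valid base64 text, else None


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def is_paste_service(hostname: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in PASTE_SERVICES)


def try_decode_b64(text: str) -> Optional[str]:
    """Return the UTF-8 text behind a base64 blob, or None if it is not one."""
    if not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def looks_like_c2_address(text: str) -> bool:
    t = text.strip()
    return bool(C2_SCHEME_RE.match(t) or HOSTPORT_RE.match(t))


def analyze_proxy_log(lines: List[str]) -> List[Finding]:
    """Flag paste-service requests; escalate when the body decodes to a C2 address."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, _method, url, _status, body = line.split("\t")
        if not is_paste_service(host_of(url)):
            continue
        decoded = try_decode_b64(body.strip())
        severity = "high" if decoded and looks_like_c2_address(decoded) else "low"
        findings.append(Finding(ts, host, url, severity, decoded))
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log: one benign request, two paste fetches that return
# encoded C2 endpoints, and two paste fetches that return harmless text.
SAMPLE_LOG = [
    "2026-01-12T10:01:02Z\tWS-042\tGET\thttps://github.com/example/repo\t200\t<html>",
    f"2026-01-12T10:01:09Z\tWS-042\tGET\thttps://rentry.co/raw/ex4mpl3\t200\t{_b64('wss://198.51.100.23:8443/ws')}",
    "2026-01-12T10:03:44Z\tWS-017\tGET\thttps://rentry.co/raw/notes01\t200\tMeeting notes: bring the laptop",
    f"2026-01-12T10:05:10Z\tWS-042\tGET\thttps://pastebin.com/raw/ex4mpl3\t200\t{_b64('mqtt://203.0.113.7:1883')}",
    f"2026-01-12T10:07:31Z\tWS-088\tGET\thttps://pastebin.com/raw/list99\t200\t{_b64('weekly grocery list')}",
]

if __name__ == "__main__":
    for f in analyze_proxy_log(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.url} -> {f.decoded!r}")
```

Low-severity findings are still worth keeping: a single workstation fetching several raw pastes in a short window is itself unusual in a defense or government estate, and the high-severity hits give the decoded endpoint to add to network blocklists. URL-safe base64 (`-` and `_` in place of `+` and `/`) is not handled here and would need a second decode pass.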
Affected products:
Signal
WhatsApp
Windows systems
Ukrainian Defense Forces systems
Educational institutions systems
State authorities systems
Local government systems
Related links:
https://cert.gov.ua/article/6286942
https://thehackernews.com/2025/05/russian-hackers-breach-20-ngos-using.html
https://attack.mitre.org/techniques/T1102/001/
https://cert.gov.ua/article/6285731
https://github.com/Ptkatz/OrcaC2
https://cert.gov.ua/article/6286219
https://thehackernews.com/2022/03/russian-ransomware-gang-retool-custom.html
Related CVEs:
Related threat actors:
IOCs:
harthulp-ua[.]com, solidarity-help[.]org, rentry[.]co, pastebin[.]com, PLUGGYAPE, FILEMESS, GAMYBEAR, OrcaC2, LaZagne
This article was created with the assistance of AI technology by Perceptive.

