Void Blizzard (UAC-0190) Targets Ukrainian Defense Forces with PluggyApe Malware via Charity-Themed Lures

Executive Summary

Ukraine's Computer Emergency Response Team (CERT-UA) has issued an alert regarding a targeted cyber-espionage campaign against the Ukrainian Defense Forces. The campaign, attributed to the Kremlin-linked threat group Void Blizzard (also known as Laundry Bear and tracked by Ukraine as UAC-0190), was active between October and December 2025. The attackers have shifted tactics from mass phishing to highly personalized social engineering, directly contacting military personnel on encrypted messaging apps like Signal and WhatsApp. Posing as representatives of charitable foundations, the attackers lure targets into downloading a new malware backdoor named PluggyApe. This malware provides persistent remote access to the victim's machine, enabling data exfiltration and further command execution, directly supporting Russian intelligence-gathering efforts in the ongoing conflict.

Threat Overview

The campaign demonstrates a significant evolution in social engineering tradecraft. Void Blizzard operators are no longer relying on impersonal, large-scale email campaigns. Instead, they are:

• Making Direct Contact: Using secure messaging apps like Signal and WhatsApp to initiate conversations.
• Building Trust: Leveraging compromised accounts, Ukrainian phone numbers, and speaking fluent Ukrainian. They engage in detailed conversations, sometimes including audio or video calls, to establish credibility.
• Using Themed Lures: Impersonating legitimate charitable foundations supporting the Ukrainian military, a theme designed to resonate strongly with their targets.

Once trust is established, the attacker directs the target to a fake charity website to download a document, which is actually the PluggyApe malware disguised with an icon like a .docx file (e.g., as a .docx.pif file), often delivered within a password-protected archive to evade initial security scans (T1566.001).

Technical Analysis

PluggyApe is a backdoor built using PyInstaller, which bundles a Python script into a standalone executable. Its primary functions include:

• Persistence: It establishes persistence on the infected system by creating or modifying Windows Registry keys, typically in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run path, ensuring it runs every time the user logs in (T1547.001).
• Data Exfiltration: Upon execution, it gathers system information (e.g., hostname, username, OS version) and exfiltrates it to a command-and-control (C2) server.
• Remote Access: It acts as a backdoor, allowing the attacker to send further commands to the compromised machine, such as downloading additional payloads or searching for and exfiltrating specific files.

An updated version observed in December 2025 showed improved obfuscation and a more dynamic C2 mechanism, using services like Pastebin to fetch the C2 server address, making it harder for defenders to block.

Impact Assessment

This campaign poses a direct threat to Ukraine's national security. By compromising the devices of military personnel, Void Blizzard can:

• Steal sensitive military intelligence, such as troop movements, operational plans, and personnel information.
• Gain insight into military communications and strategies.
• Use the compromised devices as a pivot point to attack broader military networks.
• Conduct psychological operations by spreading disinformation through compromised accounts.

The highly targeted and personal nature of the social engineering makes this campaign particularly dangerous and difficult to defend against with technology alone.

Detection & Response

• Endpoint Detection: EDR solutions should be configured to alert on the creation of .pif files or executables with double extensions. Monitor for processes making modifications to the CurrentVersion\Run registry key. This aligns with D3-SFA: System File Analysis.
• Network Monitoring: Block or alert on outbound connections to text-sharing sites like Pastebin from processes other than web browsers. This could indicate a malware variant like PluggyApe attempting to fetch its C2 address.
• User Training: This is the most critical defense. Military personnel must be trained to be extremely skeptical of unsolicited contact, even on secure messaging apps and from apparently friendly sources. All requests to download files or visit websites from unknown contacts should be treated as suspicious.

Mitigation

1. Execution Prevention: Configure systems to block the execution of files from untrusted sources or with suspicious extensions like .pif. Use application control solutions to allowlist known-good applications, preventing unknown malware like PluggyApe from running. This is a direct application of D3-EAL: Executable Allowlisting.
2. Verify, Then Trust: Instruct personnel to never download files or click links from unsolicited contacts without independent verification of the sender's identity through an official channel.
3. Disable Scripting: Where possible, disable scripting environments like PowerShell for standard users to prevent the execution of malicious scripts downloaded by a first-stage payload.
4. Limit Local Admin Rights: Ensure that military personnel do not use accounts with local administrator privileges for daily tasks. This can limit a malware's ability to establish persistence and access sensitive system files.