Mallory

Void Blizzard (Laundry Bear) Charity-Themed Lures Deliver PluggyApe Backdoor to Ukraine’s Defense Forces

Tags: government-diplomatic-threat, state-sponsored-espionage, phishing-campaign-intelligence, remote-access-implant, command-and-control-method

Updated March 21, 2026 at 02:53 PM (7 sources)

Ukraine’s CERT (CERT-UA) reported a cyber-espionage campaign targeting representatives of Ukraine’s Defense Forces between October and December 2025, using social-engineering lures themed around charitable foundations. Victims were contacted via Signal and WhatsApp and either directed to charity-impersonation websites or sent password-protected archives, sometimes directly through the messaging apps, that purported to contain documents but actually held executable payloads (including files with double extensions such as *.docx.pif).

The activity was attributed with medium confidence to the Russia-aligned threat actor Void Blizzard (also tracked as Laundry Bear and UAC-0190). The campaign deployed a previously undocumented backdoor dubbed PluggyApe, built as a Python executable packaged with PyInstaller, which profiles infected hosts, establishes persistence via Windows Registry modification, and enables remote command execution. CERT-UA noted an evolution in late 2025 from earlier loader naming patterns (e.g., *.pdf.exe) to PIF-based delivery and an updated PluggyApe v2 featuring stronger obfuscation, MQTT-based command-and-control, and additional anti-analysis checks.
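The double-extension lure and the PyInstaller-packaged payload described above lend themselves to a simple archive triage check. The following is an added example, not code from CERT-UA, Mallory, or any source cited here; the extension lists, the sample archive and its member names are constructed for the demonstration, while the cookie magic is the value PyInstaller itself writes into the archive it appends to its bootloader.

```python
"""Triage helper for the delivery pattern described above: archive members with a
document-looking first extension and an executable final extension (*.docx.pif,
*.pdf.exe) whose payload is a PyInstaller-built executable. Added example, not
CERT-UA's or Mallory's code; the sample archive below is constructed."""
import io
import zipfile
from pathlib import PurePosixPath

# Final extensions Windows runs directly (PIF is a legacy executable format);
# first extensions cover the document types the lures imitate.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".xls", ".pptx", ".txt", ".jpg"}
# Cookie magic PyInstaller writes into the archive it appends to its bootloader.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def is_disguised_executable(name: str) -> bool:
    """True for names like report.docx.pif: a document suffix hiding an executable one."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS


def has_pyinstaller_marker(data: bytes) -> bool:
    """Check whether an executable image embeds the PyInstaller archive cookie."""
    return PYINSTALLER_MAGIC in data


def triage_archive(zip_bytes: bytes) -> list:
    """Return one finding per file in an (already unlocked) ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            disguised = is_disguised_executable(info.filename)
            # Only the bytes of suspicious members are inspected; decoys are skipped.
            pyi = has_pyinstaller_marker(zf.read(info.filename)) if disguised else False
            findings.append({"name": info.filename, "disguised_executable": disguised,
                             "pyinstaller": pyi})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign decoy plus a fake .docx.pif carrying the cookie."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("donors.txt", "donation list\n")
        zf.writestr("fund_report.docx.pif", b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC)
    return buf.getvalue()
```

Password-protected archives must be opened with the password the lure supplied before being passed to `triage_archive`; the check is on names and content, not on the archive wrapper.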

Timeline

  1. Jan 13, 2026

    CERT-UA discloses PluggyApe campaign and attributes it to Void Blizzard

    In January 2026, CERT-UA publicly reported the campaign targeting Ukraine's Defense Forces and attributed it with medium confidence to the Russian-linked group Void Blizzard, also known as Laundry Bear or UAC-0190. The agency described the use of trusted messaging platforms, Ukrainian-language social engineering, and fake charity themes as part of a broader shift away from mass phishing.

  2. Dec 1, 2025

    PluggyApe campaign evolves with new PIF lures and v2 malware

    By December 2025, the operators shifted to PIF-based payload delivery and deployed PluggyApe v2 with stronger obfuscation, anti-analysis or virtual-machine checks, and MQTT support. The malware also moved toward retrieving encoded command-and-control addresses from public paste services such as Pastebin and Rentry.

  3. Oct 1, 2025

    Attackers use early PluggyApe loader and Pastebin-based delivery

    In October 2025, CERT-UA observed earlier activity using a '.pdf.exe' loader that fetched a Python interpreter and an early PluggyApe script from Pastebin. This reflects the campaign's initial delivery and command infrastructure approach before later refinements.

  4. Oct 1, 2025

    Void Blizzard begins charity-themed targeting of Ukraine's Defense Forces

    Between October and December 2025, personnel in Ukraine's Defense Forces were targeted in a cyber-espionage campaign using Signal and WhatsApp messages that impersonated charitable organizations. Victims were lured to fake charity sites or sent password-protected archives containing disguised executables that installed the PluggyApe backdoor.


Sources

January 16, 2026 at 05:29 PM
January 14, 2026 at 12:00 AM

2 more from sources including BleepingComputer and The Record

Related Stories

Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor

A **Russia-linked phishing campaign** has targeted Ukrainian entities using emails that lure recipients into downloading a ZIP archive, leading to installation of two newly identified malware families: the **BadPaw** loader and the **MeowMeow** backdoor. Reporting based on ClearSky’s analysis describes messages sent from addresses hosted on Ukrainian service **ukr[.]net**, with a redirect to a ZIP containing a Ukraine-themed border checkpoint/permit lure; opening the archive triggers execution that downloads **BadPaw**, which then establishes C2 and deploys **MeowMeow**. The malware chain is designed to complicate analysis and evade detection. ClearSky reported **BadPaw** as a **.NET-based loader** and noted use of the **.NET Reactor** packer/obfuscator, while **MeowMeow** provides backdoor functionality including file enumeration and data read/write/delete operations. Additional defensive measures include conditional execution (components remaining inert unless launched with specific parameters) and environment checks by MeowMeow to detect sandboxes or analysis tooling (e.g., *Wireshark*, *ProcMon*, *Fiddler*). Based on infrastructure and tradecraft indicators (including ukr[.]net-hosted sender addresses), researchers attributed the activity with **low confidence** to **APT28** (aka **Fancy Bear/Forest Blizzard/Blue Delta**).

1 month ago
APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine

ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the **BadPaw** loader and the **MeowMeow** backdoor. The infection chain begins with a lure email (sent from `ukr[.]net` to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks. The activity was attributed with **moderate confidence** to **APT28** based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including **SHADOWSNIFF**, **SALATSTEALER**, and a Go backdoor **DEAFTICKK** attributed to **UAC-0252**), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.

1 month ago
DRILLAPP Espionage Campaign Targeting Ukrainian Organizations

A **Russia-linked cyber-espionage campaign** targeted Ukrainian entities with a JavaScript-based backdoor called **DRILLAPP**, using lures themed around **Starlink terminal verification** and the **Come Back Alive Foundation** charity. Researchers linked the activity to **Laundry Bear**—also tracked as **Void Blizzard** and **UAC-0190**—and said the operation shared tradecraft with earlier campaigns against Ukrainian defense-related targets. The malware was observed in February 2026 and was designed for surveillance and remote access, including file upload and download, microphone recording, and webcam image capture. The intrusion chain used malicious **LNK** files to create an **HTA** file in a temporary directory, fetch obfuscated scripts from **Pastefy**, and establish persistence by copying shortcuts into the Windows Startup folder. The payload then executed through **Microsoft Edge** in headless mode with permissive flags such as `--no-sandbox`, `--disable-web-security`, `--allow-file-access-from-files`, `--use-fake-ui-for-media-stream`, and `--disable-user-media-security`, enabling access to the local file system, camera, microphone, and potentially screen capture without normal user prompts. Researchers said the browser-based approach likely helps the attackers blend malicious activity with legitimate browser access to sensitive device features.

1 month ago
