Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least
Analysis Summary
# Tool/Technique: PLUGGYAPE
## Overview
PLUGGYAPE is a malware framework primarily identified as a backdoor used in cyber attacks targeting Ukrainian defense forces between October and December 2025. The distribution relied heavily on social engineering via instant messaging services (Signal and WhatsApp), impersonating charity organizations.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Windows (not stated outright; inferred from the PyInstaller-built executables and the Windows host interaction described)
- Capabilities: remote command execution; C2 over WebSocket, with MQTT added in December 2025; C2 addresses resolved at runtime from external paste services rather than hard-coded in the binary
- First Seen: October 2025 (Activity period reported by CERT-UA)
## MITRE ATT&CK Mapping
The primary focus of PLUGGYAPE relates to establishing remote access and maintaining communication; the delivery chain described in the report maps to initial-access and execution techniques as well.
- **TA0001 - Initial Access**
- T1566.003 - Phishing: Spearphishing via Service (links delivered over Signal and WhatsApp)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the PyInstaller executable inside the password-protected archive)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (WebSocket C2)
- T1071 - Application Layer Protocol (MQTT C2; ATT&CK has no MQTT-specific sub-technique)
- T1102.001 - Web Service: Dead Drop Resolver (C2 address fetched from rentry[.]co / pastebin[.]com)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (obfuscation added in later iterations)
- T1497 - Virtualization/Sandbox Evasion (anti-analysis checks added in later iterations)
## Functionality
### Core Capabilities
- **Remote Command Execution:** Allows operators to execute arbitrary code on compromised hosts.
- **Communication Protocols:** Utilizes WebSocket for command and control (C2) and added support for MQTT (as of December 2025).
- **Delivery Mechanism:** Spread via password-protected archives containing a Python-based executable (compiled with PyInstaller).
### Advanced Features
- **Dynamic C2 Retrieval:** C2 addresses are retrieved from external paste services (rentry[.]co, pastebin[.]com) in base64-encoded form. Operators can rotate infrastructure by editing the paste instead of redeploying the binary, and the implant's first outbound contact is to a legitimate, widely allowed service rather than to attacker-controlled hosts, which weakens both takedowns and simple domain blocklists.
- **Anti-Analysis:** Successive iterations added obfuscation and checks intended to abort or alter execution inside virtual machines or analysis sandboxes.
- **Social Engineering Vector:** Initial contact is made over Signal and WhatsApp, impersonating charity organizations, in Ukrainian, sometimes with audio or video to build rapport before the download link is sent.
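The decode-and-validate step an analyst would run over a retrieved paste body, as an added example that is not code from the CERT-UA report or from the malware itself. It assumes only what the page states: each meaningful line of the paste is a base64-encoded C2 URL, and the channels are WebSocket or MQTT. The sample paste, the `.invalid` hostnames and the accepted scheme set are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlparse

# URL schemes consistent with the WebSocket and MQTT channels described for
# PLUGGYAPE. Assumption for this example; extend if a sample uses another scheme.
C2_SCHEMES = {"ws", "wss", "mqtt", "mqtts"}


def decode_dead_drop(paste_body: str) -> list[dict]:
    """Triage a retrieved paste body: decode each line as base64 and keep only
    lines that decode to a URL with a C2-looking scheme and a hostname.

    Non-base64 lines (comments, noise), base64 that is not text, and text that
    is not a usable URL are skipped rather than raising, so a paste padded with
    junk still yields its real endpoints.
    """
    endpoints = []
    for lineno, raw in enumerate(paste_body.splitlines(), start=1):
        token = raw.strip()
        if not token:
            continue
        try:
            # validate=True rejects any character outside the base64 alphabet
            decoded = base64.b64decode(token, validate=True).decode("utf-8").strip()
        except (binascii.Error, UnicodeDecodeError):
            continue  # not strict base64, or not text: treat as paste noise
        url = urlparse(decoded)
        if url.scheme.lower() not in C2_SCHEMES or not url.hostname:
            continue
        try:
            port = url.port  # raises ValueError on a malformed port
        except ValueError:
            continue
        endpoints.append({
            "line": lineno,
            "scheme": url.scheme.lower(),
            "host": url.hostname,
            "port": port,  # None when the URL carries no explicit port
            "url": decoded,
        })
    return endpoints


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample paste body. The hostnames are placeholders under the
# reserved .invalid TLD, not indicators from the CERT-UA report.
SAMPLE_PASTE = "\n".join([
    _b64("wss://relay.example.invalid:443/ws"),
    "# rotated 2025-12-01",                      # plain-text noise, not base64
    _b64("mqtt://broker.example.invalid:1883"),
    _b64("nothing to see here"),                 # valid base64, but not a URL
    "",
])

if __name__ == "__main__":
    for ep in decode_dead_drop(SAMPLE_PASTE):
        print(f"line {ep['line']}: {ep['scheme']} {ep['host']}:{ep['port']}")
```

Running it on the constructed paste yields two endpoints (the `wss` relay on line 1 and the `mqtt` broker on line 3) and silently drops the comment and the non-URL line. The same function is useful for the defensive side: run it over paste bodies captured in proxy logs to extract the hosts a PyInstaller sample would have connected to next.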
## Indicators of Compromise
- **File Hashes:** (Not provided in the context)
- **File Names:** Executable delivered from password-protected archives.
- **Registry Keys:** (Not provided in the context)
- **Network Indicators:**
- Initial contact link domains (defanged): `harthulp-ua[.]com`, `solidarity-help[.]org`
- C2 address retrieval (dead-drop) hosts (defanged): `rentry[.]co`, `pastebin[.]com`; both are legitimate public paste services, so alert on the fetching process and the specific paste URL rather than blocking the hosts outright
- **Behavioral Indicators:** A PyInstaller-built executable (a onefile build unpacks its Python runtime into a temporary `_MEI*` directory at launch) that first fetches a paste page and then opens a WebSocket or MQTT session to the host decoded from it.
## Associated Threat Actors
- **Void Blizzard** (aka Laundry Bear, UAC-0190) - Attributed with medium confidence.
## Detection Methods
- **Signature-based detection:** Match on the PyInstaller archive structure (the `MEI` cookie magic appended after the PE image) to surface candidates, then on strings or constants specific to the PLUGGYAPE payload. A PyInstaller match on its own is a triage signal, not a verdict, since plenty of legitimate software is packaged the same way.
- **Behavioral detection:** Alert when a recently written or unsigned executable (especially one launched from a Downloads or archive-extraction directory) fetches a page from a paste service and then opens a WebSocket (an HTTP Upgrade over 80/443, which blends in with ordinary web traffic) or an MQTT session (default TCP 1883/8883) to a host it had not contacted before. Pair this with sandbox telemetry: samples that exit early or behave differently under virtualization are consistent with the reported anti-analysis checks.
- **YARA rules if available:** (Not provided in the context)
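The two detection ideas above, run over constructed telemetry, as an added example that is not from the CERT-UA report and not a detection rule the report provides. The PyInstaller cookie magic is the constant PyInstaller's own archive reader uses; the log line format, the browser allowlist, the file names and the `.invalid` hosts are assumptions made for the example, and the paste hosts are the two named on this page.

```python
import re

# PyInstaller's archive cookie magic, as used by PyInstaller's own archive
# reader. A PyInstaller-built EXE carries it in the cookie appended after the
# PE image, so a plain byte search is enough for triage.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Dead-drop hosts named in the CERT-UA reporting, and MQTT's default
# plaintext/TLS ports. The browser allowlist is an assumption for this example.
DEAD_DROP_HOSTS = {"rentry.co", "pastebin.com"}
MQTT_PORTS = {1883, 8883}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log format: timestamp|full image path|destination host:port
LOG_LINE = re.compile(r"^(?P<ts>[^|]+)\|(?P<image>[^|]+)\|(?P<host>[^:|]+):(?P<port>\d+)$")


def is_pyinstaller_binary(data: bytes) -> bool:
    """Cheap triage signal: does the file carry the PyInstaller cookie magic?
    Legitimate PyInstaller-built software matches too, so use this to
    prioritise samples, not to convict them."""
    return PYINSTALLER_MAGIC in data


def triage_connections(lines) -> list[dict]:
    """Flag connections that fit the PLUGGYAPE pattern: a non-browser process
    fetching from a paste service (dead-drop resolve), or any process talking
    to an MQTT default port. WebSocket over 443 is deliberately not matched on
    port alone; it looks like HTTPS, which is why the preceding paste fetch
    from the same process is the stronger signal."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        image = m["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        host = m["host"].lower()
        port = int(m["port"])
        reasons = []
        if host in DEAD_DROP_HOSTS and image not in BROWSER_IMAGES:
            reasons.append("non-browser process fetching from paste service")
        if port in MQTT_PORTS:
            reasons.append(f"outbound connection to MQTT default port {port}")
        if reasons:
            alerts.append({"ts": m["ts"], "image": image, "host": host,
                           "port": port, "reasons": reasons})
    return alerts


# Constructed sample telemetry; file and host names are placeholders.
SAMPLE_LOG = [
    r"2025-12-03T10:14:02Z|C:\Users\o.k\Downloads\charity_help.exe|rentry.co:443",
    r"2025-12-03T10:14:05Z|C:\Users\o.k\Downloads\charity_help.exe|broker.example.invalid:1883",
    r"2025-12-03T10:15:00Z|C:\Program Files\Google\Chrome\Application\chrome.exe|pastebin.com:443",
    r"2025-12-03T10:16:00Z|C:\Windows\System32\svchost.exe|update.example.invalid:443",
]

# Constructed stand-in for the tail of a PyInstaller-built EXE.
SAMPLE_PYINSTALLER_TAIL = b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    print("pyinstaller cookie present:", is_pyinstaller_binary(SAMPLE_PYINSTALLER_TAIL))
    for a in triage_connections(SAMPLE_LOG):
        print(a["ts"], a["image"], f"{a['host']}:{a['port']}", "; ".join(a["reasons"]))
```

On the constructed log the sweep raises two alerts, both for `charity_help.exe` (the paste fetch, then the MQTT connection), and stays silent on the browser visiting a paste site and on the ordinary HTTPS connection. In a real deployment the two signals belong in a correlation rule keyed on process identity and time: the paste fetch followed within seconds by a new outbound session from the same process is the sequence the report describes.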
## Mitigation Strategies
- **Prevention:** Treat links and file downloads received over Signal or WhatsApp as untrusted even when they come from a known contact, since the lure impersonates charities and a contact's account may itself be compromised; route such downloads through URL and file reputation checks and, where policy allows, block password-protected archives at the endpoint. Enforce application control (for example AppLocker or WDAC allow-listing) so that executables dropped into user-writable directories cannot run.
- **Hardening recommendations:** Tune EDR to flag process creation where the parent is an IM client or an archive utility and the child is an unsigned executable, and to flag network activity from executables launched shortly after an archive extraction. Restrict or closely monitor PyInstaller-built executables in sensitive environments; a blanket block is rarely practical because legitimate tooling is built with PyInstaller too, so allow-list known-good binaries by hash or publisher instead.
## Related Tools/Techniques
The article also mentions activity from other threat actors targeting Ukraine concurrently, indicating a broad threat landscape:
- **FILEMESS:** A Go-based stealer associated with UAC-0239 that exfiltrates data via Telegram.
- **OrcaC2:** An open-source C2 framework dropped alongside FILEMESS, capable of system manipulation and remote code execution.
- **GAMYBEAR:** A Go backdoor associated with UAC-0241.
- **LaZagne:** An open-source tool used to recover stored passwords.