Russia-linked hackers have launched a cyber-espionage campaign targeting Ukraine’s military personnel by posing as charitable organizations, Ukrainian cyber defense agency CERT-UA reported.
According to CERT-UA, the attacks took place between October and December 2025 and targeted members of Ukraine’s Defense Forces. The campaign leveraged a previously undocumented strain of malware dubbed ‘PluggyApe.’
CERT-UA attributed the activity to a state-backed group known as Void Blizzard, also tracked as Laundry Bear and designated by Ukrainian authorities as UAC-0190. The group is believed to work on behalf of the Russian government and has targeted state, defense, transportation, media, non-governmental organizations and healthcare sectors across Europe and North America.
Researchers said attackers contacted victims through messaging apps, urging them to visit websites impersonating charitable foundations. Targets were then prompted to download what appeared to be legitimate documents but were actually malicious executable files, often hidden inside password-protected archives. In some cases, the files were sent directly via messaging platforms.
CERT-UA shared screenshots showing attackers using Signal and WhatsApp, two messaging apps often abused by Russian threat actors to deliver malware.
PluggyApe was first deployed in October, with upgraded versions appearing by December to better evade detection. Once installed, the malware enables persistent remote access and allows attackers to run additional commands.