
PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign

2 unique sources, 2 articles

Summary


Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025. The campaign delivered the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends the collected victim information to the attackers, and waits for further commands. The campaign highlights the growing targeting of mobile devices, which are often poorly protected and monitored. The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of these attacks, tracking the malware as PLUGGYAPE. The threat actor is believed to have been active since at least April 2024. The malware is written in Python and communicates with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT). The command-and-control (C2) addresses are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored in base64-encoded form.

Timeline

  1. 14.01.2026 01:03 · 2 articles

    PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign

    Between October and December 2025, Ukraine's Defense Forces were targeted in a charity-themed malware campaign that delivered the PluggyApe backdoor. The campaign used instant messages over Signal or WhatsApp to direct recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends the collected victim information to the attackers, and waits for further commands. PluggyApe version 2, introduced in December 2025, features stronger obfuscation, MQTT-based communication, and additional anti-analysis checks. The malware fetches its C2 addresses from external sources such as rentry.co and pastebin.com, where they are published in base64-encoded form. Mobile devices are increasingly targeted because they are often poorly protected and monitored, and the attackers use compromised accounts or phone numbers of Ukrainian telecommunication operators to make the messages more convincing. The threat actor is believed to have been active since at least April 2024. The malware is written in Python and communicates with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT).


Similar Happenings

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking the Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean while running a multi-stage attack chain that ended with the backdoor program executing. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in its attacks. The groups use legitimate services and Windows processes to dodge security tools and apply different encryption methods to each step of a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies.

Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of the wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as the GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russia-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla's backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon's toolset continued to evolve, incorporating new file stealers and tunneling services.

Phishing campaign targets LastPass and Bitwarden users to install remote access tools

A phishing campaign is targeting LastPass and Bitwarden users with fake breach alerts. The emails urge recipients to download a supposedly more secure desktop version of the password manager, which instead installs Syncro, an RMM tool, and the ScreenConnect remote support software. The campaign began over the Columbus Day holiday weekend, exploiting reduced staffing. LastPass has confirmed it has not been hacked and is actively working to mitigate the phishing campaign. The phishing emails are well-crafted and claim to address vulnerabilities in older .exe installations, urging users to update to a more secure MSI format. The threat actors use domains like 'lastpasspulse[.]blog' and 'bitwardenbroadcast[.]blog' to send these emails. The installed Syncro and ScreenConnect components allow the threat actors to remotely access the compromised endpoints, deploy further malware, and steal data. The phishing emails use the subject line 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security' and are sent from email addresses like hello@lastpasspulse[.]blog or hello@lastpassgazette[.]blog. The phishing site is hosted at lastpassdesktop[.]com or lastpassgazette[.]blog, and another domain, lastpassdesktop[.]app, has been registered by the threat actor for potential future use.

CABINETRAT Backdoor Deployed via XLL Add-ins in Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a new targeted cyber attack campaign using the CABINETRAT backdoor. The campaign, attributed to the threat cluster UAC-0245, involves the distribution of malicious XLL add-ins via the Signal messaging app. These add-ins, disguised as legitimate documents, are used to deploy the CABINETRAT backdoor, which gathers system information and executes commands on compromised hosts. The attack was observed in September 2025, with the malicious files distributed within ZIP archives shared over Signal. The XLL files create multiple executables and registry modifications to ensure persistence and evade detection. The backdoor communicates with a remote server over a TCP connection.

GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module

The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. The UAT-8099 group, similar to GhostRedirector, hijacks IIS servers to funnel mobile search engine traffic to spam advertisements and illegal gambling websites. The group targets servers in Brazil, Canada, India, Thailand, and Vietnam, using open-source web shells for initial access and privilege escalation. UAT-8099 installs the BadIIS module to intercept and manipulate HTTP traffic for SEO poisoning and malicious redirects. The attackers use BadIIS to serve SEO terms to search engine crawlers and redirect human visitors to scam websites. UAT-8099 deploys a Cobalt Strike backdoor to maintain persistent access and exfiltrate sensitive data. The group's activities often go undetected by the targeted organizations due to the stealthy nature of the attacks. Cisco Talos has detailed the full attack chain and additional findings relating to the UAT-8099 campaign, identifying several new BadIIS malware samples with altered code structures to evade detection. The group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool for persistence and deploys defense mechanisms to secure its foothold. The UAT-8099 group was first discovered in April 2025 and primarily targets mobile users, including both Android and Apple iPhone devices. The group uses the Everything tool to search for valuable data within compromised hosts. BadIIS operates in three modes: Proxy, Injector, and SEO fraud. BadIIS uses backlinking to boost website visibility and rankings.