Find notable cyber news and cases, enriched with sources, timelines, and signals.

PLUGGYAPE backdoor targets Ukrainian defense forces via Signal and WhatsApp lures

Malware Activity
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

CERT-UA disclosed PLUGGYAPE attacks targeting Ukrainian defense forces between October and December 2025, showing an active backdoor operation with real operational risk. The malware was delivered through Signal and WhatsApp charity lures that led targets to password-protected archives and a PyInstaller executable. PLUGGYAPE can execute arbitrary code and now uses WebSocket and MQTT communications, improving operator resilience and making takedown efforts harder.

Related Happenings

NSO Group WhatsApp spear-phishing campaign

Campaign
H score37 First: 08.06.2026 20:08 Last: 08.06.2026 20:08 Sources 1

About this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...

BadPaw ukr[.]net credibility-building redirect campaign targeting Ukraine

Campaign
H score33 First: 04.03.2026 16:30 Last: 04.03.2026 16:30 Sources 1

About this happening: The **BadPaw** campaign is using **ukr[.]net** email and redirect checks to appear credible and confirm engagement before delivering its payload, increasing the chance that **Ukra...

CL Suite Chrome extension stealing Meta Business data

Malware Activity
H score39 First: 13.02.2026 13:25 Last: 13.02.2026 13:25 Sources 1

About this happening: The **CL Suite** Chrome extension is exfiltrating **TOTP seeds**, **current 2FA codes**, and **Meta Business** data from **Meta Business Suite** and **Facebook Business Manager**...

Roskomnadzor blocks WhatsApp in Russia

Public Sector Action
H score30 First: 13.02.2026 00:57 Last: 13.02.2026 00:57 Sources 1

About this happening: **Roskomnadzor** is trying to **block WhatsApp** in **Russia**, escalating restrictions on communication platforms and limiting access for users who rely on the service. The move...

Uphero/hero trojanized 7-Zip installer proxyware activity

Malware Activity
H score15 First: 10.02.2026 21:12 Last: 10.02.2026 21:12 Sources 1

About this happening: A **trojanized 7-Zip installer** is now dropping **Uphero/hero** payloads that turn **Windows hosts** into **residential proxy nodes**, letting attackers route traffic through vic...

Timeline

  1. 14.01.2026 07:48 2 articles · 5mo ago

    CERT-UA discloses PLUGGYAPE attacks on Ukrainian defense forces

    Initial Disclosure

    CERT-UA disclosed PLUGGYAPE activity targeting Ukrainian defense forces, attributing it with medium confidence to Void Blizzard, also known as Laundry Bear or UAC-0190. The campaign used Signal and WhatsApp charity lures to deliver password-protected archives containing a PyInstaller-built executable, and the backdoor can communicate with operators over WebSocket or MQTT and execute arbitrary code on compromised hosts.

    Show sources