
PLUGGYAPE backdoor targets Ukrainian defense forces via Signal and WhatsApp lures

Malware Activity
Happening score: 36
1 unique source, 1 article

Summary


CERT-UA disclosed PLUGGYAPE attacks targeting Ukrainian defense forces between October and December 2025, showing an active backdoor operation with real operational risk. The malware was delivered through Signal and WhatsApp charity lures that led targets to password-protected archives and a PyInstaller executable. PLUGGYAPE can execute arbitrary code and now uses WebSocket and MQTT communications, improving operator resilience and making takedown efforts harder.

Related Happenings

BadPaw ukr[.]net credibility-building redirect campaign targeting Ukraine

Campaign
First: 04.03.2026 16:30 Last: 04.03.2026 16:30 Sources 1

About this happening: The **BadPaw** campaign is using **ukr[.]net** email and redirect checks to appear credible and confirm engagement before delivering its payload, increasing the chance that **Ukra...

CL Suite Chrome extension stealing Meta Business data

Malware Activity
First: 13.02.2026 13:25 Last: 13.02.2026 13:25 Sources 1

About this happening: The **CL Suite** Chrome extension is exfiltrating **TOTP seeds**, **current 2FA codes**, and **Meta Business** data from **Meta Business Suite** and **Facebook Business Manager**...

Roskomnadzor blocks WhatsApp in Russia

Public Sector Action
First: 13.02.2026 00:57 Last: 13.02.2026 00:57 Sources 1

About this happening: **Roskomnadzor** is trying to **block WhatsApp** in **Russia**, escalating restrictions on communication platforms and limiting access for users who rely on the service. The move...

Uphero/hero trojanized 7-Zip installer proxyware activity

Malware Activity
First: 10.02.2026 21:12 Last: 10.02.2026 21:12 Sources 1

About this happening: A **trojanized 7-Zip installer** is now dropping **Uphero/hero** payloads that turn **Windows hosts** into **residential proxy nodes**, letting attackers route traffic through vic...

Fancy Bear (APT28) Microsoft Office exploitation campaign targeting Ukrainian and EU organizations

Campaign
First: 02.02.2026 14:45 Last: 02.02.2026 14:45 Sources 1

About this happening: **Fancy Bear (APT28)** is linked to an **active espionage campaign** that used a **custom Covenant** implant and **BeardShell** against **Ukrainian targets** since **April 2024**....

Latest development: 10.03.2026 12:00

ESET says APT28 has used a custom variant of Covenant together with BeardShell since April 2024 against Ukrainian targets, including Ukrainian military personnel and central executive bodies of Ukraine, with recent attacks exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files. Covenant is the primary implant and BeardShell is the fallback, while Icedrive, Filen, Koofr, and pCloud are used for C2 infrastructure.

Timeline

  1. 14.01.2026 07:48 2 articles · 4mo ago

    CERT-UA discloses PLUGGYAPE attacks on Ukrainian defense forces

    Initial Disclosure

    CERT-UA disclosed PLUGGYAPE activity targeting Ukrainian defense forces, attributing it with medium confidence to Void Blizzard, also known as Laundry Bear or UAC-0190. The campaign used Signal and WhatsApp charity lures to deliver password-protected archives containing a PyInstaller-built executable, and the backdoor can communicate with operators over WebSocket or MQTT and execute arbitrary code on compromised hosts.
