Fake Charity Appeals Used in Malware Attacks Against Ukrainian Military

Threat actors launched a sophisticated malware campaign aimed at members of Ukraine’s Defense Forces between October and December 2025, using charity-styled lures to trick targets into downloading malicious software.

The attackers spread PLUGGYAPE, a Python-based backdoor, through fraudulent charity websites and messaging links, designed to appear as if they were legitimate humanitarian or donation resources.


Targeting & Attribution

  • The campaign was aimed specifically at Ukrainian military personnel and defense officials.
  • Ukrainian cybersecurity authorities (CERT-UA) and industry responders attribute the activity with medium confidence to Russian-affiliated threat actors tracked as Void Blizzard and Laundry Bear (UAC-0190).
  • These groups are known from previous operations, including espionage and malware campaigns aligned with Russian strategic interests.

How the Attack Worked

Social Engineering

  • Targets received instant messages via platforms like Signal, WhatsApp, and possibly others, often using legitimate-looking Ukrainian mobile operator numbers.
  • These messages promoted a “charity” website hosting supposedly relevant documents for download.
  • The lure relied on plausible humanitarian or donation themes to lower suspicion.

Malware Delivery

  • The malicious files were disguised with double extensions (e.g., .docx.pif or .pdf.exe) to look like harmless documents, but were actually executables.
  • In some cases, the malware was embedded directly in password-protected archives or sent inside messenger apps.
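The double-extension trick from the first bullet above, turned into a check a mail or messaging gateway could apply. This is an added example written for this article, not code from the campaign analysis or from any vendor; the two extension lists and the sample filenames are assumptions, and only `.pif` and `.exe` come from the text.

```python
"""Flag filenames that hide an executable extension behind a document
extension (report.docx.pif, list.pdf.exe). Added example for this article,
not code from the campaign analysis or any vendor; the extension lists
and the sample filenames below are assumptions / constructed."""
import os

# Extensions a user expects to open as a document (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".rtf", ".odt", ".jpg", ".png"}
# Extensions Windows executes on double-click (assumed list; .pif and .exe
# are the two the article names).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1"}


def extension_chain(filename):
    """Return every dotted suffix of the base name, lowercased and stripped
    of surrounding whitespace, e.g. "Звіт.docx.pif" -> [".docx", ".pif"]."""
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    parts = [p.strip() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def is_disguised_executable(filename):
    """True when the final extension executes but the one before it looks
    like a document: the double-extension lure described above."""
    chain = extension_chain(filename)
    return (len(chain) >= 2
            and chain[-1] in EXECUTABLE_EXTS
            and chain[-2] in DOCUMENT_EXTS)


def classify(filename):
    """Coarse verdict for one filename."""
    chain = extension_chain(filename)
    if not chain:
        return "no-extension"
    if is_disguised_executable(filename):
        return "disguised-executable"
    if chain[-1] in EXECUTABLE_EXTS:
        return "executable"
    return "other"


# Constructed sample names in the style a charity-themed lure might carry.
SAMPLE_FILENAMES = [
    "Список_отримувачів.docx.pif",
    "donation_report.PDF.EXE",
    "Volunteer list.pdf",
    "photos.zip",
    "setup.exe",
    "README",
]


def scan(filenames):
    """Map each filename to its classification."""
    return {name: classify(name) for name in filenames}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILENAMES).items():
        print(f"{verdict:22} {name}")
```

The check is deliberately case-insensitive and strips whitespace around each part, since a name such as `report.PDF .EXE` still opens as an executable on Windows even though the visible extension is `.PDF`.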

PLUGGYAPE Backdoor

Once executed, PLUGGYAPE:

  • Profiles the host system to generate a unique victim ID using hardware identifiers (MAC address, BIOS serial, disk ID, CPU ID).
  • Establishes persistence by creating registry entries that auto-run the malware on startup.
  • Communicates with attacker-controlled servers using WebSocket/MQTT protocols and encodes data in JSON.
  • Fetches command-and-control (C2) addresses from public paste services (like Pastebin or Rentry) encoded in Base64.

By December 2025, the campaign had evolved to use more obfuscated malware versions with advanced anti-analysis and stealth features.


Why This Matters

  • Military targets: The campaign is more than generic phishing — it’s tailored to defense personnel.
  • Novel lures: The use of charity narratives leverages emotional and trust-based social engineering to overcome security awareness.
  • Cross-platform messaging: Use of popular messaging services and local language increases credibility and delivery success.

Defensive Recommendations

While full incident response analysis is ongoing, cybersecurity teams generally recommend:

  1. Educating personnel about double-extension file risks and fake donation lures
  2. Blocking or inspecting suspicious messaging links and unknown download URLs
  3. Monitoring systems for registry persistence changes and unusual outbound connections
  4. Reviewing logs for IoCs tied to PLUGGYAPE and related C2 infrastructure
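Recommendations 3 and 4 above, and the PLUGGYAPE behaviours they respond to (registry auto-run persistence, C2 addresses fetched from paste services, WebSocket/MQTT traffic), as one added triage example. This is written for this article and is not CERT-UA's or any vendor's tooling: the Run-key export and proxy log are constructed, the user-writable paths, interpreter names, paste-service hostnames and MQTT ports are assumptions, and nothing here is a published IoC.

```python
"""Triage helpers for recommendations 3 and 4: flag Run-key persistence that
launches from user-writable paths, and flag outbound traffic to paste
services or MQTT ports in a proxy/firewall log. Added example written for
this article, not CERT-UA's or any vendor's tooling; all sample data is
constructed and the lists below are assumptions, not published IoCs."""
import re

# Windows locations an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\",
                 "\\programdata\\")
# Interpreters a script backdoor would be started through (assumed list).
SUSPICIOUS_LAUNCHERS = {"python.exe", "pythonw.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe", "powershell.exe"}
SUSPICIOUS_EXTS = (".pif", ".scr", ".py", ".pyw", ".vbs", ".js", ".hta")
# Paste services named in the article; the exact hostnames are assumptions.
PASTE_HOSTS = {"pastebin.com", "rentry.co", "rentry.org"}
MQTT_PORTS = {1883, 8883}   # standard MQTT and MQTT-over-TLS ports

# Constructed "reg query ...\Run" output; user name and paths are made up.
RUN_KEY_EXPORT = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\olena\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    SecurityHealth    REG_SZ    C:\\Windows\\System32\\SecurityHealthSystray.exe
    WinUpdateSvc    REG_SZ    "C:\\Users\\olena\\AppData\\Roaming\\svc\\pythonw.exe" "C:\\Users\\olena\\AppData\\Roaming\\svc\\client.pyw"
    Report    REG_SZ    C:\\Users\\olena\\Downloads\\Звіт_волонтери.docx.pif
"""

# Constructed proxy/firewall log: timestamp,src_ip,dst_host,dst_port,proto.
# 203.0.113.45 is from the documentation address range, not a real C2.
PROXY_LOG = """\
2025-12-03T08:14:02Z,10.20.4.17,updates.example.net,443,https
2025-12-03T08:14:09Z,10.20.4.17,pastebin.com,443,https
2025-12-03T08:14:11Z,10.20.4.17,203.0.113.45,8883,tcp
2025-12-03T08:15:30Z,10.20.4.22,mail.example.org,443,https
"""


def parse_run_values(export_text):
    """Yield (value_name, command) pairs from reg query style output."""
    for line in export_text.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$", line)
        if m:
            yield m.group(1), m.group(3).strip()


def launched_path(command):
    """First token of a Run value: the quoted path, or text up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_value(command):
    """True when the value starts a script interpreter, or a script/shortcut-like
    file, from a user-writable directory: the auto-run persistence shape above."""
    path = launched_path(command).lower()
    in_user_dir = any(d in path for d in USER_WRITABLE)
    launcher = path.rsplit("\\", 1)[-1]
    return in_user_dir and (launcher in SUSPICIOUS_LAUNCHERS
                            or path.endswith(SUSPICIOUS_EXTS))


def flag_persistence(export_text):
    """Names of Run values worth a closer look."""
    return [name for name, cmd in parse_run_values(export_text)
            if suspicious_run_value(cmd)]


def flag_outbound(log_text):
    """(src, dst, port, reasons) for lines touching a paste service or MQTT port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _proto = line.split(",")
        reasons = []
        if dst.lower() in PASTE_HOSTS:
            reasons.append("paste-service")
        if int(port) in MQTT_PORTS:
            reasons.append("mqtt-port")
        if reasons:
            hits.append((src, dst, int(port), reasons))
    return hits


def hosts_with_c2_pattern(hits):
    """Sources that both fetched from a paste service and spoke to an MQTT
    port: the fetch-C2-address-then-connect sequence described above."""
    seen = {}
    for src, _dst, _port, reasons in hits:
        seen.setdefault(src, set()).update(reasons)
    return sorted(s for s, r in seen.items()
                  if {"paste-service", "mqtt-port"} <= r)


if __name__ == "__main__":
    print("suspicious Run values:", flag_persistence(RUN_KEY_EXPORT))
    hits = flag_outbound(PROXY_LOG)
    for hit in hits:
        print("outbound:", hit)
    print("hosts matching paste-then-MQTT pattern:", hosts_with_c2_pattern(hits))
```

A legitimate program under `AppData` (OneDrive in the sample) is not flagged because the rule requires both a user-writable path and a script interpreter or script-like extension; a single paste-service fetch is also only a weak signal on its own, which is why the correlation step looks for the same source host doing both the paste fetch and the MQTT connection.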