
Russian hackers attack the Defense Forces under the guise of charitable foundations: here's how the scheme works

During October-December 2025, cyber experts from the CERT-UA team at the State Service for Special Communications investigated a number of cyberattacks against representatives of the Defense Forces of Ukraine (DFU). Based on certain characteristic features, they believe that the Russian hacker group Void Blizzard (Laundry Bear) is behind them.


The hackers operated through messengers, the CERT-UA team reported. In the messages, they encouraged people to visit a fake charity website, from which they offered to download “documents” — in fact executable files, usually inside a password-protected archive. The executable file could also be sent directly in the messenger, most often with the double extension “.docx.pif”.

As soon as such a file was opened, the PLUGGYAPE malware was launched, giving hackers access to the device.

"Note that in October 2025, the attackers used a file with the extension '.pdf.exe', which provided the launch of a loader, the purpose of which was to download the Python interpreter and (from the Pastebin resource) the Python file of an early version of PLUGGYAPE. Starting in December 2025, an improved (and obfuscated) version of PLUGGYAPE (PLUGGYAPE.V2) was discovered, which used the MQTT protocol and also added a number of checks to counteract analysis, in particular, launching in a virtual environment," cyber experts explained.

In several of the analyzed files, the IP address of the command-and-control server was not hardcoded in the program itself; instead it was published on resources such as rentry.co and pastebin.com, in particular in BASE64-encoded form, and fetched from there at run time.
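Two defender-side checks follow from the tradecraft described above: flagging attachment names that hide an executable extension behind a document-looking one (".docx.pif", ".pdf.exe"), and decoding BASE64 tokens from a paste fetched during triage to recover the server address the program would otherwise retrieve at run time. The following is an added example written for this article, not CERT-UA tooling or code from the malware; the extension lists, filenames and paste contents are constructed, and the only address used is from the TEST-NET range.

```python
import base64
import binascii
import ipaddress
import re

# Final extensions Windows treats as executable; ".pif" is the one the article names.
# Constructed list for this example; extend it to fit your own attachment policy.
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta"}
# Document-looking extensions used as the decoy part of the name.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'report.docx.pif' or 'invoice.pdf.exe'.

    Only the last extension decides how the file is launched, so a document
    extension sitting immediately before an executable one is the lure pattern.
    """
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return real in EXECUTABLE_EXTENSIONS and decoy in DOCUMENT_EXTENSIONS


def flag_attachments(filenames):
    """Return the subset of filenames that match the double-extension lure."""
    return [name for name in filenames if is_disguised_executable(name)]


# A run of base64 alphabet characters with optional padding; short words are ignored.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# "host" or "host:port"; IPv4 only, since the host part may not contain colons.
_HOST_PORT = re.compile(r"^(?P<host>[^:\s]+)(?::(?P<port>\d{1,5}))?$")


def _looks_like_address(text: str) -> bool:
    m = _HOST_PORT.match(text)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group("host"))
    except ValueError:
        return False
    return True


def extract_encoded_addresses(paste_text: str):
    """Decode every base64-looking token in a paste and keep those that decode to an IP.

    This mirrors the indirection the article describes: the address is hosted on a
    paste site instead of being hardcoded, so an analyst decodes the paste contents
    rather than the binary.
    """
    found = []
    for tok in _B64_TOKEN.findall(paste_text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii").strip()
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if _looks_like_address(decoded) and decoded not in found:
            found.append(decoded)
    return found


# Constructed sample data for the example; not real indicators.
SAMPLE_ATTACHMENTS = [
    "Звіт_фонду.docx.pif",   # decoy document extension before .pif
    "Документ.pdf.exe",      # same pattern with .exe
    "report.docx",           # genuine document name, not flagged
    "setup.exe",             # plain executable, not the double-extension lure
    "photo.jpg",
]
# "MTkyLjAuMi4xMA==" is base64 of the TEST-NET address 192.0.2.10;
# "aGVsbG8=" decodes to "hello" and is correctly ignored.
SAMPLE_PASTE = "title: notes\nMTkyLjAuMi4xMA==\naGVsbG8=\n"

if __name__ == "__main__":
    print("flagged attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
    print("addresses in paste:", extract_encoded_addresses(SAMPLE_PASTE))
```

The attachment check is deliberately narrow: it flags the decoy-before-executable pattern the article names rather than every executable, so it can run as a high-confidence alert on messenger and mail gateway logs without drowning in noise; a broader policy would block the executable extensions outright.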

CERT-UA emphasized that hackers' methods are constantly evolving. They can now text the victim from real Ukrainian numbers, communicate freely in Ukrainian, and even make video calls. Attackers can also display detailed and relevant knowledge about a person or organization.
