Russian hackers are spying on the Armed Forces of Ukraine through fake charitable foundations


Hackers linked to the Kremlin have launched a new cyber-espionage campaign targeting Ukrainian servicemembers, using fake charitable organizations as cover. 

According to a report by Ukraine’s Computer Emergency Response Team (CERT-UA), the attacks occurred between October and December 2025. The targets were members of the Ukrainian Defense Forces, and the intrusions used previously unknown malware named PluggyApe. Responsibility for this activity is attributed to the state-backed group Void Blizzard, also known as Laundry Bear or UAC-0190. This organization operates on behalf of the Russian government and targets defense, government, transport, and medical sectors in Europe and North America.

The attackers contacted victims through popular messaging apps, persuading them to visit websites mimicking charitable foundation pages. Servicemembers were offered files that appeared to be ordinary documents but were actually malicious executables, often packaged in password-protected archives.

In some cases, the malware was sent directly in messages. To support their report, CERT-UA published screenshots of hacker conversations on Signal and WhatsApp. Authorities had previously warned that Russian intelligence increasingly uses Signal to distribute spyware among government officials and military personnel.

The PluggyApe program is continuously evolving; by December, it had gained features to bypass detection systems more effectively and make code analysis more difficult. Once installed, the malware gives hackers persistent remote access and allows them to execute various commands on the infected device.

Ukrainian officials emphasize that this campaign represents a significant shift in Russian cyber tactics. Instead of mass phishing campaigns, attackers now rely on trust-based communication and individualized lures. For initial contact, they use legitimate Ukrainian phone numbers, communicate in Ukrainian, make audio and video calls, and demonstrate deep knowledge of the structure and activities of specific units. CERT-UA stated that messaging applications on phones and computers have effectively become the primary channel for malware distribution.
