Introduction
Summary
PLUGGYAPE is a Python-based backdoor whose use has risen recently, with activity targeting Ukrainian defence forces between October and December 2025 and continuing from January 2026. It has been attributed, with medium confidence, to the Russia-linked threat group tracked as Void Blizzard (also known as Laundry Bear or UAC-0190). The group is believed to have been active since at least April 2024.
The Computer Emergency Response Team of Ukraine (CERT-UA), the government agency responsible for national cyber defence, reports that PLUGGYAPE establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT), allowing the operators to execute arbitrary code on compromised hosts. The operators keep extending the tooling's transport options: MQTT support was only added in December 2025.
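To make the two transports concrete for network hunting, here is an added example (not code from CERT-UA, from the malware, or from the page's sources) that classifies the first TCP payload of a captured session as a WebSocket upgrade request or an MQTT CONNECT packet and pulls out the fields an analyst would pivot on: Host and path for WebSocket; protocol level, keep-alive, client identifier and username for MQTT. The sample payloads are constructed inline; the hostname c2.example.invalid is a placeholder, not an indicator.

```python
import struct


def _read_varint(buf: bytes, pos: int):
    """MQTT variable-length integer (1-4 bytes). Returns (value, next_pos) or (None, pos)."""
    value, mult = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            return None, pos
        b = buf[pos + i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos + i + 1
        mult *= 128
    return None, pos


def _read_str(buf: bytes, pos: int):
    """MQTT string: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from("!H", buf, pos)
    if pos + 2 + n > len(buf):
        raise struct.error("string runs past end of packet")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_websocket_upgrade(payload: bytes):
    """Host and path of an HTTP request carrying 'Upgrade: websocket', else None."""
    if not payload.startswith(b"GET ") or b"\r\n\r\n" not in payload:
        return None
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    if headers.get(b"upgrade", b"").lower() != b"websocket":
        return None
    request = lines[0].split()
    return {"protocol": "websocket",
            "host": headers.get(b"host", b"").decode("ascii", "replace"),
            "path": request[1].decode("ascii", "replace") if len(request) > 1 else ""}


def parse_mqtt_connect(payload: bytes):
    """Connection metadata if payload is an MQTT CONNECT packet, else None."""
    # CONNECT is control packet type 1 with flag bits 0, so the fixed-header byte is 0x10
    if not payload or payload[0] != 0x10:
        return None
    remaining, pos = _read_varint(payload, 1)
    if remaining is None or len(payload) < pos + remaining:
        return None
    body = payload[pos:pos + remaining]
    try:
        name, p = _read_str(body, 0)
        if name not in (b"MQTT", b"MQIsdp"):      # 3.1.1 and 5.0 use "MQTT", 3.1 uses "MQIsdp"
            return None
        level, flags = body[p], body[p + 1]
        (keepalive,) = struct.unpack_from("!H", body, p + 2)
        p += 4
        if level == 5:                             # MQTT 5 inserts a properties block before the payload
            plen, p = _read_varint(body, p)
            p += plen
        client_id, p = _read_str(body, p)
        info = {"protocol": "mqtt", "version": level, "keepalive": keepalive,
                "client_id": client_id.decode("utf-8", "replace")}
        if flags & 0x04:                           # Will flag: will topic and will message follow
            if level == 5:
                wlen, p = _read_varint(body, p)
                p += wlen
            will_topic, p = _read_str(body, p)
            _, p = _read_str(body, p)
            info["will_topic"] = will_topic.decode("utf-8", "replace")
        if flags & 0x80:                           # User Name flag
            user, p = _read_str(body, p)
            info["username"] = user.decode("utf-8", "replace")
        info["has_password"] = bool(flags & 0x40)  # Password flag
        return info
    except (struct.error, IndexError, TypeError):
        return None


def classify_c2_payload(payload: bytes) -> dict:
    return parse_websocket_upgrade(payload) or parse_mqtt_connect(payload) or {"protocol": "unknown"}


# --- constructed test input (not captured traffic) ---------------------------------
def _mqtt_str(s: bytes) -> bytes:
    return struct.pack("!H", len(s)) + s


def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def build_mqtt_connect(client_id: bytes, username: bytes = None, password: bytes = None,
                       keepalive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet with Clean Session set."""
    flags, payload = 0x02, _mqtt_str(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_str(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_str(password)
    body = _mqtt_str(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + _varint(len(body)) + body


WS_SAMPLE = (b"GET /ws HTTP/1.1\r\nHost: c2.example.invalid\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
             b"Sec-WebSocket-Version: 13\r\n\r\n")
MQTT_SAMPLE = build_mqtt_connect(b"host-1234", b"operator", b"secret")

if __name__ == "__main__":
    for sample in (WS_SAMPLE, MQTT_SAMPLE, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"):
        print(classify_c2_payload(sample))
```

Both parsers deliberately reject anything that does not match the protocol's fixed structure (wrong first byte, truncated remaining length, non-"MQTT" protocol name) rather than guessing, so the same functions can be run over every first-payload in a capture without false positives from ordinary HTTP. MQTT carried inside a WebSocket connection would show up as the WebSocket leg only; the MQTT parser would then need to be applied to the frame payloads.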
CERT-UA also reported that the command-and-control (C2) addresses are not hard-coded in the malware: they are retrieved in base64-encoded form from external paste services such as rentry[.]co and pastebin[.]com. This indirection lets the operators point existing infections at new C2 servers when the original infrastructure is detected and taken down, without redeploying the malware. "Initial interaction with the target of a cyber attack is increasingly carried out using legitimate accounts and phone numbers of Ukrainian mobile operators, with the use of the Ukrainian language, audio and video communication, and the attacker may demonstrate detailed and relevant knowledge about the individual, organization, and its operations," CERT-UA said.
Background and History
PLUGGYAPE is attributed to the threat actor tracked as Void Blizzard, also known as Laundry Bear and UAC-0190. The attribution rests on CERT-UA's analysis, as reported by The Hacker News; both state that the PLUGGYAPE malware was created by this threat group for use in its own campaigns.
TTPs and Attack Methodology
Attack chains use Signal and WhatsApp as the initial vector: the threat actors masquerade as charity organisations and persuade targets to click a seemingly harmless link (for example "harthulp-ua[.]com" or "solidarity-help[.]org") that impersonates the foundation and download a password-protected archive.
The archives contain an executable built with PyInstaller that ultimately leads to the deployment of PLUGGYAPE. CERT-UA said successive iterations of the backdoor have added obfuscation and anti-analysis checks that stop the artifacts from executing in a virtual environment, which makes dynamic analysis harder.
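Because the lure delivers a PyInstaller-built executable, the first triage step an analyst takes on a retrieved archive is to confirm the build and list which Python scripts the bootloader will run. The following is an added example, not code from CERT-UA or from the campaign: it parses the PyInstaller cookie and table of contents that sit at the end of such an executable, following the CArchive layout documented by the PyInstaller project and relied on by extraction tools such as pyinstxtractor. The sample archive, including its entry names ("updater" and so on), is constructed here purely to exercise the parser and is not an indicator.

```python
import struct

# PyInstaller CArchive layout: [bootloader][entry data ...][table of contents][cookie]
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"    # magic, package length, TOC offset, TOC length, Python version, Python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes (PyInstaller 2.1 and later)
TOC_FIXED_FMT = "!iIIIBc"    # entry size, data offset, compressed size, uncompressed size, compressed?, type
TOC_FIXED_SIZE = struct.calcsize(TOC_FIXED_FMT)  # 18 bytes; the NUL-terminated entry name follows


def parse_pyinstaller(data: bytes):
    """Python version, library name and TOC entries if data is a PyInstaller build, else None."""
    pos = data.rfind(PYINST_MAGIC)   # the cookie closes the overlay, so take the last occurrence
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack_from(COOKIE_FMT, data, pos)
    overlay = pos + COOKIE_SIZE - pkg_len         # TOC and entry offsets are relative to this
    if overlay < 0 or overlay + toc_off + toc_len > len(data):
        return None
    toc = data[overlay + toc_off:overlay + toc_off + toc_len]
    entries, p = [], 0
    while p + TOC_FIXED_SIZE <= len(toc):
        size, off, csize, usize, cflag, etype = struct.unpack_from(TOC_FIXED_FMT, toc, p)
        if size < TOC_FIXED_SIZE or p + size > len(toc):
            break                                 # malformed entry: stop rather than mis-parse
        name = toc[p + TOC_FIXED_SIZE:p + size].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": etype.decode("ascii", "replace"),
                        "offset": overlay + off, "compressed": bool(cflag), "size": usize})
        p += size
    # version is stored as e.g. 311 (3.11) for Python 3.x, 27 (2.7) for legacy builds
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {"python": f"{major}.{minor}",
            "pylib": libname.rstrip(b"\0").decode("utf-8", "replace"),
            "entries": entries}


def entry_point_scripts(info: dict) -> list:
    """Type 's' entries are the scripts the bootloader executes: where the dropper's own code lives."""
    return [e["name"] for e in info["entries"] if e["type"] == "s"]


# --- constructed sample (not a real binary) ----------------------------------------
def build_fake_archive(entries, pyver=311, libname=b"python311.dll") -> bytes:
    """Minimal PyInstaller-style overlay behind a stub; entries stored uncompressed."""
    blob, toc = b"", b""
    for name, etype, raw in entries:
        name_bytes = name.encode() + b"\0"
        size = TOC_FIXED_SIZE + len(name_bytes)
        toc += struct.pack(TOC_FIXED_FMT, size, len(blob), len(raw), len(raw), 0, etype.encode()) + name_bytes
        blob += raw
    pkg_len = len(blob) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(blob), len(toc), pyver, libname)
    return b"MZ" + b"\0" * 62 + blob + toc + cookie   # "MZ" stub stands in for the real bootloader


SAMPLE_EXE = build_fake_archive([
    ("pyiboot01_bootstrap", "s", b"# bootstrap"),
    ("pyi_rth_inspect", "s", b"# runtime hook"),
    ("updater", "s", b"# constructed placeholder for the dropper script"),
    ("PYZ-00.pyz", "z", b"PYZ\0" + b"\0" * 16),
])

if __name__ == "__main__":
    info = parse_pyinstaller(SAMPLE_EXE)
    print(info["python"], info["pylib"], entry_point_scripts(info))
```

On a real sample the type 's' entries hold marshalled code objects for the Python version named in the cookie (zlib-compressed when the compressed flag is set), so the version string tells you which interpreter to use for the next step, decompilation. Anti-VM checks of the kind CERT-UA describes would be found in those scripts rather than in the archive metadata.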
Hashes and IOCs
No file hashes are publicly known at present, but several indicators have been reported, such as:
Orca C2 Command and Control Framework
aUKR[.]net links to VDI files
rentry[.]co links
pastebin[.]com links
SMS links from harthulp-ua[.]com or solidarity-help[.]org
This page will be updated as further information becomes available.
PLUGGYAPE is a Python-based backdoor used in cyberespionage campaigns primarily targeting Ukrainian defence forces, with significant activity reported between October 2025 and January 2026. The malware is linked with medium confidence to the Russia-linked threat group Void Blizzard (also known as Laundry Bear or UAC-0190). It operates as a remote access trojan (RAT), enabling attackers to profile infected systems, steal sensitive data, and execute arbitrary code. It is written in Python and is frequently deployed as a PyInstaller executable. It connects to command-and-control (C2) servers over WebSocket or MQTT; the C2 addresses are not embedded in the binary but fetched, base64-encoded, from paste services, so the operators can rotate infrastructure without touching the implant.
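The paste-service indirection described above, and in the Summary, is what an analyst has to unwind when a sample is found pointing at rentry[.]co or pastebin[.]com: fetch the paste, locate the base64 token, decode it and confirm that it is a transport endpoint. This added example (not code from CERT-UA or from the malware) does exactly that over a constructed paste body embedded inline. It assumes the operator-side encoding is plain base64 of a URL, which is all the reporting states; the hostnames c2.example.invalid and broker.example.invalid are placeholders, not indicators.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Transports described for PLUGGYAPE (WebSocket, MQTT) plus plain HTTP(S) for completeness
C2_SCHEMES = {"ws", "wss", "mqtt", "mqtts", "http", "https"}
# Runs of base64 alphabet (standard or URL-safe) long enough to hold a URL, optional padding
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def _try_b64(token: str):
    """Decode standard or URL-safe base64, tolerating stripped padding; None if not valid text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        if "-" in token or "_" in token:
            raw = base64.urlsafe_b64decode(padded)
        else:
            raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_c2_candidates(paste_text: str) -> list:
    """Return every base64 token in fetched paste content that decodes to a C2-style URL."""
    found = []
    for token in _B64_TOKEN.findall(paste_text):
        decoded = _try_b64(token)
        if decoded is None or not decoded.isprintable():
            continue                      # binary junk or control characters: not a URL
        endpoint = decoded.strip()
        url = urlparse(endpoint)
        if url.scheme.lower() not in C2_SCHEMES or not url.hostname:
            continue                      # decodes cleanly but is not an endpoint (decoy text, etc.)
        try:
            port = url.port
        except ValueError:                # non-numeric port in the netloc
            port = None
        found.append({"endpoint": endpoint, "scheme": url.scheme.lower(),
                      "host": url.hostname, "port": port, "token": token})
    return found


def defang(endpoint: str) -> str:
    """Bracket the dots, the form used above for sharing indicators (rentry[.]co)."""
    return endpoint.replace(".", "[.]")


# Constructed paste body: two encoded endpoints among noise and a decoy line.
PASTE_SAMPLE = "\n".join([
    "# cfg v3",
    base64.b64encode(b"wss://c2.example.invalid:8443/ws").decode(),
    "nothing to see here",
    "AAAAAAAAAAAAAAAAAAAAAAAA",            # valid base64, decodes to NUL bytes: must be rejected
    base64.b64encode(b"mqtt://broker.example.invalid:1883").decode(),
    base64.b64encode(b"not a url, just a decoy line").decode(),
    "",
])

if __name__ == "__main__":
    for hit in extract_c2_candidates(PASTE_SAMPLE):
        print(hit["scheme"], defang(hit["endpoint"]), hit["port"])
```

The function works on text already fetched; retrieving the raw paste URL with a sandboxed client is a separate step. Re-running it on a schedule against the same paste is also how one observes the operators swapping in a new C2 server after a takedown, since the implant itself never changes.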