Kremlin-linked hackers pose as charities to spy on Ukraine’s military
Hackers linked to the Kremlin have launched a new cyber-espionage campaign targeting Ukraine’s military personnel by posing as charitable organizations, researchers said.
In a report released on Monday, Ukraine’s computer emergency response team, CERT-UA, said the attacks took place between October and December 2025 and targeted representatives of Ukraine’s Defense Forces. The operations were carried out using a previously undocumented malware strain known as PluggyApe.
The activity was attributed to Void Blizzard, also tracked as Laundry Bear and internally designated by Ukrainian authorities as UAC-0190. The relatively new state-backed espionage group operates in support of Russian government interests, targeting government, defense, transportation, media, non-governmental organizations and healthcare sectors in Europe and North America.
According to CERT-UA, attackers contacted their targets via messaging applications, urging them to visit websites impersonating charitable foundations. Victims were then prompted to download what appeared to be documents but were, in fact, executable files, often packaged in password-protected archives. In some cases, the malicious files were sent directly through messaging apps.
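The delivery chain described above (a "document" that is really an executable, often handed over inside a password-protected archive) is the one part of this campaign a recipient or a mail/messenger gateway can check mechanically at the moment a file arrives. The following Python triage routine is an added example for illustration, not CERT-UA's code and not anything from the report: it compares what a filename promises against what the first bytes of the file actually are (a Windows PE image starts with `MZ`, a ZIP local file header starts with `PK\x03\x04` and carries a general-purpose flag whose low bit marks a password-protected entry). The file names and header bytes in the samples are constructed for the demonstration.

```python
"""
Receipt-time triage for files arriving over messaging apps.

Flags three things the campaign relies on:
  * an executable extension hidden behind a document extension ("x.pdf.exe")
  * executable (PE) content behind a document-looking name
  * a password-protected ZIP, whose contents a scanner cannot inspect

Added example, not CERT-UA's or any vendor's tooling. Sample data below
is constructed.
"""
import struct
from pathlib import PurePosixPath

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".msi", ".js", ".vbs", ".hta"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0 in the local file header


def triage(filename: str, header: bytes) -> list[str]:
    """Return a list of human-readable findings for one received file."""
    findings: list[str] = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""

    # Name check: "donation_list.pdf.exe" shows a document extension to the
    # user while the operating system sees an executable.
    if len(suffixes) >= 2 and last in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        findings.append("double extension: document name, executable suffix")
    elif last in EXECUTABLE_EXTS:
        findings.append("executable file type")

    # Content check: a PE image always begins with the "MZ" signature,
    # whatever the filename claims.
    if header[:2] == b"MZ":
        if last in DOCUMENT_EXTS:
            findings.append("document extension but PE executable content")
        elif last not in EXECUTABLE_EXTS:
            findings.append("PE executable content with non-executable extension")

    # Archive check: ZIP local file header, flags field at offset 6,
    # bit 0 set means the entry is password-protected. Office documents
    # (.docx etc.) are ZIPs too, but are not encrypted this way.
    if header[:4] == ZIP_LOCAL_HEADER and len(header) >= 8:
        (flags,) = struct.unpack_from("<H", header, 6)
        if flags & ZIP_ENCRYPTED_FLAG:
            findings.append("password-protected archive: contents hidden from scanners")

    return findings


def make_zip_local_header(name: bytes, flags: int) -> bytes:
    """Constructed minimal ZIP local file header (no entry data); enough
    bytes for the flag check above. Used only to build sample input."""
    fixed = struct.pack("<HHHHHIIIHH",
                        20,      # version needed to extract
                        flags,   # general-purpose bit flag
                        0, 0, 0, # compression method, mod time, mod date
                        0, 0, 0, # crc32, compressed size, uncompressed size
                        len(name), 0)  # filename length, extra field length
    return ZIP_LOCAL_HEADER + fixed + name


# Constructed samples: (filename, first bytes of the file)
SAMPLES = [
    ("donation_list.pdf.exe", b"MZ\x90\x00" + bytes(60)),
    ("charity_report.pdf", b"%PDF-1.7\n"),
    ("documents.zip", make_zip_local_header(b"list.exe", ZIP_ENCRYPTED_FLAG)),
    ("letter.docx", make_zip_local_header(b"[Content_Types].xml", 0x0800)),
    ("letter.docx", b"MZ" + bytes(30)),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        result = triage(name, head) or ["no finding"]
        print(f"{name:24s} -> {'; '.join(result)}")
```

The check is deliberately cheap: it needs only the filename and the first few dozen bytes, so it can run in a gateway before any sandboxing, and a password-protected archive is reported as a finding in its own right rather than silently passed because nothing inside it could be scanned.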
CERT-UA shared screenshots showing attackers using Signal and WhatsApp to communicate with victims. Ukrainian officials have previously warned that Russian state-backed hackers are increasingly abusing Signal to deliver malware targeting government and military personnel.
The group first deployed an early version of the PluggyApe backdoor in October. By December, the malware had been upgraded with additional features designed to evade detection and complicate analysis. Once installed, PluggyApe allows attackers to establish persistent remote access to infected systems and execute additional commands.
Ukrainian officials said the campaign reflects a broader shift in Russia-linked cyber operations, with attackers increasingly relying on trusted communication channels and highly tailored lures rather than mass phishing emails.
Initial contact is now often made through legitimate accounts and Ukrainian phone numbers, with attackers speaking Ukrainian, placing audio or video calls and demonstrating detailed knowledge of their targets and their organizations.
“Widely used messaging applications installed on mobile devices and personal computers are de facto becoming the most common delivery channel for malware,” CERT-UA said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.