Kremlin-linked hackers pose as charities to spy on Ukraine’s military

Summary

Researchers and Ukraine’s CERT‑UA say Kremlin‑linked operators ran a targeted cyber‑espionage campaign from October to December 2025 that impersonated charitable organisations to compromise Ukrainian defence personnel. The attackers used messaging apps (Signal, WhatsApp) and convincing, tailored contact to lure victims into downloading what seemed like documents but were executables, often hidden in password‑protected archives. The malware, a previously undocumented backdoor named PluggyApe, was rapidly upgraded to provide persistence, stealth and remote access. CERT‑UA attributes the activity to the state‑backed group Void Blizzard (aka Laundry Bear, UAC‑0190).

Key Points

  • Campaign timeframe: October–December 2025, targeting members of Ukraine’s Defence Forces.
  • Malware: a new backdoor called PluggyApe, upgraded during the campaign to evade detection and enable persistent access.
  • Attribution: Void Blizzard / Laundry Bear (UAC‑0190), a Russian state‑linked espionage group.
  • Delivery vector: messaging apps (Signal, WhatsApp) and impersonation of charitable organisations; files disguised as documents or sent directly via messaging.
  • Social engineering: highly tailored contacts using legitimate accounts, Ukrainian phone numbers, language and even audio/video calls to build trust.
  • Trend: shift from mass phishing to trusted‑channel, bespoke lures that complicate detection and response.
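
The lure described above turns on a file that looks like a document but is an executable, sometimes wrapped in a password‑protected archive so that content scanners cannot open it. The script below is an added example (not code from the source article, CERT‑UA or the researchers) of the checks a mail or chat gateway can apply before a user double‑clicks: a document‑style extension followed by an executable one, an executable magic number under a document extension, bidi override characters in the name, and the archive's own encryption flag. The extension lists, the magic‑number table, the sample filenames and the constructed archive are all assumptions for illustration, not indicators from the campaign.

```python
import io
import zipfile

# Names a recipient would expect to be a document or image (constructed list; extend as needed).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".odt", ".rtf", ".txt", ".jpg", ".jpeg", ".png"}
# Extensions Windows hands straight to a loader or script host.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk", ".msi", ".ps1"}
# Leading bytes that identify the real file type regardless of its name.
MAGIC = [
    (b"MZ", "pe"),                 # Windows PE/COFF executable or DLL
    (b"\x7fELF", "elf"),           # Linux executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),        # zip, also OOXML (docx/xlsx)
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy Office binary formats
]
# Unicode bidi controls that make a name render with its extension reversed or hidden.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}


def sniff(head: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """'Donor_List.pdf.exe' -> ['.pdf', '.exe'] (base name only, lower-cased)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_file(name: str, head: bytes) -> list:
    """Flag the ways a file can pass for a document while actually being executable."""
    findings = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(head)
    if any(ch in BIDI_OVERRIDES for ch in name):
        findings.append("filename contains a bidi override character")
    if last in EXEC_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension: shown as {exts[-2]}, runs as {last}")
        else:
            findings.append(f"executable extension {last}")
    elif kind in ("pe", "elf"):
        findings.append(f"content is a {kind} executable but extension is {last or 'missing'}")
    return findings


def inspect_archive(data: bytes) -> dict:
    """Inspect every member of a zip archive; encrypted members are judged by name only."""
    result = {"encrypted": False, "members": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0: member is encrypted
            result["encrypted"] |= encrypted
            head = b"" if encrypted else zf.open(info).read(8)
            result["members"][info.filename] = inspect_file(info.filename, head)
    return result


def build_sample_archive() -> bytes:
    """Constructed sample: a document-named PE stub beside a harmless text file (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Humanitarian_Aid_List.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("README.txt", b"Thank you for supporting our volunteers.\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_archive(build_sample_archive())
    print("archive encrypted:", report["encrypted"])
    for member, findings in report["members"].items():
        print(member, "->", findings or "clean")
```

When an archive comes back with `encrypted` set, the content checks cannot run, which is exactly why the password goes in the chat message rather than the file: treat an encrypted archive from an unsolicited contact as a finding in itself, and quarantine on the name‑based checks alone.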

Context and relevance

This campaign fits a broader pattern of Russia‑linked actors focusing on targeted espionage against government, defence, media, transport and healthcare sectors across Europe and North America. The use of popular encrypted messaging apps as primary delivery channels signals an operational shift: attackers increasingly exploit trusted communication paths and social engineering rather than broad email phishing. For security teams and defence organisations this raises operational security (OPSEC) concerns — personal devices and messaging apps are now frontline attack surfaces.

Why should I read this

Because it’s a quick window into how these actors are adapting: they pose as charities, use Signal and WhatsApp the way anyone else does, and slip in a new backdoor. If you work in cyber or defence, or rely on messaging apps for work, you’ll want the practical takeaways here.

Author note

This is high‑importance intelligence. The tactics are precise and still evolving, so it is worth reading in full if you handle security, communications or defence planning. The detail matters for detection, user training and incident response.

Source

Source: https://therecord.media/kremlin-linked-hackers-pose-as-charities-spy-ukraine