PLUGGYAPE Malware Leverages Signal and WhatsApp to Target Ukrainian Defense


These articles are AI-generated summaries. Please check the original sources for full details.

CERT-UA has documented attacks ongoing since October 2025 in which PLUGGYAPE malware is delivered to Ukrainian defense forces through phishing campaigns run over Signal and WhatsApp. The activity is attributed to Void Blizzard (tracked by CERT-UA as UAC-0190). The implant is a Python backdoor that has been revised repeatedly across the campaign and is used to establish command and control over the compromised host.

Why This Matters

Perimeter defenses and signature-based detection assume that initial access arrives over channels the organization inspects, chiefly email and web. Delivery over end-to-end encrypted messengers such as Signal and WhatsApp sidesteps that inspection: the lure and the link never pass through the mail gateway, and the message content is not visible to network controls. For defense networks the impact of a successful intrusion ranges from data exfiltration and service disruption to geopolitical consequences, so detection has to move to the endpoint and to egress behaviour rather than rely on the delivery channel being monitored.

Key Insights

  • Void Blizzard Activity: Russian hacking group active since at least April 2024.
  • Evolving Backdoors: successive PLUGGYAPE versions add obfuscation and anti-analysis checks, so earlier signatures and sandbox runs may not match current samples.
  • C2 Infrastructure: public paste services such as rentry[.]co and pastebin[.]com form part of the command-and-control channel, giving the operators resilient infrastructure that blends into ordinary HTTPS traffic.

Working Example

(No code provided in the source text)
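The paste-service C2 pattern above is something a SOC can hunt for directly: an interpreter process polling a raw paste URL on a schedule looks nothing like a user browsing pastebin. The following is an added example, not code from CERT-UA or from the original article. The log format, field names, host names and the sample events are constructed for the demo; the paste domains are the two named in the report and the interpreter list is an assumption that the backdoor runs under a stock Python interpreter rather than a packed binary.

```python
"""Hunt proxy/EDR network events for Python processes polling paste services.

Added example (not CERT-UA's or the article's code). Log format, field
names and SAMPLE_EVENTS are constructed for this demo.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Paste services named in the report; extend from your own intel feeds.
PASTE_SERVICE_DOMAINS = {"rentry.co", "pastebin.com"}

# Assumption: the backdoor runs under a stock interpreter, not a packed EXE.
PYTHON_PROCESSES = {
    "python", "python3", "pythonw",
    "python.exe", "python3.exe", "pythonw.exe",
}

# Constructed events: <timestamp> <host> <process> <method> <url>
SAMPLE_EVENTS = """\
2025-10-14T08:01:12Z WS-017 chrome.exe GET https://pastebin.com/abc123
2025-10-14T08:03:40Z WS-017 pythonw.exe GET https://rentry.co/k9x2q/raw
2025-10-14T08:08:40Z WS-017 pythonw.exe GET https://rentry.co/k9x2q/raw
2025-10-14T08:13:41Z WS-017 pythonw.exe GET https://rentry.co/k9x2q/raw
2025-10-14T08:15:00Z WS-022 python3 GET https://pypi.org/simple/requests/
2025-10-14T08:20:05Z WS-031 explorer.exe GET https://pastebin.com/raw/zz9y8x
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_event(line):
    """Parse one whitespace-separated event line; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "url": url}


def is_paste_service(url):
    """True if the URL's host is one of the paste services or a subdomain of one."""
    netloc = urlparse(url).hostname or ""
    return any(netloc == d or netloc.endswith("." + d) for d in PASTE_SERVICE_DOMAINS)


def score_event(ev):
    """Score a single event; 0 means nothing of note. Returns (score, reasons)."""
    if not is_paste_service(ev["url"]):
        return 0, []
    score, reasons = 1, ["paste-service destination"]
    if ev["proc"] in PYTHON_PROCESSES:
        score += 2
        reasons.append("request from python interpreter")
    if re.search(r"/raw(/|$)", urlparse(ev["url"]).path):
        score += 1
        reasons.append("raw paste fetch (machine-readable, not a browser view)")
    return score, reasons


def hunt(log_text, threshold=3):
    """Group events by (host, process, url); repeated fetches of one paste look like polling."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            buckets[(ev["host"], ev["proc"], ev["url"])].append(ev)

    findings = []
    for (host, proc, url), events in buckets.items():
        score, reasons = score_event(events[0])
        if score == 0:
            continue
        if len(events) >= 3:
            score += 1
            reasons.append(f"{len(events)} fetches of the same paste (beacon-like)")
        if score >= threshold:
            findings.append({"host": host, "proc": proc, "url": url,
                             "count": len(events), "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} {f['proc']} {f['url']} score={f['score']} "
              f"count={f['count']}: {'; '.join(f['reasons'])}")
```

On the constructed sample only the WS-017 pythonw.exe polling of rentry.co/raw crosses the threshold; a single browser visit to pastebin.com and a raw fetch from explorer.exe score but do not fire, which is the intended trade-off between catching the implant's polling loop and not alerting on every developer who reads a paste. Because the report notes the backdoor keeps changing, the hunt keys on egress behaviour (interpreter, raw endpoint, repetition) rather than on any sample-specific string, so it survives the obfuscation changes that defeat static signatures.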

Practical Applications

  • Use Case: personnel in Ukrainian defense forces receive seemingly legitimate Signal/WhatsApp messages containing links to archives that carry the malware; opening the archive contents runs the Python backdoor.
  • Pitfall: relying solely on email security controls. With delivery shifting to end-to-end encrypted messaging apps, detection has to cover endpoint process behaviour and outbound traffic (for example, interpreter processes contacting paste services) rather than the delivery channel alone.
