Charity or Chicanery? Russian Hackers Masquerade as Humanitarians to Target Ukraine’s Military
Kremlin-backed cyber spies deploy fake charity fronts and custom malware to infiltrate Ukraine’s defenses.
Late last year, some members of Ukraine’s military received a message that seemed innocuous - an invitation to join a charitable initiative supporting the war effort. But behind the digital façade lurked a sophisticated Russian espionage group, wielding new malware and exploiting the trust built through everyday communication apps. The operation, uncovered by Ukraine’s CERT-UA, reveals a chilling evolution in state-sponsored cyberwarfare - one where the line between humanitarian aid and hostile intent is deliberately blurred.
Fast Facts
- Kremlin-backed hackers posed as charities to target the Ukrainian military between October and December 2025.
- The campaign used previously unknown malware, dubbed PluggyApe, to gain persistent remote access.
- Attackers contacted victims in Ukrainian via trusted messaging apps such as Signal and WhatsApp.
- The espionage group, Void Blizzard (aka Laundry Bear/UAC-0190), is linked to Russian state interests.
- Fake charity sites and tailored lures replaced traditional mass phishing tactics.
According to CERT-UA, the hackers - part of a group known as Void Blizzard - crafted highly convincing social engineering attacks targeting Ukraine’s Defense Forces. Disguised as representatives of charitable organizations, the attackers reached out via popular messaging apps, including Signal and WhatsApp. By mimicking the language, mannerisms, and even the phone numbers of legitimate Ukrainian organizations, they built trust with their targets. In some cases, attackers went so far as to place audio or video calls, demonstrating detailed knowledge of their victims’ roles and units.
The next step was the bait: links to websites purporting to be charitable foundations. Victims, believing they were downloading helpful documents, instead received password-protected archives containing malicious files. Sometimes, the malware came directly through the chat apps themselves. The payload was PluggyApe - a backdoor program previously unseen in the wild. Initial versions surfaced in October, but by December, PluggyApe had evolved with enhanced features to evade detection and confound analysts.
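The delivery chain above (a link to a "charity" site, then a password-protected archive whose contents cannot be scanned without the password) can be screened before anyone types the password in, because a ZIP's member names and its encryption flag live in the central directory in cleartext. The following Python triage script is an added example for this article, not CERT-UA's tooling or anything attributed to the campaign; the extension lists and scoring are assumptions to tune locally, and the sample archives are constructed in the code (Python cannot write encrypted ZIPs, so the sample builder flips the same header bit a password-protecting archiver sets).

```python
import io
import struct
import zipfile
from typing import NamedTuple

# Bit 0 of the ZIP general-purpose flags marks a member as encrypted (password-protected).
ENCRYPTED_FLAG = 0x1

# Assumed lists for this example: member types that have no business inside
# "documents from a charity", and document types attackers like to imitate.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".ps1", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


class ArchiveVerdict(NamedTuple):
    verdict: str              # "clean", "review" or "quarantine"
    encrypted_members: list   # names of password-protected members
    suspicious_members: list  # names with executable or disguised extensions
    reasons: list             # human-readable findings for the analyst


def _extensions(name: str):
    """Return (last extension, extension before it) in lower case, e.g. ('.exe', '.pdf')."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return last, prev


def triage_archive(data: bytes) -> ArchiveVerdict:
    """Inspect a ZIP without extracting it. Names and flags are read from the
    central directory, which stays readable even when members are encrypted."""
    encrypted, suspicious, reasons = [], [], []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    encrypted.append(info.filename)
                last, prev = _extensions(info.filename)
                if last in EXECUTABLE_EXTENSIONS:
                    suspicious.append(info.filename)
                    if prev in DOCUMENT_EXTENSIONS:
                        reasons.append(f"{info.filename}: document name disguising an executable")
                    else:
                        reasons.append(f"{info.filename}: executable inside a 'document' archive")
    except zipfile.BadZipFile:
        return ArchiveVerdict("review", [], [], ["not a valid ZIP archive; inspect manually"])

    if encrypted:
        reasons.append(f"{len(encrypted)} password-protected member(s); content cannot be scanned without the password")
    if encrypted and suspicious:
        verdict = "quarantine"
    elif encrypted or suspicious:
        verdict = "review"
    else:
        verdict = "clean"
    return ArchiveVerdict(verdict, encrypted, suspicious, reasons)


def build_sample(members: dict, mark_encrypted: bool) -> bytes:
    """Build a constructed ZIP for testing the triage logic. When mark_encrypted is set,
    the encryption bit is flipped in every local and central-directory header, which is
    the flag a password-protecting archiver sets; the member bytes stay unencrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit at offset 6 in a local file header and offset 8 in a central-directory entry.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + offset)[0]
                struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED_FLAG)
                pos = data.find(signature, pos + len(signature))
    return bytes(data)


if __name__ == "__main__":
    # Constructed samples: a lure-style archive and a benign one.
    lure = build_sample({"charity_report.pdf.exe": b"MZ constructed stub", "readme.txt": b"constructed"}, True)
    print(triage_archive(lure))
    benign = build_sample({"needs_list.pdf": b"%PDF-1.4 constructed"}, False)
    print(triage_archive(benign))
```

Run it against the archive as it arrives from the chat app or download, before the recipient opens it: a password-protected archive that also lists an executable member, especially one named like a document, is the pattern described above and should go to quarantine rather than to the user. Encryption alone is only a "review" signal, since legitimate senders do use password-protected archives; the combination is what makes the verdict.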
Once installed, PluggyApe granted the attackers persistent, stealthy access to the infected systems. They could issue commands remotely, monitor activity, and potentially exfiltrate sensitive military intelligence. This operation marks a significant tactical shift: rather than casting a wide net with mass phishing emails, Russian-linked hackers are now leveraging trusted, one-on-one communications to deliver their payloads. The use of everyday messaging apps - ubiquitous on personal and official devices - makes these attacks harder to spot and stop.
Ukrainian officials warn that such tactics are likely to proliferate, as adversaries exploit the blurred boundaries between personal and professional digital spaces. The PluggyApe campaign is a stark reminder: in today’s cyber conflict, even an offer of charity can be a weapon.
WIKICROOK
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Social engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
- Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.
- Password: A password is a secret word or code used to confirm your identity online and protect your accounts from unauthorized access.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
As digital battle lines shift, Ukraine’s defenders must now scrutinize even the most benevolent-seeming messages. The PluggyApe campaign is a warning to organizations worldwide: in the age of hybrid warfare, trust is the new attack surface - and it’s under siege.