PluggyApe Malware Targeting Ukrainian Defense Forces
BLUF
A Russian-nexus APT group, Void Blizzard (UAC-0190), targeted Ukrainian defense officials with a backdoor malware called PluggyApe, using charity themes as a lure via Signal and WhatsApp.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by PluggyApe backdoor malware delivered via trusted messaging platforms and social engineering lures:
Low-end total cost: $750,000 – $1.5 million
(single-digit infections, rapid detection, limited operational disruption)
Typical expected range: $1.5 million – $3.5 million
(multiple endpoints affected, precautionary network isolation, extended monitoring)
Upper-bound realistic scenarios: $3.5 million – $7.0 million
(sensitive systems involved, regulatory scrutiny, prolonged assurance efforts)
Key Cost Drivers
· Number of endpoints requiring forensic validation and reimaging
· Duration of operational slowdown driven by security assurance requirements
· Sensitivity of accessed systems or communications
· Scope of regulatory reporting and oversight engagement
· Insurance exclusions or increased post-incident premiums
Potential Affected Sectors
· Military
· Government
· Defense organizations
Potential Affected Countries
· Ukraine primarily
· Potentially other Eastern European targets
Date of First Reported Activity
· Publicly reported on January 13, 2026.
Date of Last Reported Activity Update
· January 14, 2026
CVEs and CVSS Vectors
· There are no CVEs associated with this campaign at this time
Nessus ID
· Not applicable
Is this on the KEV list
· Not applicable at this time
Mitigation Data
· Focus on user awareness training and network detection
APT Names
· Void Blizzard
o Laundry Bear
o UAC-0190
Associated Criminal Organization Names
· Not applicable
IOCs
As a reminder, hunt on the heuristic behavior of the malware. Hashes, domains, and similar atomic indicators tend to be dynamic: they usually differ from target to target and attack to attack, and can even change within the same attack.
Network Indicators
Malicious Domains (Phishing Lures)
· harthulp-ua[.]com
· solidarity-help[.]org
External Data Sources (C2 Retrieval):
· rentry[.]co (used to store base64-encoded C2 addresses)
· pastebin[.]com (used to store base64-encoded C2 addresses)
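The dead-drop pattern above (and T1102.001 in the TTPs section) is worth having a small triage tool for: given the text of a paste pulled from one of these services, pull out base64-looking tokens, decode them, and keep only the ones that decode to something shaped like a C2 endpoint. The script below is an added example written for this report; it is not the report's tooling and not PluggyApe code. The paste content is constructed inline, the endpoint shape (ws://, mqtt://, host:port) is an assumption, since the report only says the addresses are base64-encoded, and the addresses used are documentation ranges and reserved example domains.

```python
"""Triage helper for dead-drop resolver pages (T1102.001).

Added example, not from the report and not malware code: scan paste text for
base64 tokens, decode them, and keep only those that decode to a C2-shaped
endpoint. The sample paste below is constructed for this example.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Runs of at least 12 base64 characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Assumed shape of a decoded C2 address: optional scheme, IP or hostname,
# optional port and path. The report does not specify the exact format.
C2_SHAPE = re.compile(
    r"^(?:(?:wss?|mqtts?|tcp)://)?"
    r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"(?::\d{1,5})?(?:/[^\s]*)?$"
)


def decode_b64(token: str) -> Optional[str]:
    """Decode one token; None if it is not valid base64 or not UTF-8 text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_c2_candidates(page_text: str) -> List[Tuple[str, str]]:
    """Return (token, decoded) pairs whose decoded form looks like a C2 endpoint."""
    found = []
    for token in B64_TOKEN.findall(page_text):
        decoded = decode_b64(token)
        if decoded and C2_SHAPE.match(decoded.strip()):
            found.append((token, decoded.strip()))
    return found


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def build_sample_paste() -> str:
    """Constructed paste: two encoded endpoints, a plaintext URL, and noise."""
    return "\n".join([
        "Thanks for your support! Donation details below.",
        _b64("ws://198.51.100.23:8765"),            # TEST-NET-2 address
        "mqtt://broker.example.net:1883 is plaintext, so it is ignored",
        _b64("mqtt://c2.example.net:1883"),
        _b64("This is just a message"),            # decodes, but not an endpoint
        "AAAAAAAAAAAAAAAA",                         # valid base64, decodes to NUL bytes
    ])


if __name__ == "__main__":
    for token, decoded in extract_c2_candidates(build_sample_paste()):
        print(f"{token}  ->  {decoded}")
```

Run it against the raw text of a retrieved paste; everything that is not a decodable, endpoint-shaped string is dropped, which keeps ordinary long words and binary blobs out of the output.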
C2 Protocols
· WebSocket and MQTT (Message Queuing Telemetry Transport) are used for command-and-control communication.
Host Indicators
File Extensions:
· .docx.pif (Malicious Program Information Files)
· .pdf.exe (Used in earlier versions of the loader)
Persistence Mechanism
Modification of the Windows Registry to ensure the backdoor executes upon system startup.
Payload Characteristics:
· The primary payload is a PyInstaller-based executable.
· PluggyApe Version 2 (observed in December 2025) includes advanced obfuscation and anti-analysis checks to detect virtual environments.
Tools Used in Campaign
· Signal
· WhatsApp (for communication/delivery)
· PluggyApe malware.
TTPs
Initial Access
· T1566.003 Phishing
o Spearphishing Service: Attackers use messaging apps like Signal and WhatsApp, masquerading as charitable organizations, to send malicious links.
· T1204.001 User Execution
o Malicious Link: Targets are enticed to click on charity-themed URLs (e.g., solidarity-help[.]org) to download malicious archives.
Execution
· T1059.006 Command and Scripting Interpreter
o Python: The malware is written in Python and often distributed as a PyInstaller-compiled executable.
· T1204.002 User Execution Malicious File
o Payloads are delivered via password-protected archives containing executable files disguised as legitimate documents (e.g., using .pdf.exe or .pif extensions).
Persistence
· T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
o PluggyApe maintains its presence on the host by modifying Windows Registry entries.
Defense Evasion
· T1027 Obfuscated Files or Information
o The malware uses base64-encoded strings and enhanced obfuscation in its second version to hide command-and-control (C2) addresses and internal logic.
· T1497 Virtualization/Sandbox Evasion
o Newer variants (Version 2) include anti-analysis checks specifically designed to prevent execution in virtual environments.
Discovery
· T1082 System Information Discovery
o Upon infection, the backdoor profiles the host system and generates a unique victim identifier.
Command and Control
· T1102.001 Web Service: Dead Drop Resolver
o PluggyApe retrieves its C2 server addresses from external services like Rentry.co and Pastebin.com.
· T1071.001 Application Layer Protocol
o Web Protocols: Uses WebSockets for initial versions of the backdoor communication.
· T1071.004 Application Layer Protocol
o DNS/MQTT: Version 2 (released December 2025) added support for the MQTT protocol for more flexible and stealthy communication.
Malware Names
· PluggyApe (backdoor malware)
Malware Samples
sha256
0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
Known Decoding Key
· 76D55BD2F3124EDD
URL link to sample
· hxxps://www.virustotal.com/gui/file/0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
Malware Family
CovalentStealer
Verdict:
Malicious (Custom Exfiltration Tool).
Primary Objective
· Identification
· Categorization
· Exfiltration of sensitive documents to cloud storage
Threat Actor Context
· Used by Advanced Persistent Threat (APT) actors to compromise Defense Industrial Base (DIB) sector organizations
Behavioral Analysis (Dynamic)
Execution
· Decoded and Launched
o This sample is an obfuscated file typically decoded by a loader (e.g., ntstatus.exe) using a specific key.
Discovery
· File & Share Enumeration
o Identifies local file shares and categorizes documents based on predetermined configuration paths.
Collection
· Data Staging
o Targets specific document types and user documents, often using stolen credentials for access.
Exfiltration
· Cloud Upload
o Collected files are encrypted with 256-bit AES and uploaded to a Microsoft OneDrive cloud folder.
Suggested Rules / Potential Hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Detect outbound MQTT session setup (the CONNECT packet: first byte 0x10, then the protocol name "MQTT") to external hosts on any port; PluggyApe version 2 uses MQTT for tasking, and matching on content rather than port also catches MQTT on unusual ports. The |00 04| length prefix with a short search window covers a remaining-length field of one to four bytes, so long CONNECT packets (large client ID, username or will message) are not missed. Plaintext MQTT only: MQTT over TLS (commonly port 8883) cannot be matched on content. Legitimate IoT and telemetry clients will trigger this, so exclude known brokers.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE PluggyApe V2 MQTT CONNECT (possible C2 session setup)"; flow:established,to_server; content:"|10|"; depth:1; content:"|00 04|MQTT"; offset:2; depth:9; classtype:trojan-activity; sid:2026001; rev:2;)
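To see what a content match on the MQTT CONNECT packet actually covers, the parser below builds CONNECT packets, checks them the way a fixed-offset rule does (0x10 at byte 0, "MQTT" at bytes 4..7) and the way a windowed rule does (|00 04|MQTT anywhere in bytes 2..10), and decodes the packet properly regardless of how wide the remaining-length field is. It is an added example, not code from the report, from Suricata, or from the malware; the packets are constructed in memory, and client ID and keepalive values are arbitrary. The point it makes: a fixed offset of 4 assumes a single-byte remaining length, i.e. a CONNECT body under 128 bytes, and silently misses longer ones.

```python
"""MQTT CONNECT parser and rule-coverage check (added example, constructed packets)."""
import struct
from typing import Dict, Optional, Tuple

CONNECT = 0x10  # MQTT control packet type 1 in the high nibble


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, position after the field); the spec allows up to 4 bytes."""
    value, mult = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[pos + i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos + i + 1
        mult *= 128
    raise ValueError("malformed remaining length")


def build_connect(client_id: str, keepalive: int = 60, protocol_level: int = 4) -> bytes:
    """Minimal MQTT 3.1.1 CONNECT: clean session, no username/password/will."""
    name = b"MQTT"
    body = struct.pack(">H", len(name)) + name          # protocol name
    body += bytes([protocol_level, 0x02])               # level, connect flags
    body += struct.pack(">H", keepalive)
    cid = client_id.encode()
    body += struct.pack(">H", len(cid)) + cid
    return bytes([CONNECT]) + encode_remaining_length(len(body)) + body


def rule_matches_fixed_offset(payload: bytes) -> bool:
    """Fixed-offset logic: |10| at byte 0 and "MQTT" exactly at bytes 4..7."""
    return len(payload) >= 8 and payload[0] == CONNECT and payload[4:8] == b"MQTT"


def rule_matches_window(payload: bytes) -> bool:
    """Windowed logic: |10| at byte 0 and |00 04|MQTT anywhere in bytes 2..10."""
    return len(payload) > 1 and payload[0] == CONNECT and b"\x00\x04MQTT" in payload[2:11]


def parse_connect(payload: bytes) -> Optional[Dict[str, object]]:
    """Decode a CONNECT whatever the remaining-length width; None if not a CONNECT."""
    if not payload or (payload[0] & 0xF0) != CONNECT:
        return None
    try:
        remaining, pos = decode_remaining_length(payload, 1)
        if len(payload) - pos < remaining:
            return None
        name_len = struct.unpack_from(">H", payload, pos)[0]
        pos += 2
        name = payload[pos:pos + name_len]
        pos += name_len
        if name not in (b"MQTT", b"MQIsdp"):     # 3.1.1/5.0 and legacy 3.1 names
            return None
        level, flags = payload[pos], payload[pos + 1]
        keepalive = struct.unpack_from(">H", payload, pos + 2)[0]
        pos += 4
        cid_len = struct.unpack_from(">H", payload, pos)[0]
        client_id = payload[pos + 2:pos + 2 + cid_len].decode("utf-8", "replace")
    except (struct.error, IndexError, ValueError):
        return None
    return {"protocol": name.decode(), "level": level, "flags": flags,
            "keepalive": keepalive, "client_id": client_id}


if __name__ == "__main__":
    for label, pkt in (("short", build_connect("abc")), ("long", build_connect("a" * 130))):
        print(label, "fixed-offset:", rule_matches_fixed_offset(pkt),
              "window:", rule_matches_window(pkt), "parsed:", parse_connect(pkt) is not None)
```

The "long" packet has a 142-byte body, so its remaining length is encoded as two bytes (8E 01) and "MQTT" lands at offset 5; only the windowed check and the real parser see it.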
PluggyApe fetches base64-encoded C2 addresses from rentry.co or pastebin.com (T1102.001, dead drop resolver). Both services serve over HTTPS, so the http_host/http_uri rules below only fire where TLS is terminated at an inspecting proxy; on untouched TLS, match the server name in the ClientHello (tls.sni) instead. One rule per host is required: two http_host content matches in a single rule demand both strings in the same Host header, which never happens. The URI patterns target the raw-text endpoints the loader would fetch (rentry.co/<id>/raw, pastebin.com/raw/<id>) as well as the plain paste page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE PluggyApe Dead Drop C2 Retrieval (Rentry)"; flow:established,to_server; content:"rentry.co"; http_host; pcre:"/^\/[a-zA-Z0-9_-]{3,40}(?:\/raw)?$/U"; classtype:trojan-activity; sid:2026002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE PluggyApe Dead Drop C2 Retrieval (Pastebin)"; flow:established,to_server; content:"pastebin.com"; http_host; pcre:"/^\/(?:raw\/)?[a-zA-Z0-9]{8}$/U"; classtype:trojan-activity; sid:2026003; rev:1;)
SentinelOne
Detect the launch of PIF or .pdf.exe files from user-writable paths, which the malware uses as PyInstaller-built loaders. A PyInstaller executable carries nothing about PyInstaller in its command line, so the extension and launch location are the usable signals (Deep Visibility query syntax; field names vary by console version).
EventType = "Process Creation" AND TgtProcName RegExp "\.(pif|pdf\.exe)$" AND TgtProcImagePath ContainsCIS "\Users\"
Search for Run-key persistence in the Windows Registry whose value data points at a .pif or .pdf.exe file or at a user-writable path.
EventType In ("Registry Value Create", "Registry Value Modified") AND RegistryKeyPath ContainsCIS "Software\Microsoft\Windows\CurrentVersion\Run" AND (RegistryValue ContainsCIS "PluggyApe" OR RegistryValue RegExp "\.(pif|pdf\.exe)" OR RegistryValue ContainsCIS "\Users\")
Splunk
Identify when a .pif or .pdf.exe file is created in a user-writable directory such as Downloads or AppData. Event ID 11 (FileCreate) is a Sysmon event, so it is found in the Sysmon sourcetype, not the Security log.
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*.pif" OR TargetFilename="*.pdf.exe")
    (TargetFilename="*\\Users\\*\\Downloads\\*" OR TargetFilename="*\\AppData\\*")
| stats count values(Image) as creating_process by TargetFilename, User, host
Dead Drop Retrieval: the base64-encoded C2 address sits in the paste body, not in the URL, so hunt the request pattern instead: fetches of the raw-text endpoints (rentry.co/<id>/raw, pastebin.com/raw/<id>), repeated polling of the same paste from one host, and non-browser user agents.
index=proxy (url="*rentry.co/*" OR url="*pastebin.com/*")
| eval raw_fetch=if(match(url, "rentry\.co/[^/]+/raw") OR match(url, "pastebin\.com/raw/"), 1, 0)
| stats count sum(raw_fetch) as raw_fetches min(_time) as first_seen max(_time) as last_seen values(http_user_agent) as agents by src_ip, url
| where raw_fetches > 0 OR count > 10
| convert ctime(first_seen) ctime(last_seen)
Identify Host Profiling: look for three or more distinct system profiling tools (e.g., systeminfo, whoami, ipconfig) spawned by the same parent process within a five-minute window; extend the tool list to taste. Grouping by the time bucket is what makes the five-minute window take effect.
index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    process_name IN ("systeminfo.exe", "whoami.exe", "ipconfig.exe", "hostname.exe", "tasklist.exe")
| bin _time span=5m
| stats dc(process_name) as distinct_tools values(process_name) as tools values(ParentImage) as parent_image by _time, ParentProcessId, host
| where distinct_tools >= 3
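The three host-side hunts above (double-extension executables in user directories, Run-key values pointing at them, and bursts of profiling tools under one parent) can be exercised without a SIEM. The script below is an added example, not the report's tooling: it applies the same logic to a handful of constructed Sysmon-style event records (Event IDs 1, 11 and 13, with Sysmon's XML field names), using the report's five-minute window and a three-tool threshold. Host name, SIDs, paths and timestamps are all made up for the example.

```python
"""Host-side hunt for the PluggyApe indicators, over constructed Sysmon-like events.

Added example, not from the report. Field names follow Sysmon's XML event
schema (TargetFilename, TargetObject, Details, Image, ParentProcessId).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from typing import Dict, List, Tuple

EXEC_EXT = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")
DOC_EXT = (".docx", ".doc", ".pdf", ".xlsx", ".txt")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
PROFILING_TOOLS = {"systeminfo.exe", "whoami.exe", "ipconfig.exe", "hostname.exe", "tasklist.exe"}
WINDOW = timedelta(minutes=5)


def is_deceptive_double_extension(path: str) -> bool:
    """True for names like report.docx.pif or invoice.pdf.exe."""
    low = path.lower()
    return any(low.endswith(e) for e in EXEC_EXT) and any(
        low.rsplit(".", 1)[0].endswith(d) for d in DOC_EXT)


def hunt_file_creates(events: List[Dict]) -> List[str]:
    """Event ID 11: double-extension executables written to user-writable paths."""
    return [e["TargetFilename"] for e in events if e["EventID"] == 11
            and is_deceptive_double_extension(e["TargetFilename"])
            and USER_WRITABLE.search(e["TargetFilename"])]


def hunt_run_keys(events: List[Dict]) -> List[Tuple[str, str]]:
    """Event ID 13: Run-key values whose data points at a suspicious file or path."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY.search(e["TargetObject"]):
            continue
        data = str(e["Details"]).strip().strip('"')
        if is_deceptive_double_extension(data) or USER_WRITABLE.search(data):
            hits.append((e["TargetObject"], data))
    return hits


def hunt_profiling_bursts(events: List[Dict]) -> List[Tuple[str, int, List[str]]]:
    """Event ID 1: parents spawning >= 3 distinct profiling tools within WINDOW."""
    by_parent = defaultdict(list)
    for e in events:
        if e["EventID"] != 1:
            continue
        tool = e["Image"].rsplit("\\", 1)[-1].lower()
        if tool in PROFILING_TOOLS:
            by_parent[(e["Computer"], e["ParentProcessId"])].append(
                (datetime.fromisoformat(e["UtcTime"]), tool))
    hits = []
    for (host, ppid), runs in by_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):            # sliding window from each start
            tools = {name for t, name in runs[i:] if t - t0 <= WINDOW}
            if len(tools) >= 3:
                hits.append((host, ppid, sorted(tools)))
                break
    return hits


def ev(event_id: int, utc_time: str, **fields) -> Dict[str, object]:
    """Build one constructed Sysmon-like event record."""
    return {"EventID": event_id, "UtcTime": utc_time, "Computer": "WS01", **fields}


SAMPLE_EVENTS = [  # constructed for this example
    ev(11, "2026-01-13 09:00:05", TargetFilename=r"C:\Users\olena\Downloads\volunteer_list.docx.pif"),
    ev(11, "2026-01-13 09:00:06", TargetFilename=r"C:\Users\olena\Downloads\volunteer_list.docx"),
    ev(13, "2026-01-13 09:01:00",
       TargetObject=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
       Details=r"C:\Users\olena\AppData\Roaming\svc\volunteer_list.docx.pif"),
    ev(13, "2026-01-13 09:01:01",
       TargetObject=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
       Details=r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ev(1, "2026-01-13 09:01:10", ParentProcessId=4120, Image=r"C:\Windows\System32\systeminfo.exe"),
    ev(1, "2026-01-13 09:01:12", ParentProcessId=4120, Image=r"C:\Windows\System32\whoami.exe"),
    ev(1, "2026-01-13 09:01:15", ParentProcessId=4120, Image=r"C:\Windows\System32\ipconfig.exe"),
    ev(1, "2026-01-13 09:30:00", ParentProcessId=5200, Image=r"C:\Windows\System32\whoami.exe"),
]

if __name__ == "__main__":
    print("file creates:", hunt_file_creates(SAMPLE_EVENTS))
    print("run keys:", hunt_run_keys(SAMPLE_EVENTS))
    print("profiling bursts:", hunt_profiling_bursts(SAMPLE_EVENTS))
```

The benign records (the plain .docx download, the System32 Run value, the single whoami under a different parent) are there to show that each hunt keys on the combination of signals rather than on any one of them.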
Delivery Method
Social engineering via messaging platforms (Signal, WhatsApp) using charity lures.
Email Samples
· Not applicable
URL References
Bleeping Computer
· hxxps://www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign
The Hacker News
· hxxps://thehackernews.com/2026/01/pluggyape-malware-uses-signal-and.html
VirusTotal
· hxxps://www.virustotal.com/gui/file/0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
NerdCore Computers
· hxxps://www.1300nerdcore.com.au/post/ukraine-s-military-targeted-in-a-new-charity-themed-malware-campaign
TrendMicro
· hxxps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.plugx.eysgvm