PLUGGYAPE

PluggyApe is a Python-based backdoor used in targeted cyber-espionage campaigns against Ukraine’s Defense Forces between October and December 2025. CERT-UA attributed the activity with medium confidence to the Russian-aligned threat actor tracked as UAC-0190, also known as Void Blizzard and Laundry Bear. Delivery relied on social engineering via Signal and WhatsApp, including charity-themed lures, fake charitable-foundation websites, direct file sharing in chat, password-protected archives, and deceptive double-extension executables such as .docx.pif and earlier .pdf.exe loaders. In multiple cases the payload was packaged with PyInstaller.

Once executed, PluggyApe installs a persistent backdoor that provides remote access to the infected Windows system. Reported capabilities include host profiling, generation of a unique victim or device identifier using hardware/system attributes hashed with SHA-256, remote command or arbitrary code execution, and data exfiltration. Persistence is established through Windows Registry Run-key modification; CERT-UA specifically reported HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name RealtekDevice. PluggyApe communicates with command infrastructure over WebSocket and/or MQTT and exchanges data in JSON format.

The malware evolved during the campaign. Early October 2025 activity used a loader that downloaded a Python interpreter and an early PluggyApe script from Pastebin. By December 2025, an improved obfuscated variant, PLUGGYAPE.V2, was observed using MQTT, enhanced obfuscation, and anti-analysis checks including virtual-machine detection. Later variants also improved operational resilience by retrieving Base64-encoded C2 addresses from public paste services such as pastebin.com and rentry.co instead of relying only on hardcoded infrastructure.

High-confidence infrastructure and artifacts directly mentioned in the content include C2 IPs 193.23.216.39, 108.165.164.155, and 176.9.23.216; related endpoints tcp://193.23.216.39:8765, tcp://193.23.216.39:1883, tcp://108.165.164.155:1883, and tcp://176.9.23.216:1883; additional related infrastructure 144.31.25.203, 144.31.106.23, and 144.31.25.222; themed or attacker-controlled domains saint-daniel.org, saint-daniel.world, hart-hulp-ua.com, harthulp-ua.com, solidarity-help.com, and solidarity-help.org; public resources including pastebin.com raw URLs, ghostbin.axel.org, and rentry.co/MicrosoftAdvertisingEndpoint; lure filenames such as Drone positions in warehouse 1 (Suceava).pdf.exe, Warehouse positions 1 (Chisinau).pdf.exe, Warehouse positions 1 (Lodz).pdf.exe, Zverninya.docx.exe, Inventory_list.docx.pif, Inventory List.dоcх.pif, Inventory_list.docx (1).pif, blank_zvernenya.docx.pif, and Inventory_list_new.docx.pif; PluggyApe-related Python files qAKhdTLq.py, main.py, Inventory_list.docx.pif.py, xy359.py, o.d.f.a.d.g.j.k.l.f.s.f.d.d.a.py, and code.py; and host artifacts %TMP%\main.py, %TMP%\o.d.f.a.d.g.j.k.l.f.s.f.d.d.a.py, and the PDB path C:\Users\User\source\repos\MolineRebuild\x64\Release\MolineRebuild.pdb.