CERT-UA advisory outlines PLUGGYAPE campaign using Signal and WhatsApp against Ukrainian forces

In a CERT-UA advisory the agency said that between October and December 2025 Ukrainian defense forces were targeted with a Python backdoor named PLUGGYAPE that can execute commands over WebSocket or MQTT.

KEY FACTS

  • Incident: PLUGGYAPE backdoor deployed against Ukrainian defense forces
  • Timeline: October to December 2025
  • Delivery: links sent via Signal and WhatsApp disguised as charity communications
  • Capabilities: remote code execution using WebSocket or MQTT

Attack chains used messages on Signal and WhatsApp, written in Ukrainian and sent from what appeared to be local mobile accounts, to persuade targets to download password-protected archives from sites impersonating aid organizations.

The archives contained an executable packaged with PyInstaller that installed the PLUGGYAPE backdoor. Successive malware iterations increased obfuscation and added anti-analysis checks to hinder execution in virtual environments.

PLUGGYAPE is written in Python and establishes command and control over WebSocket or MQTT; MQTT support was added in December 2025. Command and control addresses were not hard-coded in the samples but retrieved from paste services, where they were stored base64-encoded.
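The paste-service indirection described above gives a defender a concrete triage task: given the text of a paste that a sample fetched, decode any base64 blobs and pull out WebSocket or MQTT endpoints for blocking and logging. The following is an added example written for this article, not code from CERT-UA or from the malware; the sample paste content and the `.invalid` hostnames are constructed placeholders, and the default ports used when a URL omits one are an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# C2 transports named in the advisory. Default ports are an assumption,
# applied only when the decoded URL carries no explicit port.
TRANSPORTS = {
    "ws": ("websocket", 80),
    "wss": ("websocket", 443),
    "mqtt": ("mqtt", 1883),
    "mqtts": ("mqtt", 8883),
}

# A run of base64 alphabet characters long enough to be worth decoding,
# with optional padding. Short words in surrounding text will not match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_token(token):
    """Decode one base64 token to text, tolerating stripped padding.

    Returns None when the token is not valid base64 or not UTF-8 text,
    which is the common case for long ordinary words the regex picks up.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify_endpoint(url):
    """Return transport details for a ws/wss/mqtt/mqtts URL, else None."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in TRANSPORTS or not parsed.hostname:
        return None
    transport, default_port = TRANSPORTS[parsed.scheme]
    return {
        "transport": transport,
        "scheme": parsed.scheme,
        "host": parsed.hostname,
        "port": parsed.port or default_port,
        "path": parsed.path or "/",
    }


def extract_c2_candidates(paste_text):
    """Find base64 blobs in paste text and keep the decoded WebSocket/MQTT URLs.

    A single blob may carry several endpoints separated by whitespace, so
    each decoded blob is split before classification. Duplicates are dropped.
    """
    found, seen = [], set()
    for token in B64_TOKEN.findall(paste_text):
        decoded = decode_b64_token(token)
        if decoded is None:
            continue
        for piece in decoded.split():
            info = classify_endpoint(piece)
            if info is None:
                continue
            key = (info["scheme"], info["host"], info["port"])
            if key not in seen:
                seen.add(key)
                found.append(info)
    return found


# Constructed sample paste (not from the advisory): a charity-themed cover
# line, one base64 blob holding two placeholder C2 URLs, and trailing text.
_BLOB = base64.b64encode(
    b"wss://c2-placeholder-1.invalid:8443/ws\nmqtt://c2-placeholder-2.invalid"
).decode()
SAMPLE_PASTE = (
    "Fundraiser update 2025\n"
    + _BLOB + "\n"
    + "thank you for supporting the volunteers\n"
)

if __name__ == "__main__":
    for endpoint in extract_c2_candidates(SAMPLE_PASTE):
        print(endpoint)
```

The output is a list of dictionaries, one per distinct endpoint, suitable for feeding into a blocklist or a proxy/firewall rule. Because the regex is deliberately loose, the decode and scheme checks do the filtering: anything that is not valid base64, not UTF-8, or not a ws/wss/mqtt/mqtts URL is discarded rather than reported.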

Separate clusters delivered a Go-based stealer called FILEMESS via VHD phishing and used an open source C2 framework named OrcaC2. Another campaign used ZIP archives containing LNK shortcuts that launched HTA and PowerShell to deploy LaZagne and a Go backdoor called GAMYBEAR.

WHY IT MATTERS

Use of widely used messaging apps and legitimate-looking accounts increases the effectiveness of social engineering and complicates detection. Interchangeable C2 transports and externally hosted C2 addresses make the activity resilient to infrastructure takedowns, since operators can repoint implants without reissuing the malware.