UAC-0190 Attack Detection: Fake Charity Lures Used to Deploy the PLUGGYAPE Backdoor Against the Ukrainian Armed Forces
ID: 19b37dac-99d7-50ef-ba32-92a7e69979d9
STIX ID: report--19b37dac-99d7-50ef-ba32-92a7e69979d9
Feed Name: SOC Prime Blog
CERT‑UA disclosed a targeted cyber‑espionage campaign (Oct–Dec 2025) attributed to the Russia‑aligned UAC‑0190 / Void Blizzard (Laundry Bear) that used charity‑themed social engineering over Signal/WhatsApp to trick Ukrainian Armed Forces personnel into running malicious executables (notably PyInstaller‑packed .pif/.exe masquerading as documents). The attackers deployed the PLUGGYAPE backdoor — later upgraded to PLUGGYAPE.V2 with MQTT command‑and‑control and anti‑analysis checks — and SOC Prime published detection rules and MITRE ATT&CK mappings to help defenders hunt and detect the activity.