VulnHub

Real-time Cybersecurity News

PLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces

The Hacker News
Actively Exploited
Malware

Overview

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyber attacks targeting Ukrainian defense forces using a malware called PLUGGYAPE. These attacks occurred between October and December 2025 and have been linked to a Russian hacking group known as Void Blizzard. This group, also referred to as Laundry Bear or UAC-0190, has been active for several years. The use of popular messaging platforms like Signal and WhatsApp suggests that attackers are exploiting familiar tools to deliver their malware, making detection and prevention more challenging. This incident raises concerns about the cybersecurity of military organizations, especially in conflict zones, where the integrity of communications is crucial.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Ukrainian defense forces, Signal, WhatsApp
  • Action Required: Users should implement security best practices such as updating all software, using strong, unique passwords, and enabling two-factor authentication on messaging apps.
  • Timeline: Newly disclosed

Original Article Summary

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The activity has been attributed with medium confidence to a Russian hacking group tracked as Void Blizzard (aka Laundry Bear or UAC-0190). The threat actor is believed to be active since at least

Impact

Ukrainian defense forces, Signal, WhatsApp

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Users should implement security best practices such as updating all software, using strong, unique passwords, and enabling two-factor authentication on messaging apps.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Malware.

Read Original Article

Related Coverage

Underground guide reveals how threat actors vet stolen credit card markets

SCM feed for Latest

A newly released underground guide reveals insights into how cybercriminals assess and engage in the stolen credit card market. Rather than simply using stolen credit cards, the guide emphasizes a systematic approach where fraudsters carefully vet their suppliers. This shift indicates a more organized and methodical operation within the realm of credit card fraud. The implications are significant, as it suggests that attackers are becoming more sophisticated, which could lead to an increase in successful fraud attempts. As a result, consumers and financial institutions may face heightened risks as these organized networks operate more effectively.

Apr 17, 2026

DraftKings hacker sentenced to 30 months for credential stuffing scheme

SCM feed for Latest

In November 2022, a group of hackers executed a credential stuffing attack against DraftKings, using stolen usernames and passwords sourced from the dark web. This method allowed them to gain unauthorized access to numerous user accounts, compromising sensitive information for many customers. The incident culminated in a legal case where one of the attackers was sentenced to 30 months in prison. This case serves as a reminder of the dangers of reusing passwords across different platforms, as it can make users vulnerable to such attacks. Companies like DraftKings must ensure robust security measures are in place to protect user data from similar threats in the future.

Apr 17, 2026

New ZionSiphon malware targets Israeli water systems

SCM feed for Latest

A new malware strain called ZionSiphon has been identified targeting water systems in Israel. According to a report by Darktrace, ZionSiphon uses several common cyberattack techniques, including privilege escalation and persistence mechanisms, allowing it to remain on infected systems. It can also propagate through removable media, which raises concerns about its ability to spread across different devices. This development is particularly alarming given the critical nature of water systems and the potential for significant disruption. Security experts are urging organizations, especially those in critical infrastructure, to remain vigilant and enhance their cybersecurity measures to defend against this type of threat.

Apr 17, 2026

Operation PowerOFF dismantles DDoS-for-hire services, nabs suspects

SCM feed for Latest

Operation PowerOFF has successfully disrupted several 'booter' services that allow users to pay for launching distributed denial-of-service (DDoS) attacks. These services have been a growing concern as they enable individuals to easily target websites and online services, causing disruptions and potential financial losses. Law enforcement agencies coordinated efforts to take down these operations, leading to multiple arrests. This crackdown is significant as it aims to reduce the accessibility of DDoS attack tools, which can affect various online services and users. The operation highlights the ongoing battle against cybercrime and the need for continued vigilance in cybersecurity.

Apr 17, 2026

Dutch Navy warship tracked via Bluetooth device sent through mail

SCM feed for Latest

A Dutch Navy warship was tracked using a Bluetooth device that was mailed to a deployed service member. Journalist Just Vervaart obtained publicly available instructions from the Dutch Ministry of Defence regarding how to send mail to those in the field. The incident raises serious concerns about the security of military assets, as the Bluetooth device allowed for real-time tracking of the vessel's location. This situation highlights vulnerabilities in military communications and logistics, which could be exploited by adversaries. The implications of such tracking could endanger the safety of personnel and compromise operational security.

Apr 17, 2026

Kyrgyzstan-based crypto exchange Grinex shuts down after $13.7M cyber heist, blames Western Intelligence

Security Affairs

Grinex, a cryptocurrency exchange based in Kyrgyzstan, has suspended its operations after a significant cyber attack resulted in the theft of $13.7 million. The company claims that the attackers are linked to Western intelligence agencies, and the stolen funds primarily belonged to Russian users of the platform. This incident raises serious concerns about the security of cryptocurrency exchanges and the potential for state-sponsored cyber activities targeting financial platforms. With the growing popularity of cryptocurrencies, such breaches could erode user trust and prompt regulatory scrutiny. The fallout from this attack may have ripple effects across the crypto market, especially for exchanges operating in regions with geopolitical tensions.

Apr 17, 2026