Saved February 14, 2026
Ukrainian Defense Forces were attacked by a charity-themed malware campaign delivering backdoor malware called PluggyApe, likely linked to the Russian threat groups Void Blizzard and Laundry Bear. The campaign used deceptive messages to lure victims into downloading malicious files disguised as documents. CERT-UA warns that mobile devices are increasingly targeted due to their weaker security.
Ukraine's Defense Forces were targeted by a charity-themed malware campaign from October to December 2025, involving backdoor malware known as PluggyApe. The Ukrainian Computer Emergency Response Team (CERT-UA) suspects the Russian threat groups Void Blizzard and Laundry Bear are behind these attacks, although it expresses only medium confidence in this attribution. Laundry Bear previously breached the Dutch police's internal systems in 2024, highlighting the group's focus on NATO member states and operations aligned with Russian strategic interests.
The attacks typically begin with instant messages sent through Signal or WhatsApp, directing recipients to a website that appears to belong to a charitable organization. Victims are prompted to download a password-protected archive that instead contains malicious executable files disguised with a .docx.pif extension. PluggyApe collects information from the infected host and maintains persistence by modifying the Windows Registry. This version of the malware has improved obfuscation and communication methods, leveraging base64-encoded command-and-control addresses sourced from external sites like rentry.co and pastebin.com.
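A defender-side check for the double-extension lure described above, added here as an example and not taken from the CERT-UA report: it flags file names that end in a document extension followed by an executable one, generalizing from the reported `.docx.pif` to assumed extension lists. The pipe-delimited log format, host names and paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions a recipient expects to be a harmless document (assumed list).
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt", "jpg", "png"}
# Extensions Windows runs directly (assumed list; .pif is the one the report names).
EXEC_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "lnk", "js", "vbs", "hta"}


def masquerade_extension(path):
    """Return (decoy, real) if the name ends in <decoy>.<executable>, else None."""
    name = PureWindowsPath(path.strip().strip('"')).name
    # Windows drops trailing dots and spaces from file names, so compare without them.
    name = name.rstrip(". ").lower()
    # Collapse whitespace padding used to push the real extension out of view.
    name = re.sub(r"\s+\.", ".", name)
    parts = name.split(".")
    if len(parts) < 3:
        return None  # a single extension is not a masquerade
    decoy, real = parts[-2], parts[-1]
    if decoy in DECOY_EXTS and real in EXEC_EXTS:
        return decoy, real
    return None


def scan(lines):
    """Return (host, file_name, decoy, real) for each matching process-creation record."""
    hits = []
    for line in lines:
        _ts, host, image = line.split("|", 2)
        found = masquerade_extension(image)
        if found:
            hits.append((host, PureWindowsPath(image.strip()).name, *found))
    return hits


# Constructed sample records: timestamp|host|image path
SAMPLE_LOG = [
    r"2025-11-03T09:14:02Z|WS-041|C:\Users\op1\Downloads\Charity_request.docx.pif",
    r"2025-11-03T09:15:40Z|WS-041|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"2025-11-03T09:20:11Z|WS-017|C:\Users\op2\Desktop\list.docx        .PIF ",
    r"2025-11-03T09:21:00Z|WS-017|C:\Tools\setup.v1.2.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT double extension:", hit)
```

The same function can be run over archive listings or mail-gateway attachment names; tune both extension sets to what is normal in the environment.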
CERT-UA warns that mobile devices are particularly vulnerable in these attacks due to their relative lack of protection. Attackers enhance their deception by using legitimate accounts and phone numbers of Ukrainian telecom operators and by communicating in Ukrainian, which can make their approach seem credible. The report includes a comprehensive list of indicators of compromise (IoCs), including deceptive websites masquerading as charity portals, to help organizations identify and mitigate risks associated with this campaign.