Russian hackers deploy new malware in phishing campaign targeting Ukraine
Summary: Researchers have identified a cyber-espionage campaign against Ukraine that uses two new malware strains, BadPaw and MeowMeow, delivered through phishing emails whose lure document is disguised as a border-crossing permit. The MeowMeow backdoor has file-manipulation and detection-evasion capabilities, and the activity is suspected to be the work of a Russia-backed actor.

2026-3-4 14:45:46 Author: therecord.media (view original)

Researchers have identified a suspected Russian espionage campaign targeting Ukraine that uses two previously undocumented malware strains, according to a new report.

The operation begins with a phishing email with a link to a ZIP archive containing a malicious document written in Ukrainian that appears to grant a permit for crossing a Ukrainian border checkpoint, researchers at cybersecurity firm ClearSky said.

Opening the archive triggers the download of a malware loader dubbed BadPaw, which then installs a second tool called MeowMeow, a sophisticated backdoor that allows attackers to access infected systems and manipulate files stored locally.

According to ClearSky, the backdoor can check whether specific files exist on a device and can read, write or delete data on the compromised machine.

Both malware strains include mechanisms designed to evade detection. The MeowMeow backdoor scans infected systems for signs of virtual machines and common cybersecurity analysis tools, automatically terminating itself if it detects a research or sandbox environment.
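The report, as relayed here, describes the evasion logic only at this level: the backdoor looks for virtual-machine and analysis-tool artifacts and exits when it finds them. The specific checks MeowMeow performs are not given on this page. As an added illustration that is not ClearSky's analysis and not code from the campaign, the Python below takes the kind of inventory such a backdoor typically takes (running process names, NIC MAC address prefixes, hardware vendor strings) and reports which artifacts would reveal a sandbox. The process names, OUI prefixes and vendor markers are illustrative assumptions chosen by the editor, not indicators from the campaign; the sample inventory in the `__main__` block is constructed. The defensive use is to run the same inventory against an analysis VM and see what it needs to hide before detonating a sample that behaves this way.

```python
"""Sandbox-artifact self-check: what an anti-analysis backdoor would see.

Added example, not ClearSky's or MeowMeow's code. All indicator lists below are
assumptions for illustration, not indicators published for this campaign.
"""
import re
import uuid

# Analysis tools and hypervisor guest agents an evasive backdoor commonly
# looks for in the process list (assumed, illustrative list).
ANALYSIS_PROCESSES = {
    "wireshark.exe", "procmon.exe", "procmon64.exe", "procexp.exe",
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida64.exe", "fiddler.exe",
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
}

# OUI prefixes (first three octets) registered to hypervisor vendors; the
# mapping is well known but treat it as an assumed, non-exhaustive list.
VM_MAC_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels", "00:16:3e": "Xen",
}

# Substrings that show up in BIOS / board / manufacturer strings of VMs.
VM_VENDOR_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
    "virtual machine", "parallels", "bochs",
)


def normalize_mac(mac: str) -> str:
    """Accept 00-0C-29-.., 00:0c:29:.. or 000c29.. and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_processes(process_names):
    """Return the analysis/VM-guest processes present, lower-cased, in input order."""
    return [p.lower() for p in process_names if p.lower() in ANALYSIS_PROCESSES]


def check_macs(macs):
    """Return (mac, vendor) for each NIC whose OUI belongs to a hypervisor vendor."""
    hits = []
    for mac in macs:
        norm = normalize_mac(mac)
        vendor = VM_MAC_OUIS.get(norm[:8])
        if vendor:
            hits.append((norm, vendor))
    return hits


def check_vendor_strings(strings):
    """Return hypervisor markers found in manufacturer/product strings, deduplicated."""
    found = []
    for s in strings:
        low = s.lower()
        for marker in VM_VENDOR_MARKERS:
            if marker in low and marker not in found:
                found.append(marker)
    return found


def assess(process_names, macs, vendor_strings):
    """Combine the three checks into the verdict an evasive backdoor would reach.

    Any single positive check is enough: malware of this kind exits on the
    first artifact it sees, so a sandbox must pass all of them.
    """
    findings = {
        "processes": check_processes(process_names),
        "vm_macs": check_macs(macs),
        "vendor_markers": check_vendor_strings(vendor_strings),
    }
    exposed = sum(1 for v in findings.values() if v)
    findings["exposed_checks"] = exposed
    findings["verdict"] = "likely_sandbox" if exposed else "looks_like_real_host"
    return findings


def host_mac():
    """MAC of this host as a backdoor would read it (uuid.getnode may fall back
    to a random 48-bit value when no hardware address is available)."""
    return normalize_mac(f"{uuid.getnode():012x}")


if __name__ == "__main__":
    # Constructed inventory standing in for a typical, unhardened analysis VM.
    report = assess(
        process_names=["explorer.exe", "svchost.exe", "Wireshark.exe", "vmtoolsd.exe"],
        macs=["00-0C-29-3A-7B-21"],
        vendor_strings=["VMware, Inc.", "VMware7,1"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
    print("this host's primary MAC as seen by malware:", host_mac())
```

Running it on a real analysis VM means replacing the constructed lists with the output of `tasklist`/`ps`, the NIC configuration and the SMBIOS strings; every non-empty finding is an artifact to rename, spoof or remove, since a backdoor that terminates on the first hit leaves the analyst with nothing to observe.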

ClearSky attributed the campaign with high confidence to a Russian state-aligned threat actor and with low confidence to the hacking group APT28, also referred to as Fancy Bear, BlueDelta or Forest Blizzard.

“The focus on Ukrainian entities, combined with the geopolitical nature of the lure, aligns with Russian strategic objectives,” the researchers said.

The phishing emails were sent from addresses hosted by ukr.net, a widely used Ukrainian email service that researchers said has been used in previous campaigns linked to APT28 to harvest credentials and collect intelligence.

The report did not identify the targets of the campaign or say whether the attacks were successful.

Widely believed to be linked to Russia’s military intelligence agency, APT28 has previously conducted cyber-espionage and credential-harvesting operations against government agencies, defense contractors, weapons suppliers and logistics firms.

Earlier this week, Ukraine’s computer emergency response team, CERT-UA, reported a separate hacking campaign targeting Ukrainian government institutions using ShadowSniff and SalatStealer information-stealing malware. The agency attributed the activity to a threat actor tracked as UAC-0252.



Source: https://therecord.media/russian-ukraine-hackers-malware