Russian APT targets Ukraine with BadPaw and MeowMeow malware

Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails.

Researchers reported a phishing campaign linked to Russia that targets Ukrainian organizations using two new malware families, BadPaw and MeowMeow. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.

“The attack chain initiates with a phishing email containing a link to a ZIP archive. Once
extracted, an initial HTA file displays a lure document written in Ukrainian concerning border
crossing appeals to deceive the victim.” reads the report published by ClearSky. “Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor.”

Researchers found that both malware strains use the .NET Reactor packer to make the analysis and reverse engineering harder, showing the attackers’ intent to evade detection and maintain long-term persistence.

“An additional layer of defense employed by BadPaw is the use of .NET Reactor, a commercial protection and obfuscation tool for .NET assemblies. This packer obfuscates the underlying code to hinder static analysis and reverse engineering.” continues the report.

The malware also includes multiple defense mechanisms. Its components stay inactive unless launched with specific parameters, otherwise displaying a benign interface and executing harmless code.

The MeowMeow backdoor adds environmental checks, scanning systems for virtual machines and analysis tools such as Wireshark, ProcMon, and Fiddler. If it detects a sandbox or research environment, it immediately stops execution to avoid investigation.

Researchers at ClearSky attribute the campaign with high confidence to a Russia-linked cyberespionage group and with lower confidence to the threat actor APT28. Their assessment relies on three factors: the targeting of Ukrainian entities, Russian-language artifacts in the code, and tactics consistent with previous Russian cyber operations, including multi-stage infection chains and .NET-based loaders.

In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow.

The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations. 

ClearSky’s research details outline a multi-stage infection chain beginning with a phishing email sent via the Ukrainian provider ukr[.]net, a service previously abused in Russian campaigns. The email contains a link that first loads a tracking pixel to notify attackers when a victim clicks, then redirects to a shortened URL that downloads a ZIP archive.

Inside the archive is a disguised HTA file posing as an HTML document. When executed, it opens a decoy document about a Ukrainian border-crossing appeal while silently launching the malicious routine. The HTA performs anti-analysis checks by verifying the system’s installation date and aborting execution on recently installed systems, a common sandbox-evasion tactic.

“The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing. This lure is intended to maintain the veneer of legitimacy while the HTA file executes its secondary stages in the background.” continues the report. “To evade detection and identify potential sandbox environments, the HTA file performs an environmental check by inspecting the following Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate By querying this value, the malware calculates the “age” of the operating system. If the system was installed less than ten days prior to execution, the malware terminates. This is a common anti-analysis technique used to avoid execution on freshly provisioned virtual machines or automated analysis sandboxes”

If conditions are met, it searches for the original archive, extracts additional components, and establishes persistence through a scheduled task. A VBS script then retrieves hidden payload data embedded within an image using steganography, extracting a PE file that researchers identified as the BadPaw loader, which ultimately deploys the MeowMeow backdoor and establishes command-and-control communication.

Researchers found Russian-language strings in the malware code, including one indicating the time needed to reach an operational state. These artifacts suggest a Russian origin and may reflect an OPSEC mistake or leftover development elements not adapted for Ukrainian targets.

“The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MeowMeow malware)