APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Russian Hackers Target Ukraine with New Malware “BadPaw” and “MeowMeow” in Sophisticated Phishing Campaign

In a chilling reminder of the escalating cyber warfare between Russia and Ukraine, cybersecurity researchers have uncovered a new espionage campaign leveraging two previously undocumented malware families—BadPaw and MeowMeow. This operation, attributed to the notorious Russian state-sponsored group APT28, marks another chapter in the ongoing digital battlefield that has accompanied the physical conflict in Eastern Europe.

The attack begins with a carefully crafted phishing email sent from a Ukrainian domain (ukr[.]net), designed to establish credibility and lure unsuspecting victims. The email contains a link to what appears to be a legitimate ZIP archive. However, this archive is the gateway to a sophisticated multi-stage attack that demonstrates the evolving sophistication of Russian cyber operations.

Once the victim clicks the link, they’re first redirected to a tiny tracking pixel—an “exceptionally small image” that serves as a digital beacon, alerting the attackers that their bait has been taken. Only then are they redirected to download the actual ZIP file. This two-step redirection process is a clever evasion technique that helps the attackers confirm successful initial engagement before proceeding.

Inside the ZIP archive lies an HTML Application (HTA) file that serves as the attack’s primary payload delivery mechanism. When executed, this HTA file performs multiple functions simultaneously—a hallmark of advanced persistent threat operations. On the surface, it displays a decoy document written in Ukrainian about border crossing appeals, creating a veneer of legitimacy that could fool even cautious users.

However, while the victim is distracted by this legitimate-looking document, the HTA is executing a series of malicious operations in the background. The malware performs environment checks by querying the Windows Registry for the “InstallDate” key, calculating how long the operating system has been installed. If the system appears to be less than ten days old—a common characteristic of sandbox environments—the malware aborts execution, demonstrating sophisticated sandbox evasion capabilities.

For systems that pass these checks, the HTA extracts two additional files from the archive: a Visual Basic Script (VBScript) and a PNG image. The VBScript is then scheduled to run persistently on the infected system, ensuring the malware maintains its foothold even after reboots.

The PNG image contains the first major malware component: BadPaw, a .NET-based loader that represents a significant advancement in Russian cyber capabilities. What makes BadPaw particularly interesting is its dual nature. When executed independently, it displays a graphical user interface featuring a picture of a cat—a clever decoy that aligns with the visual theme of the initial PNG image. Clicking the “MeowMeow” button in this interface produces a playful “Meow Meow Meow” message, performing no malicious actions.

This decoy functionality serves a critical purpose: it misleads manual analysts who might be examining the malware in isolation. Only when BadPaw is executed with the specific “-v” parameter, as part of the complete attack chain, does it reveal its true nature and begin communicating with command-and-control servers to download additional components.

The final payload in this attack chain is MeowMeow, a sophisticated backdoor that transforms the infected system into a remotely accessible espionage platform. MeowMeow conducts its own environment checks, ensuring it’s running on a legitimate endpoint rather than a sandbox, and verifying that forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler aren’t active.
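The two environment checks described above (the InstallDate age test used by the HTA stage and MeowMeow's scan for analysis tools) decide whether a sample detonates at all, so an analyst needs to know in advance whether the analysis VM will be rejected. The following self-check is an added example, not code from the article or from ClearSky. The ten-day threshold and the four tool names are taken from the article; everything else is an assumption: the InstallDate value is treated as the Unix-epoch seconds that Windows stores under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate`, the process list and timestamps are constructed sample data, and the name matching is deliberately broader than the malware's (exact matching rules are not published), so a clean result here is necessary rather than sufficient.

```python
# Added example (not from the article or ClearSky): pre-detonation self-check
# of an analysis VM against the environment checks attributed to this chain.
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

MIN_INSTALL_AGE = timedelta(days=10)              # threshold reported for the HTA stage
ANALYSIS_TOOLS = ("wireshark", "procmon", "ollydbg", "fiddler")  # names reported for MeowMeow


def install_age(install_date_epoch: int, now: datetime) -> timedelta:
    """Age of the OS install, given the InstallDate registry value (assumed
    Unix-epoch seconds) and a timezone-aware 'now'."""
    installed = datetime.fromtimestamp(install_date_epoch, tz=timezone.utc)
    return now - installed


def analysis_tools_running(process_names: Iterable[str]) -> List[str]:
    """Process names whose stem starts with one of the reported tool names.
    Prefix matching is an assumption chosen to be conservative: it also catches
    variants such as Procmon64.exe, which the malware may or may not check."""
    found = []
    for name in process_names:
        stem = name.lower().rsplit(".", 1)[0]   # "Procmon64.exe" -> "procmon64"
        if any(stem.startswith(tool) for tool in ANALYSIS_TOOLS):
            found.append(name)
    return found


def sandbox_self_check(install_date_epoch: int,
                       process_names: Iterable[str],
                       now: Optional[datetime] = None) -> List[str]:
    """Return the reasons this VM would be rejected; an empty list means neither
    of the two reported checks would trip."""
    now = now or datetime.now(timezone.utc)
    problems = []
    age = install_age(install_date_epoch, now)
    if age < timedelta(0):
        # Edge case: a clock rolled back or a bogus InstallDate reads as "future",
        # which also fails a 'younger than ten days' test.
        problems.append("InstallDate lies in the future; loader would abort")
    elif age < MIN_INSTALL_AGE:
        problems.append(f"InstallDate is {age.days} day(s) old; loader aborts below 10")
    tools = analysis_tools_running(process_names)
    if tools:
        problems.append("analysis tools visible to the backdoor: " + ", ".join(tools))
    return problems


# Constructed sample data for a stand-alone run (not real telemetry).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FRESH_INSTALL = int((SAMPLE_NOW - timedelta(days=3)).timestamp())
SAMPLE_OLD_INSTALL = int((SAMPLE_NOW - timedelta(days=400)).timestamp())
SAMPLE_PROCESSES = ["svchost.exe", "Procmon64.exe", "explorer.exe", "Fiddler.exe"]

if __name__ == "__main__":
    for problem in sandbox_self_check(SAMPLE_FRESH_INSTALL, SAMPLE_PROCESSES, SAMPLE_NOW):
        print("reject:", problem)
```

On a real Windows host the two inputs would come from the InstallDate registry value and from the running process list; the function only reasons about the values it is handed, so it is equally usable against a snapshot exported from a sandbox image.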

Once established, MeowMeow provides the attackers with comprehensive remote access capabilities. The backdoor can execute PowerShell commands on the compromised host, giving attackers the ability to run arbitrary code, manipulate system settings, and deploy additional tools. It also supports complete file system operations, including reading, writing, and deleting data—effectively granting the attackers full control over the victim’s digital environment.
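Two points in the chain above leave a process-tree footprint a defender can hunt for: the HTA stage scheduling a VBScript for persistence (mshta.exe running an .hta from a user-writable location, then schtasks.exe creating a task that runs a .vbs), and the backdoor executing PowerShell from a binary that lives under the user's profile. The script below is an added detection example written for this article; it is not code from the page or from ClearSky. It runs two heuristics over constructed process-creation records shaped like Sysmon Event ID 1 fields. The field names, process ids, file names and paths are all assumptions chosen for the example; none of them are indicators from the campaign.

```python
# Added detection example (not from the article or ClearSky). Two heuristics
# over constructed process-creation records; all names and paths are assumed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    """True for locations an unprivileged user, and therefore a phishing
    payload, can write to (assumed list: AppData, Temp, Downloads)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\downloads\\" in p


def ancestors(by_pid: Dict[int, ProcEvent], e: ProcEvent, depth: int = 4) -> List[ProcEvent]:
    """Parent chain of e, nearest first, at most `depth` levels."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(e.ppid)
    while cur is not None and len(chain) < depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        cl = e.command_line.lower()

        # Rule 1: schtasks creating a task that runs a .vbs, with mshta.exe
        # (running an .hta from a user-writable path) somewhere in its ancestry.
        if img == "schtasks.exe" and "/create" in cl and ".vbs" in cl:
            for a in ancestors(by_pid, e):
                if (basename(a.image) == "mshta.exe"
                        and ".hta" in a.command_line.lower()
                        and in_user_writable_dir(a.command_line)):
                    alerts.append({"rule": "hta_schedules_vbscript",
                                   "pid": e.pid, "mshta_pid": a.pid})
                    break

        # Rule 2: PowerShell launched by an executable that itself lives in a
        # user-writable directory (where a dropped loader/backdoor would sit).
        if img in ("powershell.exe", "pwsh.exe"):
            parent = by_pid.get(e.ppid)
            if parent is not None and in_user_writable_dir(parent.image):
                alerts.append({"rule": "powershell_from_user_writable_parent",
                               "pid": e.pid, "parent_pid": parent.pid})
    return alerts


# Constructed sample telemetry (not real events); pids and paths are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens the .hta extracted from the downloaded archive
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\AppData\Local\Temp\extract\appeal.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Updater" /tr "wscript.exe C:\Users\user\AppData\Roaming\run.vbs" /sc onlogon'),
    # dropped .NET loader runs from AppData; the backdoor later spawns PowerShell
    ProcEvent(400, 100, r"C:\Users\user\AppData\Roaming\loader.exe", "loader.exe -v"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Process"),
    # benign noise: admin schedules an installed .exe; vendor help file; interactive pwsh
    ProcEvent(600, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'),
    ProcEvent(800, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcEvent(900, 1, r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 in particular needs tuning before production use: editors and updaters legitimately installed under `LocalAppData` also spawn PowerShell, so an allowlist keyed on signer or image hash belongs in front of it. Rule 1 is narrower and survives a renamed task or script because it keys on the mshta-to-schtasks lineage rather than on any file name.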

The sophistication of this campaign is further evidenced by the discovery of Russian language strings within the MeowMeow source code. According to ClearSky researchers, these strings could indicate either an operational security oversight—failing to localize the code for Ukrainian targets—or the inadvertent inclusion of Russian development artifacts during the malware’s production phase.

This attribution to APT28 carries significant weight, given the group’s history of targeting Ukrainian infrastructure and its alignment with Russian state interests. The use of Ukrainian-themed lures, the targeting footprint, and the technical sophistication all point to a campaign designed to support Russian intelligence-gathering efforts in the region.

The emergence of BadPaw and MeowMeow represents a concerning evolution in Russian cyber capabilities. These aren’t repurposed or modified versions of existing malware but rather purpose-built tools designed specifically for this campaign. Their successful deployment suggests that Russian threat actors continue to invest heavily in developing new capabilities to support their strategic objectives.

For organizations in Ukraine and beyond, this campaign serves as a stark reminder of the persistent threat posed by state-sponsored actors. The combination of social engineering, sophisticated evasion techniques, and purpose-built malware creates a potent threat that can bypass many traditional security controls. As the conflict between Russia and Ukraine continues to play out across both physical and digital domains, we can expect to see further innovations in cyber warfare tactics and techniques.

The discovery of this campaign also highlights the critical importance of threat intelligence sharing and the need for organizations to maintain robust security postures that can detect and respond to advanced persistent threats. In an era where a single phishing email can compromise entire networks, vigilance and preparedness have never been more crucial.
