APT28 Associated Campaign Uses BadPaw Loader and MeowMeow Backdoor Against Ukraine


Cybersecurity researchers have revealed a new Russian cyber campaign targeting Ukrainian organizations using two previously unknown malware families, BadPaw and MeowMeow.

According to a report by ClearSky, the attack begins with a phishing email containing a link to a ZIP archive. Once extracted, an HTA file opens a decoy document in Ukrainian concerning border crossing appeals, designed to trick recipients into trusting the message.

The campaign also deploys a .NET-based loader called BadPaw, which contacts a remote server to download and install the MeowMeow backdoor. Analysts attribute the operation with moderate confidence to the Russian state-sponsored threat actor APT28, based on the targeting, the geopolitical context, and similarities to previous Russian cyberattacks.

The phishing email is sent from a ukr[.]net address, the Ukrainian webmail provider, likely to increase its credibility with local recipients. It contains a link to a ZIP file; the link first loads a very small image that acts as a tracking pixel, notifying the operators that the recipient clicked, and then redirects to a secondary URL that serves the archive. The ZIP contains an HTA file that opens the decoy document while carrying out the malicious actions in the background.


The decoy document simulates a confirmation for a government appeal regarding Ukrainian border crossings, enhancing the message’s legitimacy.

The HTA file includes a sandbox check: it reads the OS installation timestamp from the Windows Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate. If the operating system was installed fewer than ten days earlier (a common trait of freshly built analysis images), the script aborts. Otherwise, it extracts a VBScript and a PNG image from the ZIP, saves them under different names, and schedules the VBScript to run automatically for persistence.

The VBScript extracts the malicious payload embedded in the PNG image and executes the BadPaw loader, which connects to a command-and-control server to retrieve additional components, including MeowMeow. If BadPaw is run on its own, outside the attack chain, it shows a cat-themed GUI instead; clicking its “MeowMeow” button displays only a “Meow Meow Meow” message with no malicious effect, a decoy meant to mislead analysts.
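The delivery chain described above (HTA from an extracted ZIP, a scheduled VBScript, a loader dropped under the user profile, PowerShell spawned from it) leaves a recognisable process ancestry. The following hunt script, an added example that is not ClearSky's code or anything from the campaign, runs a few such rules over constructed Sysmon-style process-creation records. The file names, paths and PIDs in the sample are invented for illustration; the article does not publish the real ones.

```python
"""Hunt for an HTA -> scheduled VBScript -> loader -> PowerShell chain.

Added example (not from ClearSky or the malware). Event records below are
constructed to look like Sysmon Event ID 1 fields; names and paths are
assumptions, not indicators from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\AppData\Local\Temp\Temp1_appeal.zip\appeal.hta"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 10 /tn "Updater" '
              r'/tr "wscript.exe C:\Users\u\AppData\Roaming\sys.vbs"'),
    # Launched later by the task scheduler, so its parent is not in the sample.
    ProcEvent(1300, 800, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Roaming\sys.vbs"),
    ProcEvent(1400, 1300, r"C:\Users\u\AppData\Roaming\svc.exe", "svc.exe"),
    ProcEvent(1500, 1400,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c ..."),
    ProcEvent(1600, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign noise
]

# Locations an unprivileged user can write to; executables here deserve a look.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, rule_name) pairs for events matching any chain rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        # 1. mshta.exe running an .hta that lives in a user-writable path
        if name == "mshta.exe" and re.search(r"\.hta\b", e.cmdline, re.I) \
                and USER_WRITABLE.search(e.cmdline):
            hits.append((e.pid, "mshta_hta_from_user_path"))
        # 2. scheduled-task persistence pointing at a VBScript
        if name == "schtasks.exe" and "/create" in e.cmdline.lower() \
                and re.search(r"\.vbs\b|wscript|cscript", e.cmdline, re.I):
            hits.append((e.pid, "schtasks_vbs_persistence"))
        # 3. a script host executing a script from a user-writable path
        if name in SCRIPT_HOSTS and USER_WRITABLE.search(e.cmdline):
            hits.append((e.pid, "script_host_user_path"))
        # 4. a binary in a user-writable path started by a script host (the loader)
        if parent and basename(parent.image) in SCRIPT_HOSTS \
                and USER_WRITABLE.search(e.image):
            hits.append((e.pid, "binary_spawned_by_script_host"))
        # 5. PowerShell whose parent lives in a user-writable path (backdoor tasking)
        if name == "powershell.exe" and parent and USER_WRITABLE.search(parent.image):
            hits.append((e.pid, "powershell_from_user_path_parent"))
    return hits


def ancestry(events, pid: int):
    """Walk the parent chain of `pid` and return the image basenames, youngest first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"{pid}: {rule}  <- {' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule on its own is noisy in a large estate (developers run wscript.exe from their profile all day); the value is in correlating them through `ancestry`, so that a PowerShell process whose parent chain passes through a binary in AppData and a script host gets escalated, while an isolated hit is triaged at lower priority.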

MeowMeow becomes fully active only when launched with a specific parameter (-v), which the original attack chain supplies. It also checks that no sandbox or monitoring tools such as Wireshark, Procmon, OllyDbg, or Fiddler are running. Once active, MeowMeow gives the operator remote PowerShell execution and file-system operations, including reading, writing, and deleting files.

ClearSky noted Russian-language strings within the malware, suggesting that the developers either failed to localize the code for the Ukrainian environment or unintentionally left traces of their Russian-language development setup.
