Russian APT Deploys Cat-Themed BadPaw and MeowMeow Malware to Target Ukraine

Security researchers from ClearSky have uncovered a sophisticated Russian cyber campaign targeting Ukrainian organizations using two previously unknown malware strains with distinctly playful names: BadPaw and MeowMeow. Despite their whimsical naming, these tools represent a serious threat designed for stealth, persistence, and evasion.

The Attack Chain: From Phishing to Persistent Backdoor

The campaign begins with a targeted phishing email containing a link to a ZIP archive. The lure document, written in Ukrainian, relates to border crossing appeals—a topic likely to resonate with Ukrainian government and military personnel amid ongoing geopolitical tensions.

Once the victim opens the archive, the attack proceeds through multiple stages:

  1. BadPaw Loader: A .NET-based loader that establishes communication with command-and-control (C2) servers
  2. Payload Retrieval: The C2 server responds with encoded data hidden within HTML page markers
  3. MeowMeow Deployment: A sophisticated backdoor designed for long-term access and remote command execution

Advanced Evasion Techniques

Both malware strains employ multiple layers of defense to avoid detection:

  • .NET Reactor Obfuscation: Commercial-grade protection that hinders static analysis and reverse engineering
  • Parameter-Based Activation: Malicious code only executes when specific command-line parameters are provided
  • Decoy Interfaces: If run without proper parameters, BadPaw displays a functional “Regex Finder” tool, while MeowMeow shows a cat image GUI that simply displays “Meow Meow Meow” when clicked
  • Environment Detection: Active checks for sandbox environments, VMs, and forensic tools like Wireshark, Procmon, OllyDbg, and Fiddler

MeowMeow Backdoor Capabilities

Once deployed, the MeowMeow backdoor provides attackers with significant capabilities:

  • Remote PowerShell command execution
  • File system operations (read, write, delete)
  • File existence verification
  • Persistent C2 communication

Attribution: Russian State-Aligned Threat Actor

ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor, and with low confidence specifically to APT28 (Fancy Bear). The attribution is based on:

  • Target Selection: Focus on Ukrainian entities aligns with Russian strategic objectives
  • Language Artifacts: Russian-language strings found within the malware code, including phrases like “Time to reach working/operational condition: (\d+) seconds”
  • Tradecraft Consistency: Multi-stage infection chains, .NET-based loaders, and obfuscation techniques consistent with previous Russian cyber operations

The presence of Russian-language strings suggests either an operational security (OPSEC) failure—where developers neglected to localize code for the Ukrainian target—or inadvertent inclusion of development artifacts.

Connection to Recent APT28 Activity

This disclosure comes shortly after Trellix researchers exposed APT28 targeting European military and government bodies, particularly maritime and transport organizations. That campaign weaponized CVE-2026-21509, a Microsoft Office vulnerability, within 24 hours of public disclosure—demonstrating the group’s rapid exploit development capabilities.

Key Takeaways for Defenders

  • Monitor for unusual .NET application behavior, particularly applications whose real functionality only runs when launched with specific command-line parameters
  • Watch for C2 communication patterns using HTML page markers as data carriers
  • Implement detection for .NET Reactor-packed executables
  • Train users to recognize Ukrainian-language phishing lures related to border crossing topics
  • Maintain updated threat intelligence on Russian APT tradecraft
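A check of the kind the second takeaway calls for, written here as an added example rather than ClearSky's code: it scans an HTTP response body for marker-delimited blobs that decode as base64 and have high byte entropy. The page does not name the HTML markers BadPaw's C2 uses, so HTML comments, the thresholds and the sample bodies below are assumptions.

```python
"""Flag HTTP response bodies that carry an encoded blob between HTML markers.

Added example, not code from the ClearSky report. The report says the C2 hides
encoded data inside HTML page markers but does not name them, so this assumes
HTML comments; the sample bodies are constructed, not captured traffic.
"""
import base64
import binascii
import math
import re

# Assumed marker: payload sits inside an HTML comment. Real markers are unknown.
MARKER_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_LEN = 64          # ignore short comments such as "<!-- nav -->"
MIN_ENTROPY = 4.5     # bits per byte; English text is ~4.0, random data ~8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_blobs(body: str) -> list:
    """Return each comment whose content looks like an encoded payload."""
    hits = []
    for m in MARKER_RE.finditer(body):
        raw = m.group(1).strip()
        if len(raw) < MIN_LEN or not B64_RE.match(raw):
            continue
        try:
            decoded = base64.b64decode("".join(raw.split()), validate=True)
        except binascii.Error:
            continue  # not valid base64, so not the pattern we look for
        ent = shannon_entropy(decoded)
        if ent >= MIN_ENTROPY:
            hits.append({"offset": m.start(), "length": len(raw), "entropy": round(ent, 2)})
    return hits


# Constructed samples: a page with a long but low-entropy comment, and one whose
# comment carries 256 distinct byte values (entropy 8.0), mimicking an encoded payload.
BENIGN_BODY = ("<html><!-- site navigation v2 --><body><!-- "
               + base64.b64encode(b"lorem ipsum " * 10).decode() + " --></body></html>")
SUSPICIOUS_BODY = ("<html><body><p>Nothing to see</p><!-- "
                   + base64.b64encode(bytes(range(256))).decode() + " --></body></html>")
```

Run against proxy or sandbox-captured responses from hosts that a .NET process contacted shortly after launch; tune MIN_LEN and MIN_ENTROPY against your own traffic, since legitimate pages also embed base64 data in comments.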

This analysis is based on research by ClearSky via Industrial Cyber.