APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine
ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the BadPaw loader and the MeowMeow backdoor. The infection chain begins with a lure email (sent from ukr[.]net to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks.
The activity was attributed with moderate confidence to APT28 based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including SHADOWSNIFF, SALATSTEALER, and a Go backdoor DEAFTICKK attributed to UAC-0252), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.
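As an added example (not from ClearSky's report or this page), the Python below flags the archive-launched HTA stage of the chain described above in constructed process-creation telemetry; the `%TEMP%\Temp1_<archive>.zip` extraction path, the record fields and the sample events are all assumptions.

```python
# Added example (not ClearSky's or Mallory's code): flag the archive-launched HTA stage
# described above in constructed process-creation records; paths and events are assumptions.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full executable path
    cmdline: str  # command line as logged

# Assumed: Explorer extracts a double-clicked ZIP member under %TEMP%\Temp1_<archive>.zip\
ARCHIVE_HTA_RE = re.compile(r"\\Temp\\[^\"]*\.hta\b", re.IGNORECASE)
# Interpreters an HTA typically spawns to run its background stages
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_hta_chains(events):
    """Return (severity, mshta_pid, spawned_interpreters) for each mshta.exe that ran an
    .hta from an extraction path: 'high' if it spawned a scripting child, else 'medium'."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    alerts = []
    for e in events:
        if basename(e.image) != "mshta.exe" or not ARCHIVE_HTA_RE.search(e.cmdline):
            continue
        spawned = tuple(basename(c.image) for c in children.get(e.pid, ())
                        if basename(c.image) in SCRIPT_CHILDREN)
        alerts.append(("high" if spawned else "medium", e.pid, spawned))
    return alerts

# Constructed sample telemetry (not real indicators): one benign HTA, one full chain,
# one HTA from an extraction path with no observed follow-on stage
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\victim\AppData\Local\Temp\Temp1_Appeal.zip\Appeal.hta"'),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden"),
    ProcEvent(300, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\victim\AppData\Local\Temp\Temp1_Notice.zip\Notice.hta"'),
]
```

The "medium" case matters because the page notes the HTA shows a decoy and runs the loader stages in the background: an HTA from an extraction path that appears to do nothing may simply have failed its sandbox checks.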
Timeline
Mar 5, 2026
Campaign linked with moderate confidence to APT28
Based on the campaign’s targeting, geopolitical lures, overlaps with prior Russian tradecraft, and Russian-language code strings, ClearSky assessed with moderate confidence that the activity is connected to the Russian state-sponsored group APT28. The report also described MeowMeow’s capabilities, including sandbox evasion, remote PowerShell execution, and file operations.
Mar 5, 2026
ClearSky identifies BadPaw and MeowMeow campaign targeting Ukraine
ClearSky reported a Russian-linked cyber campaign targeting Ukrainian entities with a phishing chain that deploys two previously undocumented malware families, the BadPaw loader and MeowMeow backdoor. The intrusion uses a border-crossing themed Ukrainian-language lure and a tiny tracking-image style mechanism to confirm victim clicks before delivering the archive.
Related Stories

Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor
A **Russia-linked phishing campaign** has targeted Ukrainian entities using emails that lure recipients into downloading a ZIP archive, leading to installation of two newly identified malware families: the **BadPaw** loader and the **MeowMeow** backdoor. Reporting based on ClearSky’s analysis describes messages sent from addresses hosted on the Ukrainian service **ukr[.]net**, with a redirect to a ZIP containing a Ukraine-themed border checkpoint/permit lure; opening the archive triggers execution that downloads **BadPaw**, which then establishes C2 and deploys **MeowMeow**. The malware chain is designed to complicate analysis and evade detection. ClearSky reported **BadPaw** as a **.NET-based loader** and noted use of the **.NET Reactor** packer/obfuscator, while **MeowMeow** provides backdoor functionality including file enumeration and data read/write/delete operations. Further anti-analysis measures include conditional execution (components remaining inert unless launched with specific parameters) and environment checks by MeowMeow to detect sandboxes or analysis tooling (e.g., *Wireshark*, *ProcMon*, *Fiddler*). Based on infrastructure and tradecraft indicators (including ukr[.]net-hosted sender addresses), researchers attributed the activity with **low confidence** to **APT28** (aka **Fancy Bear/Forest Blizzard/Blue Delta**).
1 month ago
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
3 days ago
APT28 Reuses Old Access and Roundcube Exploits Against Ukrainian Institutions
Ukrainian officials warned that Russia-linked hackers are revisiting earlier compromises to regain access to government and defense networks, testing whether old footholds, unpatched vulnerabilities, and previously stolen credentials still work. CERT-UA said the activity reflects a broader shift from smash-and-grab credential theft toward persistent access, with initial intrusion methods also evolving beyond phishing to more tailored social engineering, including phone calls and video chats in fluent Ukrainian before malicious files are delivered through messaging apps. Agencies tied the activity to groups including **APT28** and **Void Blizzard**, with the security and defense sector remaining the top target because disruptions there could affect the war effort. Ukraine also confirmed a long-running cyber-espionage campaign, tracked since 2023 and attributed by Western researchers to **APT28** (`Fancy Bear`, `BlueDelta`, `Forest Blizzard`), that targeted prosecutors, anti-corruption bodies, and other local government entities through **Roundcube** webmail vulnerabilities enabling code execution when a victim opened an email. Reuters reported that more than 170 email accounts belonging to prosecutors and investigators were compromised in recent months, and CERT-UA identified three waves of related attacks. Officials said some allegedly stolen material was later published online, though reviews indicated the leaks likely did not include confidential data, and warned the operation could still be used to fuel disinformation aimed at eroding trust in Ukrainian institutions.
1 week ago