APT28-Linked Campaign Targets Ukraine with Malware Threats

  • Mar 5
  • 2 min read

Key Findings:


  • A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow.

  • The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28.

  • The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow.


Background


The starting point of the attack sequence is a phishing email sent from ukr[.]net, likely in an attempt to establish credibility and secure the trust of targeted victims. Present in the message is a link to a purported ZIP file, causing the user to be redirected to a URL that loads an "exceptionally small image," effectively acting as a tracking pixel to signal the operators that the link was clicked. Once this step is complete, the victim is redirected to a secondary URL from where the archive is downloaded.


The Attack Chain


  • The ZIP file includes an HTML Application (HTA) that, once launched, drops a decoy document as a distraction mechanism, while it executes follow-on stages in the background.

  • The HTA file also carries out checks to avoid running within sandbox environments by querying the Windows Registry to estimate the "age" of the operating system.

  • The VBScript extracted from the ZIP archive is responsible for extracting malicious code embedded within a PNG image, an obfuscated loader referred to as BadPaw.

  • BadPaw is capable of contacting a command-and-control (C2) server to download additional components, including an executable named MeowMeow.

  • MeowMeow is equipped to remotely execute PowerShell commands on the compromised host and support file system operations, such as the ability to read, write, and delete data.


Attribution and Indicators


  • The presence of Russian language strings in the source code suggests the activity is the work of a Russian-speaking threat actor.

  • The targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations point to APT28 as the likely perpetrator.


Sources


  • https://thehackernews.com/2026/03/apt28-linked-campaign-deploys-badpaw.html

  • https://www.linkedin.com/posts/dlross_apt28-linked-campaign-deploys-badpaw-loader-activity-7435447807739658241-dJRa

  • https://x.com/Dinosn/status/2029538747004412173

© 2025 by Explain IT Again