
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow

  • Mar 5

Key Findings


  • Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails.

  • The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.

  • The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing the attackers' intent to evade detection and maintain long-term persistence.

  • The malware includes multiple defense mechanisms, such as staying inactive unless launched with specific parameters and scanning for virtual machines and analysis tools to avoid detection.

  • The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28.


Background


The attack chain initiates with a phishing email sent from the Ukrainian provider ukr[.]net, a service previously abused in Russian campaigns. The email contains a link that first loads a tracking pixel to notify the attackers when a victim clicks, then redirects to a shortened URL that downloads a ZIP archive. Inside the archive is a disguised HTA file posing as an HTML document.


Infection Chain


When executed, the HTA file opens a decoy document about a Ukrainian border-crossing appeal while silently launching the malicious routine. The HTA performs anti-analysis checks by verifying the system's installation date and aborting execution on recently installed systems, a common sandbox-evasion tactic.


If conditions are met, the HTA searches for the original archive, extracts additional components, and establishes persistence through a scheduled task. A VBS script then retrieves hidden payload data embedded within an image using steganography, extracting a PE file that researchers identified as the BadPaw loader, which ultimately deploys the MeowMeow backdoor and establishes command-and-control communication.
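The steganographic stage above hides a PE file inside an image. As an added triage example (not code from the report or the researchers), the following Python script locates and carves a PE image stored as contiguous raw bytes inside a carrier file; it assumes the payload sits in the carrier unencoded (for example appended after the image data) rather than bit-level encoded, and the carrier and PE header bytes are constructed for the demo.

```python
"""Triage helper: find and carve a PE image hidden inside another file.

Constructed example for illustration. Assumption: the hidden payload is
stored as contiguous raw bytes in the carrier; LSB-style steganography
would not be detected by this scan.
"""
import struct
from typing import List

PE_SIGNATURE = b"PE\x00\x00"
MZ_MAGIC = b"MZ"
MAX_E_LFANEW = 0x1000  # sane upper bound for the DOS->PE header offset


def find_embedded_pe(data: bytes) -> List[int]:
    """Return offsets of every 'MZ' that is followed by a consistent PE header."""
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        # e_lfanew lives at DOS header offset 0x3C and must point at 'PE\0\0'
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew <= MAX_E_LFANEW and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def carve_pe(data: bytes, offset: int) -> bytes:
    """Slice the carrier from the PE offset to end of file for offline analysis."""
    return data[offset:]


def build_fake_pe() -> bytes:
    """Constructed minimal DOS+COFF header (not an executable) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed carrier: PNG magic, filler with a decoy 'MZ', then the hidden PE.
CARRIER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"MZ" + b"\x00" * 70 + build_fake_pe()

if __name__ == "__main__":
    for off in find_embedded_pe(CARRIER):
        print(f"PE header at offset {off}, carved {len(carve_pe(CARRIER, off))} bytes")
```

The decoy "MZ" in the filler is rejected because its e_lfanew does not point at a PE signature, so only the real header is reported.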


Malware Analysis


Both BadPaw and MeowMeow use the .NET Reactor packer to obfuscate the underlying code and hinder static analysis and reverse engineering. The MeowMeow backdoor also includes environmental checks, scanning systems for virtual machines and analysis tools, and stops execution if it detects a sandbox or research environment.


Threat Actor Attribution


Researchers at ClearSky attribute the campaign with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting of Ukrainian entities, Russian-language artifacts in the code, and tactics consistent with previous Russian cyber operations, including multi-stage infection chains and .NET-based loaders.


Sources


  • https://securityaffairs.com/188974/apt/russian-apt-targets-ukraine-with-badpaw-and-meowmeow-malware.html

  • https://thehackernews.com/2026/03/apt28-linked-campaign-deploys-badpaw.html


© 2025 by Explain IT Again. Powered and secured by Wix
