securityaffairs.com 3/5/2026, 3:42:40 PM · external

Phishing delivers BadPaw loader and MeowMeow backdoor; APT28 link

Primary Source clearskysec.com

Researchers at ClearSky have uncovered a Russia-linked cyber campaign that targets Ukrainian entities with two new malware families, BadPaw and MeowMeow, delivered through phishing emails. The chain starts with a phishing email carrying a link to a ZIP archive. The archive contains an HTA file (an HTML Application, executed by mshta.exe) which, when opened, displays a Ukrainian-language lure document about border-crossing appeals while silently launching the malware. BadPaw, a .NET-based loader, establishes command-and-control (C2) communication and retrieves MeowMeow, a more capable backdoor.
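The delivery described above puts an HTA file inside a ZIP archive so that the victim, not a mail gateway, triggers it. The following is an added example of how a defender might triage such attachments before they reach a mailbox; it is example code written for this page, not code from the article, from ClearSky, or from the malware itself. The marker list, the double-extension check and the sample archive are constructed assumptions about typical HTA droppers, not indicators from the campaign.

```python
"""Triage a ZIP attachment for HTML Application (.hta) droppers.

Added example (not from the article or ClearSky): inspects an archive in
memory and reports members that carry an .hta extension or contain the
script-host markers that HTA droppers routinely use under mshta.exe.
"""
import io
import re
import zipfile

# Assumed heuristics, not campaign indicators: markers commonly found in
# HTA files that launch further payloads.
SUSPICIOUS_MARKERS = {
    "script-tag": re.compile(rb"<\s*script\b", re.I),
    "hta-application-tag": re.compile(rb"<\s*hta:application\b", re.I),
    "activex-object": re.compile(rb"ActiveXObject|CreateObject\s*\(", re.I),
    "wscript-shell": re.compile(rb"WScript\.Shell", re.I),
}

# Only the first 64 KiB of each member is scanned; HTA droppers are small
# and this bounds the cost of inspecting padded or oversized members.
SCAN_LIMIT = 64 * 1024


def triage_zip(data: bytes) -> list:
    """Return one finding per archive member that looks like an HTA dropper.

    A member is flagged when its name ends in .hta (this also catches
    double extensions such as "form.pdf.hta") or when its content matches
    any of SUSPICIOUS_MARKERS. Each finding lists the reasons and markers.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(".hta"):
                reasons.append("hta-extension")
            with zf.open(info) as member:
                content = member.read(SCAN_LIMIT)
            hits = [label for label, pat in SUSPICIOUS_MARKERS.items()
                    if pat.search(content)]
            if hits:
                reasons.append("script-host-markers")
            if reasons:
                findings.append({"name": info.filename,
                                 "reasons": reasons,
                                 "hits": hits})
    return findings


def build_sample_zip(include_hta: bool = True) -> bytes:
    """Constructed sample archive: a benign text file and, optionally, a
    mock HTA lure that opens a script host (payload launch omitted)."""
    hta = (b"<html><head><hta:application id='x' windowstate='minimize'/>\n"
           b"<script language='VBScript'>\n"
           b"Set sh = CreateObject(\"WScript.Shell\")\n"
           b"' a real dropper would show a lure and start a loader here\n"
           b"</script></head><body></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Nothing to see here.\n")
        if include_hta:
            zf.writestr("appeal_form.pdf.hta", hta)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The double-extension check matters because Windows hides known extensions by default, so "appeal_form.pdf.hta" is shown to the user as "appeal_form.pdf" while still being handed to mshta.exe on open. Scanning member content as well as names catches HTA bodies renamed to other extensions, since mshta.exe does not require the .hta suffix when invoked directly.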

Both malware families are protected with the .NET Reactor packer, which obfuscates the managed code and complicates analysis. MeowMeow also performs environment checks and terminates if it detects a virtual machine or analysis tooling, a sandbox-evasion measure that defenders detonating samples should expect to keep the backdoor dormant in a default analysis VM. The campaign is attributed to a Russia-linked cyberespionage group, with moderate confidence pointing towards APT28, based on the nature of the attack and on Russian-language artifacts in the code.


Article by CyberSIXT