thehackernews.com 3/5/2026, 11:27:59 AM · via preferred

APT28 targets Ukraine with BadPaw and MeowMeow via phishing HTA

Primary source: clearskysec.com (category: Threat Actor)

According to ClearSky, cybersecurity researchers disclosed a new Russian campaign targeting Ukrainian entities that uses two previously undocumented malware families, BadPaw and MeowMeow. The attack chain starts with a phishing email linking to a ZIP archive; when opened, an HTA file shows a Ukrainian border-crossing lure, while a .NET-based loader named BadPaw contacts a remote server to fetch a backdoor called MeowMeow.

The HTA file performs checks designed to detect sandbox environments. If the environment looks suitable, it extracts a VBScript and a PNG, saves them under different names, and creates a scheduled task to run the VBScript, which in turn loads the BadPaw loader embedded in the PNG so that it can reach the C2 server for additional components.
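The article says the loader is embedded in a PNG but does not say how. A defender triaging the dropped files can at least ask whether a given PNG is a plain image: the following Python, added here as an example and not code from the article, ClearSky, or The Hacker News, parses the PNG chunk list and flags data appended after the IEND chunk, chunk types outside the PNG specification, and chunks whose CRC does not match. It assumes one of those common embedding techniques was used (an assumption, since the page does not describe the embedding) and builds its own constructed sample images inline; the appended bytes are a labelled placeholder, not malware.

```python
"""Added example: flag PNG files that carry data beyond the image structure.

Not code from the original article, ClearSky, or The Hacker News. The article
only says the BadPaw loader is "embedded in the PNG"; this example ASSUMES a
common technique (payload appended after IEND, or stored in a non-standard
chunk) and checks for it. All sample files below are constructed inline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical + common ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build a spec-conformant chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def analyze_png(blob: bytes) -> dict:
    """Walk the chunk list and report anything a plain image would not have."""
    findings = {
        "valid_signature": blob.startswith(PNG_SIGNATURE),
        "chunks": [], "unknown_chunks": [], "bad_crc": [], "trailing_bytes": 0,
    }
    if not findings["valid_signature"]:
        return findings
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            break  # truncated chunk: leftover bytes are counted as trailing
        name = ctype.decode("latin-1")
        findings["chunks"].append(name)
        if ctype not in KNOWN_CHUNKS:
            findings["unknown_chunks"].append(name)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            findings["bad_crc"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed image ends here; anything after is foreign
    findings["trailing_bytes"] = len(blob) - pos
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the file is not a plain, well-formed PNG."""
    return (not findings["valid_signature"]
            or findings["trailing_bytes"] > 0
            or bool(findings["unknown_chunks"])
            or bool(findings["bad_crc"]))


# Constructed samples: a minimal 1x1 grayscale image, then two tampered variants.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, ...
IDAT = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
CLEAN_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
             + make_chunk(b"IDAT", IDAT) + make_chunk(b"IEND", b""))
# Placeholder bytes standing in for an embedded loader; not real malware.
APPENDED_PNG = CLEAN_PNG + b"PLACEHOLDER_PAYLOAD_BYTES" * 4
# A private chunk type (lower-case first letter) that no image viewer needs.
PRIVATE_CHUNK_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
                     + make_chunk(b"zzZZ", b"\x00" * 64)
                     + make_chunk(b"IDAT", IDAT) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                        ("private-chunk", PRIVATE_CHUNK_PNG)]:
        f = analyze_png(blob)
        print(f"{label:14s} suspicious={is_suspicious(f)} "
              f"trailing={f['trailing_bytes']} unknown={f['unknown_chunks']}")
```

Run it over the PNG dropped alongside the VBScript; a hit on any of the three indicators is a reason to pull the file for deeper analysis, while a clean result only says the loader is not hidden by one of these simple methods.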

The MeowMeow backdoor can execute PowerShell commands and perform file-system operations, including reading, writing and deleting data, and Russian-language strings in the code reinforce the assessment of Russian-speaking authorship. The campaign has been attributed with moderate confidence to APT28, the Russian state-sponsored threat actor, based on targeting, lures, and overlaps with techniques seen in prior operations.


Article by CyberSIXT