www.infosecurity-magazine.com 3/4/2026, 2:38:21 PM

Ukrainian HTA dropper uses steganography to deploy MeowMeow

CyberSIXT Evidence Panel
Threat Actor
BadPaw

A newly identified malware campaign that leverages a Ukrainian email service to build credibility has been uncovered. The operation begins with an email sent from an address hosted on ukr[.]net. According to a ClearSky advisory, the recipient is redirected through a domain that loads a tracking pixel before being sent on to a ZIP download, and the archive actually contains a disguised HTA (HTML Application) file rather than a document.

Once executed, the HTA shows a decoy document about a Ukrainian government border crossing while malicious processes run in the background. The malware reads a Windows Registry key to determine the system's installation date and halts if the OS was installed less than ten days earlier, a check aimed at freshly built sandboxes and analysis VMs. If the check passes, it locates the original ZIP and extracts additional components, establishing persistence via a scheduled task that runs a VBS script; that script uses steganography to recover hidden executable code from an image file.
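The two dropper behaviours described above, the installation-age gate and the image-borne payload extraction, rebuilt as an added analysis example. This is not code from the article, from ClearSky or from the malware itself. It assumes the registry value consulted is `InstallDate` (seconds since the Unix epoch) under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`, which the article does not name, and it assumes the "steganography" is a payload appended after the PNG `IEND` chunk, the most common low-effort form in droppers of this kind; the article does not describe the hiding method, so an LSB-based scheme would need a different extractor. The 1x1 PNG and the `MZ`-prefixed payload are constructed for the demo.

```python
r"""Added example (not the article's or ClearSky's code): reconstructs the
install-age sandbox gate and scans PNG files for a payload appended after the
IEND chunk, then checks whether that tail looks like a PE executable.

Assumptions (the article names neither): registry value InstallDate under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and trailing-data stego.
"""
import struct
import time
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


# --- 1. installation-age gate ------------------------------------------------
def install_age_seconds(install_epoch, now_epoch=None):
    """Seconds between the OS install timestamp and now (or a supplied time)."""
    if now_epoch is None:
        now_epoch = int(time.time())
    return now_epoch - install_epoch


def evasion_gate_halts(install_epoch, now_epoch=None, min_age_days=10):
    """True if the reported check would stop execution: OS younger than 10 days."""
    return install_age_seconds(install_epoch, now_epoch) < min_age_days * 86400


def read_install_epoch_windows():
    """Read the assumed InstallDate value on a live Windows host; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _kind = winreg.QueryValueEx(k, "InstallDate")
    return int(value)


# --- 2. trailing-payload scanner for PNG -------------------------------------
def png_end_offset(data):
    """Walk the chunk list, verifying each CRC, and return the offset just past
    the IEND chunk. Anything after that offset is not part of the image."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk at offset %d" % (ctype, pos))
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_payload(data):
    """Bytes appended after the real end of the PNG (empty for a clean file)."""
    return data[png_end_offset(data):]


def classify_png(data):
    tail = trailing_payload(data)
    if not tail:
        return "clean"
    if tail.startswith(b"MZ"):
        return "trailing PE"
    return "trailing data"


# --- constructed sample input ------------------------------------------------
def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1():
    """A valid 1x1 8-bit RGB PNG built from scratch (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Fake PE-looking tail: constructed, not a real executable.
CONSTRUCTED_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_IMAGE = make_png_1x1() + CONSTRUCTED_PAYLOAD

if __name__ == "__main__":
    print("image ends at", png_end_offset(SAMPLE_IMAGE), "of", len(SAMPLE_IMAGE), "bytes")
    print("verdict:", classify_png(SAMPLE_IMAGE))
    epoch = read_install_epoch_windows()
    if epoch is not None:
        print("this host would be skipped by the gate:", evasion_gate_halts(epoch))
```

Analysts who want the gate not to fire against their sandbox can use the same check in reverse: an image with an install age of at least ten days passes it. The CRC verification in `png_end_offset` matters because a payload appended after `IEND` leaves every chunk intact, so a scanner that merely looks for the `IEND` bytes can be fooled by the same byte sequence inside the appended data.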

The backdoor, named MeowMeowProgram[.]exe, connects to a command-and-control (C2) server and then provides remote shell access and file-system control. It carries multiple layers of anti-analysis protection, including runtime parameter checks and sandbox detection. Nine antivirus engines detected the payload at the time of analysis, according to ClearSky.


Article by CyberSIXT