Russian Cyber Campaign Targets Ukraine With New Malware “BadPaw” and “MeowMeow”



Cybersecurity researchers have uncovered a new cyber-espionage campaign believed to be linked to Russia that targets Ukrainian organizations using two previously unknown malware families called BadPaw and MeowMeow.

According to a report published by the cybersecurity firm ClearSky Cyber Security, the attack relies heavily on phishing emails and social engineering tactics to trick victims into executing malicious files.

Security experts say the operation appears to be connected to the Russian state-backed hacking group APT28, also widely known as Fancy Bear.


How the Attack Begins

The attack chain starts with a phishing email sent to potential victims. The email contains a link claiming to download a ZIP archive.

Key steps of the initial attack stage:

  • The phishing message is sent from ukr[.]net, likely to appear legitimate to Ukrainian targets.
  • When the victim clicks the link, they are first redirected to a page containing a very small image acting as a tracking pixel.
  • This allows the attackers to confirm that the link was clicked.
  • The user is then redirected to another URL where the malicious ZIP file is downloaded.

Malicious Files Inside the ZIP Archive

Once the archive is downloaded and extracted, the victim finds an HTA (HTML Application) file.

When executed, the HTA file performs two actions:

  1. Displays a decoy document written in Ukrainian related to border crossing appeals, making the attack look legitimate.
  2. Silently launches additional malware components in the background.

This decoy document is designed purely for social engineering, distracting the victim while the malware continues its execution.


Anti-Analysis and Sandbox Detection

The malware also includes checks to prevent execution in security research environments.

For example, it checks the Windows registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

This value records when the operating system was installed. If the system was installed less than 10 days earlier, the malware assumes it may be a sandbox environment (analysis images are often freshly built) and stops execution.


Deployment of the BadPaw Loader

If the system passes the security checks, the malware extracts two files from the archive:

  • A VBScript file
  • A PNG image

These files are saved to disk with different names. A scheduled task is also created to run the VBScript automatically, ensuring persistence on the infected system.

The VBScript then extracts hidden malicious code embedded inside the PNG image. This code acts as a .NET-based loader called BadPaw.

BadPaw communicates with a command-and-control (C2) server to download additional malicious components.
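The HTA-to-VBScript-to-scheduled-task sequence described above is the part of the chain most visible in endpoint telemetry. The following is an added example (not code from ClearSky's report or from the malware) of a small hunting rule run over constructed, Sysmon-style process-creation records. The field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; the file paths, task name and log lines are made up, and the two heuristics (an HTA host spawning a script host or schtasks.exe, and schtasks.exe creating a task with a .vbs action) are the author's own assumptions about what the described behaviour would look like, not indicators from the report.

```python
"""
Hunting rule for the HTA -> VBScript -> scheduled-task persistence step.

Added example, not code from the ClearSky report. It parses constructed,
Sysmon-style process-creation records and flags two behaviours the article
describes:
  1. an HTA host (mshta.exe) spawning a script host or schtasks.exe
  2. schtasks.exe creating a task whose action runs a VBScript
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process (Sysmon: Image)
    parent_image: str   # full path of the parent (Sysmon: ParentImage)
    command_line: str   # command line of the created process (Sysmon: CommandLine)


# Constructed sample records in "key=value|key=value" form (not real telemetry).
SAMPLE_LOG = r"""
Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe C:\Users\victim\Downloads\appeal.hta
Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\victim\AppData\Roaming\upd.vbs"
Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=wscript.exe C:\Users\victim\AppData\Roaming\upd.vbs
Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt
Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=schtasks /query /tn Backup
"""

# Child processes that are suspicious when launched directly by an HTA host.
# This set is an assumption for the example, not a list from the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "schtasks.exe", "powershell.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one 'key=value|key=value' record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def flag_event(ev: ProcEvent) -> list[str]:
    """Return the list of reasons this event matches the hunting heuristics."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)

    # Heuristic 1: the HTA host itself launching a script host or schtasks.
    if parent == "mshta.exe" and child in SCRIPT_HOSTS:
        findings.append(f"HTA host spawned {child}")

    # Heuristic 2: a scheduled task being created whose action is a .vbs file.
    if (child == "schtasks.exe"
            and re.search(r"/create\b", ev.command_line, re.I)
            and re.search(r"\.vbs\b", ev.command_line, re.I)):
        findings.append("scheduled task created with a VBScript action")
    return findings


def hunt(log_text: str) -> list[tuple[str, str]]:
    """Run the heuristics over every record; return (process, reason) pairs."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for reason in flag_event(ev):
            alerts.append((basename(ev.image), reason))
    return alerts


if __name__ == "__main__":
    for process, reason in hunt(SAMPLE_LOG):
        print(f"ALERT {process}: {reason}")
```

On the constructed sample the rule raises three alerts: two for the schtasks.exe record (spawned by mshta.exe and creating a .vbs task) and one for wscript.exe spawned by mshta.exe, while the notepad.exe and schtasks /query records pass. In a real deployment the parent-child heuristic is the more robust of the two, since the task name and script path will differ between intrusions.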


MeowMeow Backdoor Capabilities

One of the payloads delivered by BadPaw is an executable known as MeowMeow, which functions as a sophisticated backdoor.

Interestingly, the malware includes a decoy feature to confuse analysts. If the executable runs outside the full attack chain, it simply displays a cat-themed graphical interface.

Clicking the “MeowMeow” button only shows the message:

“Meow Meow Meow”

This behavior acts as a fake interface designed to mislead researchers during manual analysis.


Real Malicious Functionality

The real malicious code activates only when the program is launched with a special command-line parameter:

-v

Once activated, the MeowMeow backdoor can:

  • Execute remote PowerShell commands
  • Read, write, or delete files on the system
  • Communicate with remote command servers
  • Maintain persistent access to the compromised machine

Before executing these actions, the malware also checks whether security tools such as:

  • Wireshark
  • Procmon
  • OllyDbg
  • Fiddler

are running. If detected, the malware may terminate execution.


Evidence Suggesting Russian Involvement

Researchers also discovered Russian-language strings embedded in the malware source code.

According to ClearSky Cyber Security, this indicates two possible scenarios:

  1. The attackers accidentally left Russian development artifacts in the code.
  2. The malware authors made an operational security mistake by failing to localize the code for Ukrainian targets.

Combined with the attack methods and geopolitical context, researchers attribute the campaign with moderate confidence to the Russian threat group APT28.


Conclusion

This campaign demonstrates how modern cyber operations combine phishing, social engineering, stealth techniques, and multi-stage malware to infiltrate targeted organizations. The discovery of BadPaw and MeowMeow highlights the evolving tactics used in cyber warfare, especially in conflicts involving state-sponsored threat actors.

Organizations are advised to:

  • Monitor suspicious email activity
  • Block unknown file downloads
  • Keep security systems updated
  • Train employees to recognize phishing attacks