Cybersecurity researchers at ClearSky have uncovered a targeted Russian campaign against Ukrainian entities leveraging two previously undocumented malware strains, dubbed ‘BadPaw’ and ‘MeowMeow.’
According to the report, the attack begins with a phishing email containing a link to a ZIP archive. The email abuses the widely used Ukrainian email provider ukr[.]net to make it more believable. Similar infrastructure has been linked in past operations to the Russian state-aligned threat group APT28, also known as Fancy Bear.
When victims click the embedded link, a chain of redirects leads to the download of a ZIP archive. Although the archive appears to contain a standard HTML file, technical analysis reveals it is actually an HTA (HTML Application) file masquerading with an .html extension. Once executed, the HTA displays a Ukrainian-language lure document related to border crossing appeals while silently initiating the infection process.
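A defender-side check for the masquerade described above, written as an added example (not code from ClearSky's report): it opens a ZIP archive, looks at every member with an .html/.htm extension, and flags those whose content carries markers that only an HTA needs, such as the `HTA:APPLICATION` element or a VBScript block that a browser would ignore but mshta.exe would run. The markers are assumed heuristics, and the sample archive is constructed inline.

```python
import io
import re
import zipfile

# Heuristic markers (assumption) that distinguish an HTA (HTML Application)
# from ordinary HTML. mshta.exe honours these regardless of file extension,
# so a .html member carrying them is the masquerade described in the report.
HTA_MARKERS = [
    re.compile(rb"<\s*hta\s*:\s*application\b", re.IGNORECASE),
    re.compile(rb"<\s*script[^>]*(language|type)\s*=\s*[\"']?(text/)?vbscript",
               re.IGNORECASE),
]
HTML_EXTENSIONS = (".html", ".htm")


def find_masquerading_hta(zip_bytes: bytes) -> list[str]:
    """Return names of .html/.htm members in the ZIP that carry HTA markers."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(HTML_EXTENSIONS):
                continue
            # Only the first 256 KiB are inspected; HTA markers sit near the top.
            with zf.open(info) as member:
                head = member.read(256 * 1024)
            if any(marker.search(head) for marker in HTA_MARKERS):
                suspicious.append(info.filename)
    return suspicious


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign page and one HTA lure named .html."""
    benign = b"<html><body><h1>Appeal form</h1></body></html>"
    lure = (b"<html><head>\n"
            b"<HTA:APPLICATION ID='app' WINDOWSTATE='minimize'>\n"
            b"<script language=\"vbscript\">' constructed, empty body</script>\n"
            b"</head><body>Appeal regarding border crossing</body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.html", benign)
        zf.writestr("appeal.html", lure)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_masquerading_hta(build_sample_zip()):
        print("HTA masquerading as HTML:", name)
```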
The HTA file conducts environmental checks to detect sandbox or analysis environments before proceeding. At the time of discovery, only nine antivirus engines identified the file as malicious.
If execution conditions are met, the HTA downloads BadPaw, a .NET-based loader obfuscated using the .NET Reactor packer to hinder reverse engineering. BadPaw’s main function is to establish communication with a command-and-control (C&C) server and retrieve additional payloads.
Upon successful C&C communication, BadPaw deploys the second-stage malware called ‘MeowMeow,’ a persistent backdoor delivered as MeowMeowProgram[.]exe. Notably, if it is not launched with specific predefined parameters, it executes only benign “dummy” code accompanied by a harmless graphical user interface.
“When the ‘MeowMeow’ button within the decoy GUI is clicked, the application simply displays a ‘Meow Meow Meow’ message, performing no further malicious actions. This serves as a secondary functional decoy to mislead manual analysis,” the report says.
MeowMeow comes with anti-analysis capabilities. It actively scans for virtual machines and commonly used forensic and debugging tools such as Wireshark, ProcMon, and Fiddler. If such tools are detected, the malware immediately terminates execution to evade further analysis.
The malware features remote shell access, allowing attackers to execute PowerShell commands and perform file system operations, including reading, writing, verifying, and deleting files on compromised systems.
The researchers also observed the presence of Russian-language strings in the malware’s code.
“The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase,” the report noted.