Researchers disclosed a Russian-linked campaign targeting Ukrainian entities that uses phishing emails and HTA lures to deploy two previously undocumented malware families, BadPaw and MeowMeow. The infection chain features sandbox evasion and a .NET loader (BadPaw) that contacts a C2 to fetch the MeowMeow backdoor; the activity has been attributed with moderate confidence to APT28. #BadPaw #MeowMeow
Keypoints
- Phishing emails sent from ukr[.]net direct victims to a ZIP archive containing an HTA lure in Ukrainian.
- The HTA drops a decoy document and checks the Windows InstallDate value, aborting on hosts that look freshly installed, a common trait of sandboxes and analysis VMs.
- The HTA extracts a VBScript and PNG, creates a scheduled task for persistence, and hides follow-on stages.
- BadPaw is a .NET loader that contacts a C2 to download and deploy the MeowMeow backdoor, which supports PowerShell execution and file operations.
- ClearSky attributes the campaign with moderate confidence to APT28 based on targeting, lures, and technique overlaps.
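The InstallDate check in the second key point can be reproduced offline to see what the lure is actually measuring. The block below is an added example, not code from the report or from the malware: Windows exposes the OS install time under the name InstallDate in two shapes, a REG_DWORD of Unix-epoch seconds under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and a DMTF datetime string on the WMI class Win32_OperatingSystem, and the code parses both, computes the host age, and applies a minimum-age threshold. The 30-day threshold and all sample values are assumptions; the report does not state which source or threshold the HTA uses.

```python
"""Offline reproduction of an InstallDate-based system-age check (added example, constructed values)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: illustrative threshold; the report does not give the one the HTA uses.
MIN_AGE_DAYS = 30

# DMTF datetime as returned by WMI/CIM: yyyymmddHHMMSS.ffffff followed by a UTC offset in minutes.
_DMTF_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def parse_registry_install_date(value):
    """HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate: REG_DWORD, seconds since the Unix epoch."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_dmtf_datetime(value):
    """Win32_OperatingSystem.InstallDate (WMI): DMTF string, normalised here to an aware UTC datetime."""
    m = _DMTF_RE.match(value)
    if not m:
        raise ValueError(f"not a DMTF datetime: {value!r}")
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    minutes = int(off) if sign == "+" else -int(off)
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us),
                     tzinfo=timezone(timedelta(minutes=minutes)))
    return local.astimezone(timezone.utc)


def parse_install_date(value):
    """Accept either representation (int or digit string = registry, otherwise DMTF) and return UTC."""
    if isinstance(value, int):
        return parse_registry_install_date(value)
    if isinstance(value, str) and value.isdigit():
        return parse_registry_install_date(int(value))
    return parse_dmtf_datetime(value)


def system_age_days(install_value, now_utc_iso):
    """Age of the installation in days at the given moment (ISO 8601; naive values are treated as UTC)."""
    now = datetime.fromisoformat(now_utc_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (now - parse_install_date(install_value)).total_seconds() / 86400


def looks_freshly_installed(install_value, now_utc_iso, min_age_days=MIN_AGE_DAYS):
    """True when the host is younger than the threshold, i.e. the condition under which such a lure would stop."""
    return system_age_days(install_value, now_utc_iso) < min_age_days


# Constructed sample values (not taken from the report): both encode 2024-01-15 10:30:00 UTC.
SAMPLE_REGISTRY_INSTALLDATE = 1705314600
SAMPLE_WMI_INSTALLDATE = "20240115103000.000000+000"

if __name__ == "__main__":
    assert parse_install_date(SAMPLE_WMI_INSTALLDATE) == parse_install_date(SAMPLE_REGISTRY_INSTALLDATE)
    for now in ("2024-02-10T10:30:00+00:00", "2024-06-01T00:00:00+00:00"):
        age = system_age_days(SAMPLE_REGISTRY_INSTALLDATE, now)
        print(f"now={now} age={age:.1f}d fresh={looks_freshly_installed(SAMPLE_REGISTRY_INSTALLDATE, now)}")
```

For analysts, the practical use is the reverse of the malware's: run the same two lookups on a detonation VM (reg query of the CurrentVersion key, and Get-CimInstance Win32_OperatingSystem) and confirm the sandbox reports an install date old enough to pass this kind of gate, otherwise the HTA will exit before showing the follow-on stages.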
Read More: https://thehackernews.com/2026/03/apt28-linked-campaign-deploys-badpaw.html