ClearSky Team uncovered a targeted Russian state-aligned campaign against Ukraine that uses border-crossing appeals to deliver two novel malware strains, BadPaw and MeowMeow. The multi-stage attack uses ukr.net phishing, an HTA/VBScript loader that extracts payloads via steganography, a .NET Reactor-protected BadPaw loader with a "-renew" parameter check, and a MeowMeow backdoor that provides remote shell, file-system access, and anti-analysis checks; code artifacts in Russian support attribution and a possible link to APT28. #BadPaw #MeowMeow #ClearSky #APT28 #ukrnet
Key points
- ClearSky attributed a targeted campaign against Ukraine to a Russian state-aligned actor, with a low-confidence link to APT28.
- Phishing emails from spoofed or compromised ukr.net addresses deliver a ZIP containing an HTA decoy about border appeals.
- A VBScript uses steganography on CAT.png to reconstruct and launch the BadPaw .NET loader.
- BadPaw is obfuscated with .NET Reactor and uses a "-renew" parameter to show a decoy GUI unless properly activated.
- BadPaw downloads MeowMeow from virtualdailyplanner.pro; MeowMeow provides shell access, file operations, environmental checks, and a cat-image decoy.
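The loader stage above hides its payload inside an image file (CAT.png). The report summary does not say how the bytes are embedded, so the following is an added triage script, not ClearSky's tooling or anything recovered from the campaign: it parses the PNG chunk structure and flags three indicators that commonly betray a carrier image, namely bytes appended after the IEND chunk, chunk types outside the standard set, and chunks whose CRC does not match their contents. The sample PNG it builds is constructed here for demonstration; the heuristics are an assumption about typical embedding methods, not a description of CAT.png.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(trailing: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG (not the campaign's CAT.png), optionally
    with extra bytes appended after IEND to simulate an appended payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b"") + trailing)


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and collect indicators of hidden content."""
    findings = {"valid_signature": False, "chunks": [], "bad_crc": [],
                "nonstandard_chunks": [], "trailing_bytes": 0, "truncated": False}
    if not data.startswith(PNG_SIGNATURE):
        return findings
    findings["valid_signature"] = True
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings["truncated"] = True
            break
        name = ctype.decode("latin-1")
        findings["chunks"].append(name)
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings["bad_crc"].append(name)
        if ctype not in STANDARD_CHUNKS:
            findings["nonstandard_chunks"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            # Anything after IEND is ignored by image viewers but still on disk.
            findings["trailing_bytes"] = len(data) - pos
            break
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any carrier-file indicator fires."""
    f = inspect_png(data)
    return (not f["valid_signature"] or f["truncated"] or f["trailing_bytes"] > 0
            or bool(f["bad_crc"]) or bool(f["nonstandard_chunks"]))


if __name__ == "__main__":
    clean = build_png()
    stuffed = build_png(b"MZ" + b"\x00" * 40)  # constructed trailing blob
    print("clean:", inspect_png(clean))
    print("stuffed:", inspect_png(stuffed), "suspicious =", is_suspicious(stuffed))
```

Run it over images attached to suspicious archives; a non-zero `trailing_bytes` or an unknown chunk type does not prove malice on its own, but in the context of an HTA dropper that reads the image it is a strong pivot for further analysis.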