Researchers at ClearSky uncovered a campaign that leverages ukr.net email addresses to deliver a ZIP that contains an HTA disguised as an HTML file. The operation, named BadPaw, uses tracking redirects, Windows install-age sandbox checks, steganography-backed persistence, and staged C2 downloads that deploy the MeowMeowProgram backdoor. #BadPaw #MeowMeowProgram
Key points
- The campaign uses ukr.net email addresses to build credibility, a provider previously abused by APT28.
- Recipients are redirected through a tracking pixel before being served a ZIP that contains an HTA disguised as an HTML file.
- The HTA shows a decoy about a Ukrainian border crossing while executing hidden malicious processes in the background.
- BadPaw evades analysis by checking Windows installation age and achieves persistence via a scheduled task running a VBS script that extracts code via steganography.
- A staged C2 process delivers an ASCII-encoded payload that deploys the MeowMeowProgram backdoor, which uses obfuscation, runtime checks, and forensic-tool detection.
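As an added example, not code from ClearSky's report or the article, here is a small detection triage over constructed Sysmon-style process-creation events covering the behaviours listed above: mshta.exe executing a file that carries an .html extension, a query of the OS InstallDate registry value (assumed here as one way a sample could measure install age; the page does not say how BadPaw does it), schtasks creating a task whose action runs a .vbs, and wscript.exe launching a .vbs from a user-writable path under the Task Scheduler's svchost. All event fields, paths and the task name are constructed.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not campaign telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\border_notice.html"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate',
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn "Updater" /tr "wscript.exe C:\Users\u\AppData\Roaming\u.vbs"',
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Roaming\u.vbs",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": "app.exe --check-updates",
     "parent": r"C:\Windows\explorer.exe"},
]

# Each rule is (name, predicate over one event); fields are lower-cased before matching.
RULES = [
    ("hta_disguised_as_html",          # HTA content run by mshta from a file named *.html
     lambda e: e["image"].endswith("mshta.exe")
               and re.search(r"\.html?\b", e["cmdline"]) is not None),
    ("install_age_sandbox_check",      # assumed install-age probe: reading InstallDate
     lambda e: "installdate" in e["cmdline"] and "currentversion" in e["cmdline"]),
    ("schtask_vbs_persistence",        # scheduled task whose action is a VBS script
     lambda e: e["image"].endswith("schtasks.exe") and "/create" in e["cmdline"]
               and re.search(r"[wc]script", e["cmdline"]) is not None
               and ".vbs" in e["cmdline"]),
    ("vbs_from_user_path_via_scheduler",  # the persisted VBS actually firing
     lambda e: re.search(r"\\[wc]script\.exe$", e["image"]) is not None
               and ".vbs" in e["cmdline"]
               and re.search(r"\\(appdata|temp|users)\\", e["cmdline"]) is not None
               and e["parent"].endswith("svchost.exe")),
]

def triage(events):
    """Return (event index, rule name) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        norm = {k: v.lower() for k, v in ev.items()}
        hits.extend((i, name) for name, pred in RULES if pred(norm))
    return hits

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Any single rule fires on benign admin activity too; the chain of all four from one mshta.exe ancestor is what makes the sequence worth an alert.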
Read More: https://www.infosecurity-magazine.com/news/badpaw-malware-targets-ukraine/