Cybersecurity researchers have identified a new Russian cyber operation targeting Ukrainian organizations using two newly discovered malware strains called BadPaw and MeowMeow. Attributed to the state-sponsored group APT28, the campaign utilizes phishing emails and tracking pixels to deliver sophisticated backdoors through deceptive government-themed documents.
The attack begins with a phishing email sent from a compromised or spoofed ukr.net address to gain the recipient's trust. This email contains a link to a ZIP archive, but clicking it first triggers a tracking pixel. This tiny, invisible image notifies the attackers that the victim has interacted with the link before redirecting them to the actual download site. By monitoring these clicks, the threat actors can verify which targets are active and susceptible to the lure.
Once the victim downloads and opens the ZIP archive, they find an HTML Application file. Launching this file initiates two simultaneous actions: it displays a decoy document to the user while silently infecting the system in the background. The decoy is a carefully crafted document written in Ukrainian that discusses official appeals regarding border crossings, a topic designed to appear legitimate and urgent to the targeted individuals.
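As an added defensive illustration (not code from the ClearSky report or the campaign), the check below shows how a mail gateway or download sandbox could inspect a ZIP archive for an HTML Application before a user opens it; the archive and its member names are constructed samples, and the content marker is a heuristic assumption for HTAs renamed to another extension.

```python
import io
import re
import zipfile

# Heuristic: an HTML Application body normally declares an <hta:application>
# element, so a renamed .hta can still be spotted by content (assumption).
_HTA_MARKER = re.compile(rb"<hta:application\b", re.IGNORECASE)
_MAX_SCAN_BYTES = 64 * 1024


def find_hta_members(zip_bytes: bytes) -> list:
    """Return names of archive members that look like HTML Applications.

    A member is flagged if its extension is .hta, or if the first 64 KiB of
    its content carries the hta:application marker (a renamed dropper).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".hta"):
                hits.append(info.filename)
                continue
            with zf.open(info) as member:
                head = member.read(_MAX_SCAN_BYTES)
            if _HTA_MARKER.search(head):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy document, an HTA dropper, a renamed HTA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("border_appeal_decoy.docx", b"PK\x03\x04 decoy document bytes")
        zf.writestr("appeal.hta", b"<html><hta:application id='x'/></html>")
        zf.writestr("notes.html", b"<HTML><HTA:APPLICATION ID='y'/></HTML>")
        zf.writestr("readme.txt", b"plain text, nothing suspicious here")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_hta_members(build_sample_archive()))
```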
While the victim is distracted by the border crossing document, the infection enters its next stage by executing a .NET-based loader known as BadPaw. This loader acts as an initial foothold on the system, gathering basic information and establishing a secure line of communication with a command-and-control server. Its primary purpose is to prepare the environment for the final, more dangerous payload.
The final stage of the sequence involves the deployment of MeowMeow, a sophisticated backdoor malware. MeowMeow provides the attackers with extensive control over the compromised computer, allowing them to steal sensitive files, monitor user activity, and maintain long-term access to the network. The complexity of this backdoor suggests it was designed for high-level espionage and data exfiltration.
Analysis of the campaign by researchers at ClearSky points toward APT28, a well-known Russian intelligence group, with moderate confidence. This attribution is based on the specific focus on Ukrainian government interests, the geopolitical nature of the lures, and technical similarities to previous Russian cyber maneuvers. This operation highlights the ongoing use of social engineering and multi-stage malware delivery in modern state-sponsored conflicts.
Source: APT28-Linked Campaign Deploys BadPaw Loader And MeowMeow Backdoor In Ukraine