Attack chain of the Russian campaign using the new malware | Image: ClearSky Team
Cybersecurity investigators at ClearSky Team have uncovered a targeted Russian cyber campaign against Ukraine utilizing two novel malware strains, BadPaw and MeowMeow. This sophisticated operation leverages geopolitical tensions, using Ukrainian border crossing appeals as bait to infect victims with a powerful multi-stage toolkit.
ClearSky attributes this campaign with “high confidence” to a Russian state-aligned threat actor, with a “low confidence” link to the notorious APT28 (Fancy Bear).
The attack begins with a phishing email sent from a spoofed or compromised address on ukr.net, a popular Ukrainian mail provider that APT28 has often abused because recipients tend to trust it.
Victims are directed to a ZIP archive containing what appears to be an HTML file. In reality the file is an HTA (HTML Application), which Windows hands to mshta.exe rather than to a browser, so the script it carries runs with the user's full privileges instead of inside a browser sandbox. Upon execution, it displays a decoy document about border appeals to “distract the user and reduce suspicion”. Behind the scenes, an embedded VBScript uses a simple form of steganography: it parses an accompanying image of a cat (CAT.png) for a <STEGO_START> marker and extracts the data hidden after it to reassemble the primary malware payload, BadPaw.
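As an added illustration (this is the editor's triage code, not code from the ClearSky report or from the malware), the following Python script shows how an analyst can check a PNG for an appended payload of this kind: it walks the chunk structure to the IEND chunk, measures any trailing bytes (a conforming decoder ignores everything after IEND, so a non-zero trailer is itself suspicious), and carves whatever follows a <STEGO_START> marker. The marker text comes from the report; its byte encoding, the placement of the hidden data after IEND, the sample image and the payload bytes are assumptions constructed for the example.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Marker named in the ClearSky write-up; the ASCII byte encoding is an assumption.
MARKER = b"<STEGO_START>"


def make_chunk(ctype, body):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width=1, height=1):
    """Construct a tiny but valid 8-bit RGB PNG (one red pixel per column) for the demo."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")


def png_chunks(data):
    """Yield (type, chunk_start_offset, data_length) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, pos, length
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG: no IEND chunk before end of file")


def png_end_offset(data):
    """Offset of the first byte after the IEND chunk, i.e. where a legitimate PNG stops."""
    for ctype, off, length in png_chunks(data):
        if ctype == b"IEND":
            return off + 12 + length
    raise ValueError("no IEND chunk")


def analyze_png(data):
    """Report trailer size and carve any bytes following the stego marker."""
    end = png_end_offset(data)
    idx = data.find(MARKER)
    result = {
        "iend_offset": end,
        "trailer_len": len(data) - end,
        "marker_offset": idx if idx >= 0 else None,
        "marker_after_iend": idx >= end if idx >= 0 else None,
        "payload": None,
    }
    if idx >= 0:
        # If the marker sits in the trailer, everything after it is the hidden data.
        # If it sits inside the chunk stream, the extractor presumably uses an end marker
        # the report does not give, so treat this carve as an upper bound.
        result["payload"] = data[idx + len(MARKER):]
    return result


# Constructed sample: a clean image, and the same image with a marker and fake payload appended.
CLEAN_CAT_PNG = build_png()
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-fake-payload-bytes"
WEAPONIZED_CAT_PNG = CLEAN_CAT_PNG + MARKER + SAMPLE_PAYLOAD


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAPONIZED_CAT_PNG
    r = analyze_png(data)
    print(f"IEND ends at {r['iend_offset']}, trailer bytes: {r['trailer_len']}, marker at: {r['marker_offset']}")
    if r["payload"] is not None:
        print(f"carved {len(r['payload'])} bytes after marker, starting {r['payload'][:4]!r}")
```

Run it with the path of a suspect image as the only argument; with no argument it analyses the constructed sample. Note that `trailer_len` is worth alerting on even when the marker is absent: the marker string is trivial for the actor to change, but a payload appended to an otherwise valid image cannot avoid living after IEND unless the actor moves to a real chunk-level or pixel-level embedding.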
BadPaw is a .NET-based loader protected by .NET Reactor, a commercial obfuscation tool designed to “hinder static analysis and reverse engineering”.
One of its more clever defenses is parameter validation. If the binary is run outside the intended attack chain, without the specific -renew switch, it launches a “dummy” GUI for a fake “Regex Finder” tool. This functional decoy lets the malware “conceal its embedded malicious logic” from researchers, and from automated sandboxes that detonate samples with no command-line arguments.
When properly activated, BadPaw contacts its C2 server (virtualdailyplanner[.]pro) to download the final stage: MeowMeow.
The MeowMeow backdoor is a full-featured espionage tool. Like its loader counterpart, it features a functional decoy—a picture of a yawning cat that merely displays a “Meow Meow Meow” message when clicked.
However, the malicious logic—triggered only with the -v parameter—grants attackers extensive control over the compromised host:
- Shell Capabilities: Allows the remote execution of PowerShell commands.
- File System Access: Enables the actor to read, write, and delete data from local storage.
- Environmental Awareness: The malware “actively scans for virtual machines and common analysis tools” like Wireshark, ProcMon, and Fiddler, and terminates immediately if a researcher’s environment is detected.
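As an added example (the editor's own code, not ClearSky's and not the malware's), the following Python scores constructed process-creation events against the behaviours described above: mshta.exe opening the fake “HTML” file from a user-writable directory, a script host spawning a binary with the -renew switch that activates BadPaw, and a process that resolves the C2 domain while running with MeowMeow's -v switch. Only the two switches, the C2 domain and the HTA/VBScript chain come from the report; the event schema, binary names, paths and sample events are invented for the example. The first rule relies on the fact that a default Windows install opens .hta files with mshta.exe.

```python
import re
from dataclasses import dataclass

# From the ClearSky report (written there defanged as virtualdailyplanner[.]pro).
C2_DOMAINS = {"virtualdailyplanner.pro"}
# Script hosts that the HTA/VBScript stage runs under on Windows.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Directories a ZIP attachment is typically extracted into (assumption for the example).
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record; the schema is constructed for this example."""
    pid: int
    image: str
    cmdline: str
    parent_image: str
    dns_queries: tuple = ()


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_switch(cmdline, switch):
    """Match the switch as a whole token so '-v' does not fire on '-verbose' or '-version'."""
    return re.search(r"(^|\s)" + re.escape(switch) + r"(\s|$)", cmdline) is not None


def evaluate(ev):
    """Return the list of rule names the event triggers (empty list if benign)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    # Stage 1: the "HTML" attachment is an HTA, so mshta.exe opens it from wherever the ZIP was extracted.
    if img == "mshta.exe" and USER_WRITABLE.search(ev.cmdline):
        hits.append("mshta-from-user-dir")
    # Stage 2: BadPaw only runs its real logic with -renew; a script host launching a binary with it is the chain.
    if parent in SCRIPT_HOSTS and img not in SCRIPT_HOSTS and has_switch(ev.cmdline, "-renew"):
        hits.append("renew-switch-from-script-host")
    # Stage 3: '-v' on its own is far too common to alert on; require the C2 domain as corroboration.
    if any(q.lower().rstrip(".") in C2_DOMAINS for q in ev.dns_queries):
        hits.append("c2-domain")
        if has_switch(ev.cmdline, "-v"):
            hits.append("v-switch-with-c2")
    return hits


def scan(events):
    """Pair each alerting event's pid with its hits; silent events are dropped."""
    results = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            results.append((ev.pid, hits))
    return results


# Constructed sample telemetry: three chain events, then two benign look-alikes.
EVENTS = [
    ProcEvent(101, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\olena\AppData\Local\Temp\appeal.html"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(102, r"C:\Users\olena\AppData\Roaming\svc\loader.exe",
              r'"C:\Users\olena\AppData\Roaming\svc\loader.exe" -renew',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(103, r"C:\Users\olena\AppData\Roaming\svc\backdoor.exe",
              r'"C:\Users\olena\AppData\Roaming\svc\backdoor.exe" -v',
              r"C:\Users\olena\AppData\Roaming\svc\loader.exe",
              dns_queries=("virtualdailyplanner.pro",)),
    ProcEvent(104, r"C:\Python312\python.exe",
              r'"C:\Python312\python.exe" -v script.py', r"C:\Windows\explorer.exe"),
    ProcEvent(105, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for pid, hits in scan(EVENTS):
        print(pid, ", ".join(hits))
```

Because MeowMeow exits when it sees Wireshark, ProcMon or Fiddler in its own process list, endpoint telemetry of this kind, collected outside the process by the EDR or Sysmon, is a more reliable source than watching the sample from inside a stock analysis VM; if you do detonate it manually, run the capture tools under non-default process names.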
A critical discovery in the code supports the Russian attribution. Researchers found regex strings written in Russian rather than Ukrainian, such as a match for “работоспособного состояния” (working/operational condition).
ClearSky concludes that these artifacts suggest either an “operational security (OPSEC) error by failing to localize the code” or development leftovers that were inadvertently left in the final production phase.
For organizations in the region, the campaign is a reminder of the evolving sophistication of state-aligned threats that blend high-end obfuscation with simple, psychological lures.