Researchers from the ClearSky Team uncovered a targeted Russian cyber campaign against Ukraine, leveraging two previously unseen malware strains, BadPaw and MeowMeow. The attack begins with a phishing email linking to a ZIP archive containing a Ukrainian-language lure on border crossing appeals. Once opened, a .NET-based loader, BadPaw, establishes C2 (command and control) channels and deploys MeowMeow, a sophisticated backdoor designed for stealth and persistence. Both strains are heavily obfuscated using .NET Reactor and include advanced defenses, as they remain dormant unless triggered with specific parameters and can detect sandbox or virtual environments, terminating execution to evade analysis.
In its report titled ‘Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow,’ ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor and with low confidence to the specific group APT28 (Fancy Bear). The campaign demonstrates a deliberate, highly targeted approach to maintaining access while avoiding detection in critical Ukrainian networks.
The assessment is based on a three-pronged analysis. The campaign’s focus on Ukrainian entities, combined with the geopolitical nature of the lure, aligns with Russian strategic objectives. The presence of Russian-language strings within the code indicates a development environment native to the region. Additionally, the multi-stage infection chain, use of .NET-based loaders, and specific obfuscation techniques reflect tradecraft consistent with previously observed Russian cyber operations.
At the time of analysis, only nine antivirus engines flagged the file as malicious. Researchers have named the malware BadPaw, a loader designed to establish communication with a C2 server and download additional malicious components.
BadPaw includes multiple evasion and defense mechanisms. If the file is executed outside the intended attack chain, the malware activates a decoy routine instead of its malicious payload. In this scenario, it launches a legitimate-looking graphical interface for a ‘Regex Finder’ tool that allows users to upload files and search for regex patterns. By presenting this functional interface, the malware masks its embedded malicious logic and prevents its primary payload from running, making detection and analysis more difficult.
ClearSky researchers noted that the malicious logic is only activated when the malware is executed using the ‘-renew’ parameter. “An additional layer of defense employed by BadPaw is the use of .NET Reactor, a commercial protection and obfuscation tool for .NET assemblies. This packer obfuscates the underlying code to hinder static analysis and reverse engineering.”
When executed with the required parameter, the malware establishes communication with the C2 server, triggering several key actions. The infected system first sends a request to which the server responds with a simple numeric string, ‘500.’ A further request initially returns a landing page labeled ‘Telemetry UP!’ Subsequent requests to the /eventmanager endpoint deliver different data, indicating that the C2 infrastructure uses a staged or state-aware response mechanism to control the next phase of the attack.
In the second stage, the server returns a standard HTML page that contains a block of ASCII (American Standard Code for Information Interchange) encoded data embedded between the markers /ContactFormGroup and ContactFormGroup/. The ASCII block is decoded to reconstruct an additional malware component. After decoding, the malware contacts a URL, where encrypted data is transmitted through the AddCssStyle! parameter. The malware then drops three files onto the compromised system.
The first file stores configuration data received from the server through the /planneractivate endpoint. The second file contains the raw ASCII data originally retrieved from the /eventmanager request. The final component is an executable created after the ASCII payload is converted back into a standard string. This file, named MeowMeowProgram[dot]exe, functions as a persistent backdoor.
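As an added analyst-side example (not ClearSky’s code and not part of the report), the following Python carves the block between the /ContactFormGroup and ContactFormGroup/ markers out of a captured second-stage HTTP response, decodes it, and records the size, SHA-256 and PE-header check an analyst would log. The report does not state the exact ASCII encoding used, so the example assumes space-separated decimal character codes; the HTML response is constructed sample data, not real traffic.

```python
import hashlib
import re
from typing import Optional

# Markers named in the ClearSky report. The report does not state how the block
# between them is encoded, so this example ASSUMES space-separated decimal codes.
START_MARKER = "/ContactFormGroup"
END_MARKER = "ContactFormGroup/"


def extract_encoded_block(html: str) -> Optional[str]:
    """Return the raw text between the two markers, or None if they are absent."""
    pattern = re.escape(START_MARKER) + r"(.*?)" + re.escape(END_MARKER)
    match = re.search(pattern, html, re.DOTALL)
    return match.group(1).strip() if match else None


def decode_ascii_block(block: str) -> bytes:
    """Turn whitespace-separated decimal character codes into bytes."""
    out = bytearray()
    for token in block.split():
        value = int(token)  # ValueError on a non-numeric token: fail loudly
        if not 0 <= value <= 255:
            raise ValueError(f"byte value out of range: {value}")
        out.append(value)
    return bytes(out)


def carve_stage(html: str) -> Optional[dict]:
    """Carve the embedded stage and return the metadata an analyst would record."""
    block = extract_encoded_block(html)
    if block is None:
        return None
    payload = decode_ascii_block(block)
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",  # Windows executables start with MZ
    }


# Constructed sample response (not real C2 traffic): a plain HTML page carrying
# an encoded stub that starts with the "MZ" signature followed by filler bytes.
SAMPLE_HTML = (
    "<html><body><p>Contact form</p>\n"
    "<!-- /ContactFormGroup 77 90 144 0 3 0 0 0 ContactFormGroup/ -->\n"
    "</body></html>"
)
```

Run against a real capture, the decoder raises on any response that does not match the assumed encoding, which is the signal to inspect the block by hand rather than trust the output.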
Consistent with the BadPaw tradecraft, if this executable is launched outside the intended attack chain, it runs a decoy routine instead of activating its malicious capabilities. In this mode, the program displays a graphical interface featuring a cat image, mirroring the visual theme of the original image file used to deliver the malware.
“When the ‘MeowMeow’ button within the decoy GUI is clicked, the application simply displays a ‘Meow Meow Meow’ message, performing no further malicious actions,” ClearSky said in its report. “This serves as a secondary functional decoy to mislead manual analysis. Conversely, the malicious logic is only activated when the malware is executed with a specific parameter, -v, provided by the initial infection chain.”
The ‘MeowMeow’ backdoor incorporates four distinct layers of protection, mirroring the tradecraft observed in the BadPaw malware. These include the requirement of a unique runtime parameter to trigger malicious code, the use of .NET Reactor to hinder static analysis, checks to ensure the malware is running on a target system rather than a sandbox, and routine monitoring for forensic and monitoring tools running in the background.
The code ClearSky captured after partially removing the .NET Reactor protection layers shows the process checks the malware uses to identify analysis tools. The code scans for ‘well-known’ forensic and debugging utilities, including Wireshark, Procmon, OllyDbg, and Fiddler, among others. It also checks whether it is running inside a virtualized environment, a common technique used to detect sandbox or research systems.
The malware includes built-in shell functionality that enables the threat actor to remotely execute PowerShell commands on the compromised host. In addition, the backdoor supports a range of file system operations, including verifying whether specific files exist and the ability to delete, write, and read data from local storage.
The researchers identified that strings within the code are written in Russian rather than Ukrainian, which supports the assessment of a Russian-based threat actor. “When translated, one of the strings reads: ‘Time to reach working/operational condition: (d+) seconds.’ The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase.”
Earlier this month, Trellix researchers exposed a stealthy espionage campaign by Russian state-backed group APT28, also known as Fancy Bear or UAC-0001, targeting European military and government bodies, with a sharp focus on maritime and transport organizations. The activity spans Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The attackers moved quickly, weaponizing a newly disclosed Microsoft Office one-day vulnerability, CVE-2026-21509, within 24 hours of its public disclosure. Spear-phishing documents exploiting the flaw were used to compromise Ukrainian government agencies and EU institutions.
