APT28’s “MeowMeow” Campaign Targets Ukraine with BadPaw Loader
- Javier Conejo del Cerro
- 1 day ago
- 4 min read

A new cyber-espionage campaign targeting Ukrainian organizations has been uncovered, involving two previously undocumented malware families: BadPaw and MeowMeow. Researchers attribute the operation with moderate confidence to the Russian state-linked group APT28.
The campaign relies on carefully staged phishing, multi-layered loaders, and stealth techniques designed to evade analysis environments. By combining deceptive documents, sandbox checks, hidden payloads inside images, and modular malware delivery, the attackers establish persistent access and remote control over compromised systems.
Phase 1: Phishing & Target Validation
The attack begins with a phishing email sent from ukr[.]net, a legitimate Ukrainian email service used to increase credibility.
Inside the email is a link that appears to lead to a ZIP archive. However, before the victim even downloads anything, the link first loads a very small image acting as a tracking pixel.
This tracking pixel serves a strategic purpose:
- It confirms to the attacker that the target clicked the link.
- Only after this confirmation is the victim redirected to a second URL that delivers the malicious archive.
This step allows the operators to verify engagement before deploying the malware, improving operational efficiency and reducing unnecessary exposure.
Phase 2: Decoy Documents & Environment Checks
Once the ZIP archive is downloaded and extracted, the victim launches an HTA (HTML Application) file.
The HTA performs two simultaneous actions:
- Displays a decoy document to the victim
- Executes malicious activity in the background
The displayed document contains a Ukrainian-language message confirming receipt of a government appeal related to border crossing procedures.
This geopolitical lure is specifically crafted to match the Ukrainian context and maintain the illusion of legitimacy.
At the same time, the malware performs sandbox-evasion checks. It queries the Windows registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
This value reveals when Windows was installed.
If the system appears too new (less than 10 days old), the malware assumes it may be running inside an analysis sandbox and terminates execution.
Phase 3: Payload Extraction & Persistence
If the environment appears legitimate, the attack proceeds.
The HTA locates the downloaded archive and extracts two files:
- A VBScript
- A PNG image
Both are saved under new names on the victim’s system.
The malware then establishes persistence by creating a scheduled task, ensuring the malicious script runs automatically.
The VBScript’s primary role is to extract hidden malware embedded inside the PNG image.
This technique allows attackers to hide executable code inside what appears to be a harmless image file, bypassing many traditional detection methods.
Phase 4: BadPaw Loader Deployment
The code extracted from the PNG image is an obfuscated .NET loader called BadPaw.
BadPaw acts as a stage-two loader, responsible for:
- Contacting a remote command-and-control (C2) server
- Downloading additional components
- Launching the next stage of the attack
One of the downloaded payloads is a backdoor executable named MeowMeow.
BadPaw also includes deception mechanisms. If executed outside the full infection chain, it runs dummy code displaying a graphical interface with a cat image.
Clicking the “MeowMeow” button simply displays the message:
Meow Meow Meow
This fake interface is designed to mislead analysts during manual investigation.
Phase 5: MeowMeow Backdoor Activation
The final payload, MeowMeow, becomes active only under very specific conditions.
First, it must be launched with a command-line parameter:
-v
This parameter is provided by the earlier stages of the infection chain.
Second, the malware checks for analysis tools, including:
- Wireshark
- Procmon
- Ollydbg
- Fiddler
If any of these tools are detected, the malware stops execution.
When the environment appears safe, MeowMeow activates its backdoor functionality.
Capabilities include:
- Remote PowerShell command execution
- File system operations (read, write, delete)
- System interaction via attacker commands
- Potential file access and data exfiltration
These capabilities give the operators full remote control over compromised systems.
Attribution to APT28
Researchers attribute the campaign with moderate confidence to the Russian state-linked group APT28.
This assessment is based on:
- Targeting patterns focused on Ukrainian organizations
- The geopolitical lure themes
- Overlaps with previous Russian cyber-espionage tradecraft
- Russian-language strings found within the malware source code
The presence of Russian text in the code suggests either:
- An operational security mistake by the developers, or
- Development artifacts left during malware compilation.
Organizations can reduce exposure to this type of campaign by implementing the following controls:
- Block or quarantine ZIP archives delivered via phishing emails
- Detect and restrict HTA execution
- Monitor for suspicious VBScript activity
- Inspect image files for embedded payloads or abnormal behavior
- Monitor creation of scheduled tasks linked to unknown scripts
- Deploy EDR detection for PowerShell abuse
- Detect outbound traffic to suspicious C2 infrastructure
- Monitor registry queries related to InstallDate sandbox checks
- Detect unusual script activity extracting code from PNG images
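The controls above, and the Phase 2 InstallDate check in particular, only become useful when they are correlated across stages rather than fired one at a time. The following is an added example of that correlation, not code from the report or from any vendor product. The telemetry is constructed in a simplified Sysmon-like shape; the hostnames, user paths, file names and the svc.exe parent are invented for the example and are not indicators from the campaign. The stage names and the "three stages on one host" threshold are assumptions to tune locally.

```python
import ntpath
from collections import defaultdict

# Script hosts that run the stages on this page (mshta for the HTA, wscript for the VBScript).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# The registry value the HTA reads for its sandbox check (from the report).
INSTALLDATE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"

# Constructed telemetry (not real logs): ws01 shows the staged chain, ws02 shows benign noise.
EVENTS = [
    {"host": "ws01", "ts": 1, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r'mshta.exe "C:\Users\u\Downloads\appeal.hta"'},
    {"host": "ws01", "ts": 2, "type": "registry", "image": r"C:\Windows\System32\mshta.exe",
     "key": INSTALLDATE_KEY},
    {"host": "ws01", "ts": 3, "type": "file", "image": r"C:\Windows\System32\mshta.exe",
     "path": r"C:\Users\u\AppData\Roaming\upd.vbs"},
    {"host": "ws01", "ts": 3, "type": "file", "image": r"C:\Windows\System32\mshta.exe",
     "path": r"C:\Users\u\AppData\Roaming\cat.png"},
    {"host": "ws01", "ts": 4, "type": "task", "image": r"C:\Windows\System32\mshta.exe",
     "action": r"wscript.exe C:\Users\u\AppData\Roaming\upd.vbs"},
    {"host": "ws01", "ts": 9, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmd": r"wscript.exe C:\Users\u\AppData\Roaming\upd.vbs"},
    {"host": "ws01", "ts": 10, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\AppData\Roaming\svc.exe", "cmd": "powershell.exe -NoProfile -Command Get-Process"},
    # ws02: an installer reading InstallDate and an admin opening PowerShell from the desktop
    {"host": "ws02", "ts": 1, "type": "registry", "image": r"C:\Windows\System32\msiexec.exe",
     "key": INSTALLDATE_KEY},
    {"host": "ws02", "ts": 2, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe"},
]


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def stages_for_host(events):
    """Map one host's events onto the stages of the chain; returns the set of stage names hit."""
    hit = set()
    dropped_ext = set()
    for e in events:
        img = base(e.get("image", ""))
        t = e["type"]
        if t == "process" and img == "mshta.exe":
            hit.add("1_hta_execution")
        elif t == "registry" and img in SCRIPT_HOSTS and e["key"].lower() == INSTALLDATE_KEY.lower():
            hit.add("2_installdate_check_from_script_host")  # benign installers also read this key
        elif t == "file" and img in SCRIPT_HOSTS:
            dropped_ext.add(ntpath.splitext(e["path"])[1].lower())
        elif t == "task" and ".vbs" in e["action"].lower():
            hit.add("4_scheduled_task_runs_vbs")
        elif t == "process" and img in ("wscript.exe", "cscript.exe") and ".vbs" in e["cmd"].lower():
            hit.add("5_vbscript_launched")
        elif t == "process" and img == "powershell.exe" and "\\appdata\\" in e.get("parent", "").lower():
            hit.add("6_powershell_from_appdata_parent")  # heuristic for a dropped binary driving PowerShell
    if {".vbs", ".png"} <= dropped_ext:
        hit.add("3_script_host_dropped_vbs_and_png")
    return hit


def correlate(events, min_stages=3):
    """Group events per host and alert on hosts where at least min_stages stages were observed."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        stages = stages_for_host(sorted(evs, key=lambda e: e["ts"]))
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, stages)
```

The InstallDate rule on its own would page on every installer that reads the key; scoped to script hosts and counted together with the HTA launch, the VBS/PNG drop and the task creation, it becomes a useful signal for this chain.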
The BadPaw–MeowMeow campaign highlights how modern espionage malware increasingly blends social engineering, evasion tactics, and modular loaders.
Rather than relying on single-stage payloads, attackers now build layered infection chains that include tracking pixels, environment checks, decoy documents, hidden payload carriers, and conditional backdoor activation.
The use of images to conceal malware, sandbox-aware logic, and staged loaders demonstrates the sophistication of the operation and its focus on long-term covert access rather than rapid disruption.
For defenders, this campaign reinforces a key lesson: detecting modern threats requires monitoring behavioral patterns across multiple stages, not just identifying malicious files.
The Hacker News