BadPaw
BadPaw is a .NET Framework 4.6 trojan downloader/loader disguised as a legitimate Windows Forms regex utility named "RegularExpressionExplorer," presenting a functional GUI facade while hiding malicious behavior. Public reporting describes it as a .NET-based loader used in a phishing campaign targeting Ukrainian organizations and entities, in which victims receive emails—reportedly from ukr[.]net-hosted addresses—linking to a ZIP archive. The archive contains a disguised HTA lure related to Ukrainian border-crossing appeals or permits; the HTA performs sandbox-evasion checks, including validating the Windows install date, and can establish persistence via a scheduled task. A VBScript then extracts hidden payload data from a PNG image using steganography, yielding the BadPaw PE loader.
Once executed in the intended chain, BadPaw establishes command-and-control communication and deploys a second-stage backdoor, MeowMeow. Reporting states BadPaw uses a task-based HTTPS C2 design with methods such as GetTaskRequest(), GetUrlRequest(), and SendResultRequest(), authenticates with a token and a victim serial derived from a MurmurHash of hardware identifiers, and uses AES for payload encryption, RSA for key exchange, and MD5 for hashing. It fingerprints victims through multiple WMI queries covering MAC address, disk serial number, motherboard serial, BIOS information, computer system details, OS identity, and process ID. Registry queries related to AMSI, Windows Defender, Defender real-time protection policies, PassiveMode, and SystemSetupInProgress were also observed.
BadPaw includes extensive anti-analysis and evasion features. Reported protections include .NET Reactor obfuscation, SuppressIldasm, anti-debugging via Debugger.IsAttached, possible clrjit.dll/JIT-hook checks, SHA1 and section-level integrity verification, sandbox detection, sleep-timing checks, event-log inspection, uptime analysis, and runtime reconstruction of split Win32 API strings. Analysis also found evidence of a process-injection workflow involving APIs such as FindResourceA, OpenProcess, VirtualAlloc, WriteProcessMemory, and VirtualProtect, with indications that the injected payload is compressed and dynamically generated using DynamicMethod, ILGenerator, and DeflateStream. In some reporting, BadPaw remains dormant or displays benign dummy GUI behavior unless launched with specific parameters.
BadPaw has been linked in public reporting to a Russia-linked campaign against Ukraine and attributed by ClearSky with high confidence to a Russia-linked cyberespionage group and, with lower (moderate or low) confidence, specifically to APT28 (Fancy Bear/Forest Blizzard/Blue Delta), based on Ukrainian targeting, Russian-language code artifacts, and tradecraft overlap. One source also notes the APT28 ZIP → HTA → VBS → loader chain, with BadPaw described as a partial or differing execution chain. Known sample metadata includes SHA256 6cad470e10c09151b5d337a082a088cfe25d697ef295e02759e1e68e8b3bbbcb and the filenames RegularExpressionExplorer.exe, HelperForLibraries.exe, and 15n21.exe.
Groups observed using it
1 distinct threat actor attributed by public researchers.
APT28: ZIP → HTA → VBS → loader (BadPaw); partial, different execution chain
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (7 techniques)
BadPaw builds a comprehensive victim profile through seven WMI queries via the SOS class
Endpoint: Search for scheduled tasks created by CreateOrUpdateTask()
Persistence (2 techniques)
Privilege Escalation (3 techniques)
Stealth (10 techniques)
Layer 1: .NET Reactor -- Commercial obfuscation mangles all method and field names into GUID-like strings ... A SuppressIldasm attribute blocks the standard .NET disassembler outright.
“A VBS script then retrieves hidden payload data embedded within an image using steganography…”
Layer 5: API String Splitting -- Win32 API names are split across the .NET #US heap ... These are reassembled at runtime via Marshal.GetDelegateForFunctionPointer. Static string scanners see nothing.
Process Injection Chain ... OpenProcess obtains a handle to the target, VirtualAlloc reserves memory, WriteProcessMemory writes the payload, and VirtualProtect flips the page to executable.
The PE compilation timestamp is falsified to 2039, an anti-forensics measure.
Layer 4: Sandbox Detection -- The Sand class implements IsSandBox() for environment fingerprinting, CheckSleep() for timing-based detection ... and a Windows EventLog reader that checks for sandbox-indicator events. System uptime analysis rounds it out -- fresh VMs have short uptimes.
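The falsified 2039 compile timestamp noted above is cheap to check during triage. The following Python is an added example, not code from the page or from the cited reporting: it reads the COFF TimeDateStamp from a PE header and flags values that lie in the future; the stub PE bytes are constructed here for testing and are not from a BadPaw sample.

```python
import struct
from datetime import datetime, timedelta, timezone

# COFF header layout: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_FMT = "<HHIIIHH"


def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The COFF header follows the 4-byte signature; TimeDateStamp is at offset 4 within it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess_timestamp(data: bytes, now=None, slack=timedelta(days=2)) -> dict:
    """Classify a PE's compile timestamp as 'future' (e.g. the 2039 trick), 'zero' or 'plausible'."""
    now = now or datetime.now(timezone.utc)
    ts = pe_timestamp(data)
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc)
    if ts == 0:
        verdict = "zero"
    elif stamp > now + slack:            # slack tolerates ordinary clock skew on a build host
        verdict = "future"
    else:
        verdict = "plausible"
    return {"timestamp": ts, "year": stamp.year, "iso": stamp.isoformat(), "verdict": verdict}


def build_stub_pe(ts: int) -> bytes:
    """Constructed minimal PE (DOS header + signature + COFF header) for testing; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 1, ts, 0, 0, 0, 0x0102)  # i386, 1 section, EXE | 32-bit
    return bytes(dos) + b"PE\0\0" + coff


# The falsified year reported for BadPaw, expressed as an epoch value (constructed test input)
FUTURE_2039 = int(datetime(2039, 1, 1, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    for label, ts in (("falsified", FUTURE_2039), ("ordinary", 1700000000)):
        print(label, assess_timestamp(build_stub_pe(ts)))
```

Treat a "future" verdict as a lead rather than proof: deterministic .NET builds write a content hash into TimeDateStamp, so a nonsense date on its own does not establish deliberate tampering.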
Discovery (6 techniques)
Defender Reconnaissance Before any malicious activity, BadPaw queries the registry for the state of Windows Defender: HKLM\SOFTWARE\Microsoft\AMSI ... HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PassiveMode ...
Before phoning home, BadPaw builds a comprehensive victim profile through seven WMI queries ... MAC address, Disk serial number, Motherboard serial, BIOS information, Computer system details, OS identity string, Process ID.
Command and Control (3 techniques)
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A .NET Framework 4.6 trojan downloader that masquerades as a legitimate regex testing utility while using layered anti-analysis protections including obfuscation, anti-debugging, anti-tamper checks, sandbox detection, API string splitting, WMI-based host fingerprinting, Defender reconnaissance, structured HTTPS C2 communications, and a process injection chain to deploy an embedded payload.
A newly reported malware family used in a phishing campaign targeting Ukrainian organizations.
One of a newly reported malware pair used in a Russian campaign targeting Ukraine.
Russian APT targets Ukraine with BadPaw and MeowMeow malware