APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine
ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the BadPaw loader and the MeowMeow backdoor. The infection chain begins with a lure email (sent from ukr[.]net to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks.
The activity was attributed with moderate confidence to APT28 based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including SHADOWSNIFF, SALATSTEALER, and a Go backdoor DEAFTICKK attributed to UAC-0252), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Campaign linked with moderate confidence to APT28
Based on the campaign’s targeting, geopolitical lures, overlaps with prior Russian tradecraft, and Russian-language code strings, ClearSky assessed with moderate confidence that the activity is connected to the Russian state-sponsored group APT28. The report also described MeowMeow’s capabilities, including sandbox evasion, remote PowerShell execution, and file operations.
ClearSky identifies BadPaw and MeowMeow campaign targeting Ukraine
ClearSky reported a Russian-linked cyber campaign targeting Ukrainian entities with a phishing chain that deploys two previously undocumented malware families, the BadPaw loader and MeowMeow backdoor. The intrusion uses a border-crossing themed Ukrainian-language lure and a tiny tracking-image style mechanism to confirm victim clicks before delivering the archive.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor
A **Russia-linked phishing campaign** has targeted Ukrainian entities using emails that lure recipients into downloading a ZIP archive, leading to installation of two newly identified malware families: the **BadPaw** loader and the **MeowMeow** backdoor. Reporting based on ClearSky’s analysis describes messages sent from addresses hosted on Ukrainian service **ukr[.]net**, with a redirect to a ZIP containing a Ukraine-themed border checkpoint/permit lure; opening the archive triggers execution that downloads **BadPaw**, which then establishes C2 and deploys **MeowMeow**. The malware chain is designed to complicate analysis and evade detection. ClearSky reported **BadPaw** as a **.NET-based loader** and noted use of the **.NET Reactor** packer/obfuscator, while **MeowMeow** provides backdoor functionality including file enumeration and data read/write/delete operations. Additional defensive measures include conditional execution (components remaining inert unless launched with specific parameters) and environment checks by MeowMeow to detect sandboxes or analysis tooling (e.g., *Wireshark*, *ProcMon*, *Fiddler*). Based on infrastructure and tradecraft indicators (including ukr[.]net-hosted sender addresses), researchers attributed the activity with **low confidence** to **APT28** (aka **Fancy Bear/Forest Blizzard/Blue Delta**).
Mar 21, 2026
Cloaked Ursa Phishes Diplomats With Repurposed Lures and Cloud-Backed Malware
Unit 42 reported that **Cloaked Ursa**—also tracked as **APT29**, **Midnight Blizzard**, **Nobelium**, and **Cozy Bear**—ran phishing campaigns against diplomatic targets in **Ukraine** and **Turkey**, using lures tied to diplomats’ personal and professional interests. In one operation, the group repurposed a legitimate BMW-for-sale flyer originally sent by a Polish Ministry of Foreign Affairs diplomat and redistributed malicious versions to diplomatic missions in Kyiv, reaching at least **22 foreign missions**. A separate campaign targeted the **Turkish Ministry of Foreign Affairs** with a lure themed around humanitarian assistance guidance following the February 2023 earthquakes. The phishing chain redirected victims through URL shorteners to a compromised website that delivered malware through **HTA**, **ISO**, and **LNK** files disguised as PNG images, followed by **DLL sideloading**. Researchers said the payload used the **Microsoft Graph API** and **Dropbox** for command-and-control and shared code and tradecraft with previously reported Cloaked Ursa tooling, including overlap with **QUARTERRIG**, use of `APPVISVSUBSYSTEMS64.dll`, anti-analysis checks, shellcode injection, and obfuscated final-stage payloads. The activity showed a shift toward broadly appealing but individually relevant lures designed to spread more easily within diplomatic circles and improve espionage success.
May 26, 2026
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
Apr 29, 2026