Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor
A Russia-linked phishing campaign has targeted Ukrainian entities using emails that lure recipients into downloading a ZIP archive, leading to installation of two newly identified malware families: the BadPaw loader and the MeowMeow backdoor. Reporting based on ClearSky’s analysis describes messages sent from addresses hosted on Ukrainian service ukr[.]net, with a redirect to a ZIP containing a Ukraine-themed border checkpoint/permit lure; opening the archive triggers execution that downloads BadPaw, which then establishes C2 and deploys MeowMeow.
The malware chain is designed to complicate analysis and evade detection. ClearSky reported BadPaw as a .NET-based loader and noted use of the .NET Reactor packer/obfuscator, while MeowMeow provides backdoor functionality including file enumeration and data read/write/delete operations. Additional defensive measures include conditional execution (components remaining inert unless launched with specific parameters) and environment checks by MeowMeow to detect sandboxes or analysis tooling (e.g., Wireshark, ProcMon, Fiddler). Based on infrastructure and tradecraft indicators (including ukr[.]net-hosted sender addresses), researchers attributed the activity with low confidence to APT28 (aka Fancy Bear/Forest Blizzard/Blue Delta).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ClearSky attributes Ukraine-targeting campaign to a Russia-linked espionage actor
ClearSky assessed with high confidence that the operation is linked to a Russian cyberespionage group, citing Ukrainian targeting, Russian-language code artifacts, and overlaps with prior Russian tradecraft. The researchers said attribution to APT28 was lower confidence, with one report describing it as low confidence and another as lower to moderate confidence.
Researchers disclose technical details of BadPaw and MeowMeow malware
Analysis revealed that the lure uses a disguised HTA file showing a Ukrainian-language border-crossing decoy while executing malicious stages, including sandbox-evasion checks, scheduled-task persistence, and steganographic extraction of a hidden payload from an image. Researchers said BadPaw acts as a .NET loader that establishes command-and-control and deploys MeowMeow, an advanced backdoor with anti-analysis checks and file access capabilities.
Russian phishing campaign targets Ukrainian organizations with new malware
Researchers reported a phishing campaign targeting Ukrainian entities using emails from ukr.net-hosted addresses and links to a ZIP archive disguised as a Ukrainian border checkpoint permit. The infection chain delivers the newly identified BadPaw loader, which then installs the MeowMeow backdoor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine
ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the **BadPaw** loader and the **MeowMeow** backdoor. The infection chain begins with a lure email (sent from `ukr[.]net` to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks. The activity was attributed with **moderate confidence** to **APT28** based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including **SHADOWSNIFF**, **SALATSTEALER**, and a Go backdoor **DEAFTICKK** attributed to **UAC-0252**), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.
Mar 21, 2026
Void Blizzard (Laundry Bear) Charity-Themed Lures Deliver PluggyApe Backdoor to Ukraine’s Defense Forces
Ukraine’s CERT (CERT-UA) reported a cyber-espionage campaign targeting representatives of **Ukraine’s Defense Forces** between October and December 2025, using social-engineering lures themed around charitable foundations. Victims were contacted via **Signal** and **WhatsApp** and directed to charity-impersonation websites or sent password-protected archives that purported to contain documents but instead delivered executable payloads (including `*.docx.pif`), sometimes sent directly through the messaging apps. The activity was attributed with **medium confidence** to the Russia-aligned threat actor **Void Blizzard** (also tracked as **Laundry Bear** and **UAC-0190**). The campaign deployed a previously undocumented backdoor dubbed **PluggyApe**, built as a Python executable packaged with **PyInstaller**, which profiles infected hosts, establishes persistence via **Windows Registry** modification, and enables remote command execution. CERT-UA noted an evolution in late 2025 from earlier loader naming patterns (e.g., `*.pdf.exe`) to **PIF-based delivery** and an updated **PluggyApe v2** featuring stronger obfuscation, **MQTT-based** command-and-control, and additional anti-analysis checks.
Mar 21, 2026
Cloaked Ursa Phishes Diplomats With Repurposed Lures and Cloud-Backed Malware
Unit 42 reported that **Cloaked Ursa**—also tracked as **APT29**, **Midnight Blizzard**, **Nobelium**, and **Cozy Bear**—ran phishing campaigns against diplomatic targets in **Ukraine** and **Turkey**, using lures tied to diplomats’ personal and professional interests. In one operation, the group repurposed a legitimate BMW-for-sale flyer originally sent by a Polish Ministry of Foreign Affairs diplomat and redistributed malicious versions to diplomatic missions in Kyiv, reaching at least **22 foreign missions**. A separate campaign targeted the **Turkish Ministry of Foreign Affairs** with a lure themed around humanitarian assistance guidance following the February 2023 earthquakes. The phishing chain redirected victims through URL shorteners to a compromised website that delivered malware through **HTA**, **ISO**, and **LNK** files disguised as PNG images, followed by **DLL sideloading**. Researchers said the payload used the **Microsoft Graph API** and **Dropbox** for command-and-control and shared code and tradecraft with previously reported Cloaked Ursa tooling, including overlap with **QUARTERRIG**, use of `APPVISVSUBSYSTEMS64.dll`, anti-analysis checks, shellcode injection, and obfuscated final-stage payloads. The activity showed a shift toward broadly appealing but individually relevant lures designed to spread more easily within diplomatic circles and improve espionage success.
May 26, 2026