A newly identified malware campaign leveraging a Ukrainian email service to build credibility has been uncovered by cybersecurity researchers.
The operation begins with an email sent from an address hosted on ukr[.]net, a popular Ukrainian provider previously abused by the Russian-linked threat actor APT28 in past campaigns.
According to an advisory by researchers at ClearSky, who have named the malware “BadPaw,” the attack is triggered when a recipient clicks a link claiming to host a ZIP archive. Instead of initiating a direct download, the victim is redirected to a domain that loads a tracking pixel, allowing the attacker to confirm engagement. A second redirect then delivers the ZIP file.
Although the archive appears to contain a standard HTML file, ClearSky researchers found it is actually an HTA application in disguise. Once executed, the file displays a decoy document referencing a Ukrainian government border crossing appeal, while malicious processes run in the background.
Read more on malware evasion techniques: “Digital Parasite” Warning as Attackers Favor Stealth for Extortion
Before proceeding, the malware checks a Windows Registry key to determine the system’s installation date. If the operating system is less than ten days old, execution stops, a tactic designed to avoid sandbox environments used by security analysts.
If conditions are met, the malware searches for the original ZIP file and extracts additional components. Persistence is achieved through a scheduled task that runs a VBS script, which uses steganography to extract hidden executable code from an image file.
Only nine antivirus engines detected the payload at the time of analysis.
Multi-Layered Backdoor and Attribution
Once activated with a specific parameter, BadPaw connects to a command-and-control (C2) server. The staged communication process includes:
-
Retrieving a numeric response from the /getcalendar endpoint
-
Accessing a landing page titled “Telemetry UP!” via /eventmanager
-
Downloading ASCII-encoded payload data embedded within HTML
The decoded data ultimately deploys a backdoor named “MeowMeowProgram[.]exe,” which provides remote shell access and file system control.
The MeowMeow backdoor incorporates four defensive layers, including runtime parameter requirements, .NET Reactor obfuscation, sandbox detection and monitoring for forensic tools such as Wireshark, Procmon, Ollydbg and Fiddler.
If executed incorrectly, it displays a benign graphical interface featuring a cat image. Clicking the “MeowMeow” button simply generates a harmless message.
ClearSky also identified Russian-language strings embedded in the code. One translated line reads: “Time to reach working/operational condition: (d+) seconds.”
According to ClearSky, these artifacts may indicate a Russian-speaking developer or an operational oversight in failing to localize the malware for Ukrainian targets.
