{"id":4752,"date":"2026-03-07T18:36:54","date_gmt":"2026-03-07T18:36:54","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/03\/07\/multi-stage-badpaw-malware-campaign-targets-ukraine\/"},"modified":"2026-03-07T18:36:54","modified_gmt":"2026-03-07T18:36:54","slug":"multi-stage-badpaw-malware-campaign-targets-ukraine","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/07\/multi-stage-badpaw-malware-campaign-targets-ukraine\/","title":{"rendered":"Multi-Stage &#8220;BadPaw&#8221; Malware Campaign Targets Ukraine"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Cybersecurity researchers have uncovered a newly identified malware campaign that uses a Ukrainian email service to lend its lures credibility.<\/p>\n<p>The operation begins with an email sent from an address hosted on ukr[.]net, a popular Ukrainian provider that the Russian-linked threat actor APT28 has abused in earlier campaigns.<\/p>\n<p>According to an advisory by researchers at ClearSky, who have named the malware &#8220;BadPaw,&#8221; the attack is triggered when a recipient clicks a link that claims to host a ZIP archive. Instead of starting a direct download, the link sends the victim to a domain that loads a tracking pixel, letting the attacker confirm that the target engaged. A second redirect then delivers the ZIP file.<\/p>\n<p>Although the archive appears to contain a standard HTML file, ClearSky researchers found that it is actually an HTML Application (HTA) in disguise. 
Once executed, the file displays a decoy document referencing a Ukrainian government border-crossing appeal while the malicious stages run in the background.<\/p>\n<p>Before proceeding, the malware reads a Windows Registry key to determine when the operating system was installed. If the installation is less than ten days old, execution stops: analysis sandboxes are typically built from freshly installed images, so a young install date is treated as a sign that the sample is being examined rather than running on a real target.<\/p>\n<p>If the check passes, the malware locates the original ZIP file and extracts additional components from it. Persistence is achieved through a scheduled task that runs a VBS script, which uses steganography to recover hidden executable code from an image file.<\/p>\n<p>Only nine antivirus engines detected the payload at the time of analysis.<\/p>\n<h3><strong>Multi-Layered Backdoor and Attribution<\/strong><\/h3>\n<p>Once launched with a specific parameter, BadPaw connects to a command-and-control (C2) server. The staged communication proceeds as follows:<\/p>\n<ul>\n<li>\n<p>Retrieving a numeric response from the \/getcalendar endpoint<\/p>\n<\/li>\n<li>\n<p>Accessing a landing page titled &#8220;Telemetry UP!&#8221; via \/eventmanager<\/p>\n<\/li>\n<li>\n<p>Downloading ASCII-encoded payload data embedded within HTML<\/p>\n<\/li>\n<\/ul>\n<p>The decoded data ultimately deploys a backdoor named &#8220;MeowMeowProgram[.]exe,&#8221; which provides remote shell access and file system control.<\/p>\n<p>The MeowMeow backdoor incorporates four defensive layers: a required runtime parameter, .NET Reactor obfuscation, sandbox detection, and monitoring for analysis tools such as Wireshark, Procmon, OllyDbg and Fiddler.<\/p>\n<p>If run without the expected parameter, it displays a benign graphical interface featuring a cat image. 
Clicking the &#8220;MeowMeow&#8221; button simply produces a harmless message.<\/p>\n<p>ClearSky also identified Russian-language strings embedded in the code. One translated line reads: &#8220;Time to reach working\/operational condition: (d+) seconds.&#8221;<\/p>\n<p>According to ClearSky, these artifacts may point to a Russian-speaking developer, or to an operational lapse in which the malware was never localized for its Ukrainian targets.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":4753,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4752","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aa
d0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4752-1a11aad0-22bc-4b10-80c7-893771623b78-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4752","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4752"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4752\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4753"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4752"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4752"},{"taxonomy":"post_tag","embeddable":true,"h
ref":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4752"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
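Triage of the ZIP lure described in the article, as an added example; this is not ClearSky's tooling nor anything from the campaign. The advisory summary only says the archive "appears to contain a standard HTML file" that is really an HTA, so the two disguises checked here are assumptions: a trailing .hta hidden behind an earlier .html in the entry name, and a page-like entry whose body carries markup that only mshta.exe acts on. The sample archive and its entry names are constructed in memory.

```python
"""Triage a ZIP attachment for an HTA masquerading as a plain HTML page."""
import io
import re
import zipfile

# Markup that only an HTML Application makes use of: a browser ignores it,
# mshta.exe acts on it. Each entry is (label, pattern over raw bytes).
HTA_MARKERS = [
    ("hta-application-tag", re.compile(rb"<hta:application\b", re.I)),
    ("vbscript-block", re.compile(rb"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)),
    ("wscript-shell", re.compile(rb"\bWScript\.Shell\b", re.I)),
]
PAGE_EXTS = (".html", ".htm")


def triage_zip(data: bytes) -> list:
    """Return one finding per archive entry that looks like a disguised HTA.

    Both heuristics are assumptions about how the disguise works:
    a real .hta extension behind an earlier .html/.htm in the name, and
    page-like entries whose body carries HTA-only markup.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            reasons = []
            if name.endswith(".hta"):
                reasons.append("hta-extension")
                if any(ext in name[:-len(".hta")] for ext in PAGE_EXTS):
                    reasons.append("double-extension")
            if name.endswith(PAGE_EXTS + (".hta",)):
                body = zf.read(info)           # attachments are small; read whole
                for label, pattern in HTA_MARKERS:
                    if pattern.search(body):
                        reasons.append(label)
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one real page and one HTA behind a double extension."""
    benign = b"<html><body><h1>Border crossing appeal</h1></body></html>"
    disguised = (
        b"<html><head><hta:application id='app' showintaskbar='no'/></head>"
        b"<body><script language='VBScript'>"
        b'Set sh = CreateObject("WScript.Shell")'
        b"</script></body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("appeal.html", benign)
        zf.writestr("appeal.html.hta", disguised)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["entry"], "->", ", ".join(finding["reasons"]))
```

The benign page produces no finding; the double-extension entry is flagged for its extension and for all three HTA-only markers. Mail gateways that only look at the last extension miss nothing here, but gateways that trust the icon or the first extension do, which is the point of the double-extension check.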
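The persistence stage above has a VBS script that "uses steganography to extract hidden executable code from an image file", but the advisory summary does not say how the code is hidden. This added example, which is not from ClearSky or the malware, assumes the simplest and most common form in commodity loaders: a payload appended after the image's real end marker, which viewers ignore. It shows how a responder recovers such a payload by parsing the container (JPEG segments, PNG chunks) rather than searching for the last FF D9, which breaks as soon as the payload itself contains those bytes. The JPEG and PNG samples are constructed byte strings, not real files.

```python
"""Find data appended after an image's real end-of-image marker."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG segments and return the offset just past the EOI marker.

    An rfind of FF D9 is not reliable: EXIF thumbnails carry their own EOI
    and an appended payload can contain FF D9 too, so the file is parsed
    segment by segment instead.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                    # EOI
            return pos + 2
        if marker == 0xFF:                                    # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                    # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                     # a real marker follows
                pos += 1
    raise ValueError("no EOI marker found")


def png_end_offset(data: bytes) -> int:
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                                 # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image's true end (empty for a clean file)."""
    if data[:2] == b"\xff\xd8":
        end = jpeg_end_offset(data)
    elif data[:8] == PNG_SIG:
        end = png_end_offset(data)
    else:
        raise ValueError("unsupported image type")
    return data[end:]


def naive_trailing_payload(data: bytes) -> bytes:
    """The shortcut that fails once the payload itself contains FF D9."""
    return data[data.rfind(b"\xff\xd9") + 2:]


# --- constructed samples (not real files) ---------------------------------
SAMPLE_PAYLOAD = b"MZ\x90\x00\xff\xd9 fake appended executable"


def build_sample_jpeg(payload: bytes) -> bytes:
    """Minimal JPEG skeleton: SOI, APP0, a tiny scan with a stuffed FF and an RST marker, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                   # FF 00 is stuffed, FF D0 is RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(payload: bytes) -> bytes:
    """Signature, a 1x1 greyscale IHDR and IEND (no IDAT; the walker never decodes pixels)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"") + payload
```

Run over a directory of images dropped by the VBS stage, a non-empty return from trailing_payload is the artefact to carve and hash; the naive rfind version returns a truncated blob for the JPEG sample because the fake payload contains FF D9 itself. Least-significant-bit steganography, the other form the word can mean, leaves no trailing bytes and needs a different detector.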
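A hunt for the staged C2 sequence in web-proxy logs, added here as an example and not ClearSky's detection content. The two endpoint paths (/getcalendar followed by /eventmanager) and the "Telemetry UP!" landing-page title come from the article; the log format, the server names, the client addresses and the five-minute pairing window are all constructed for the example, and the C2 domains are left as .invalid placeholders because the advisory summary does not name them.

```python
"""Hunt for BadPaw's staged C2 sequence in web-proxy logs."""
import re
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)\s+(?P<status>\d{3})$"
)
STAGE_ONE, STAGE_TWO = "/getcalendar", "/eventmanager"   # endpoints named in the article
TITLE_RE = re.compile(r"<title>\s*Telemetry UP!\s*</title>", re.I)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_staged_c2(lines, window=timedelta(minutes=5)):
    """Flag (client, host, t_getcalendar, t_eventmanager) when one client hits
    /getcalendar and then /eventmanager on the same host within `window`.

    Records are sorted by timestamp first, so log order does not matter; an
    /eventmanager seen before /getcalendar, or too long after it, is ignored.
    """
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    pending = {}                     # (client, host) -> time of latest /getcalendar
    hits = []
    for rec in records:
        key = (rec["client"], rec["host"])
        path = rec["path"].split("?", 1)[0]
        if path == STAGE_ONE:
            pending[key] = rec["ts"]
        elif path == STAGE_TWO and key in pending:
            if rec["ts"] - pending[key] <= window:
                hits.append((rec["client"], rec["host"], pending[key], rec["ts"]))
                del pending[key]
    return hits


def is_badpaw_landing(html: str) -> bool:
    """True if a captured /eventmanager body carries the "Telemetry UP!" title."""
    return TITLE_RE.search(html) is not None


# Constructed sample: .15 shows the full sequence, .16 is too slow, .17 is reversed.
SAMPLE_LOG = """\
2026-03-07T09:58:10Z 10.20.0.15 GET http://update.example.invalid/getcalendar 200
2026-03-07T09:58:11Z 10.20.0.15 GET http://update.example.invalid/eventmanager 200
2026-03-07T09:59:00Z 10.20.0.16 GET http://intranet.corp.invalid/getcalendar 200
2026-03-07T10:40:00Z 10.20.0.16 GET http://intranet.corp.invalid/eventmanager 200
2026-03-07T10:01:00Z 10.20.0.17 GET http://intranet.corp.invalid/eventmanager 200
2026-03-07T10:02:00Z 10.20.0.17 GET http://intranet.corp.invalid/getcalendar 200
"""

if __name__ == "__main__":
    for client, host, t1, t2 in find_staged_c2(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: /getcalendar at {t1:%H:%M:%S}, /eventmanager at {t2:%H:%M:%S}")
```

Only 10.20.0.15 is flagged. Both paths are generic enough to appear on legitimate sites, which is why the rule requires the ordered pair on the same host within a short window and, where the proxy retains bodies, the title check on the second response; the numeric /getcalendar reply and the HTML-embedded payload are the next things to pull from the capture once a pair fires.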