# Full Report
Researchers from the ClearSky Team uncovered a targeted Russian cyber campaign against Ukraine, leveraging two previously unseen malware... The post ClearSky exposes Russian cyber operation targeting Ukraine with newly discovered BadPaw, MeowMeow malware appeared first on Industrial Cyber.
# Analysis Summary
# Threat Actor: Russian State-Aligned (Low Confidence: APT28)
## Attribution & Identity
ClearSky Team attributes this campaign with **high confidence** to a Russian state-aligned threat actor. There is **low confidence** attribution specifically to **APT28 (Fancy Bear)**. The attribution is based on the use of Russian-language strings in the code, tradecraft consistent with previous Russian operations, and alignment with Russian strategic geopolitical goals.
## Activity Summary
Researchers identified a 2026 cyber campaign targeting Ukraine using a newly discovered malware duo: **BadPaw** and **MeowMeow**. The operation uses a multi-stage infection chain that begins with spear-phishing and relies heavily on evasion to maintain a persistent presence within critical Ukrainian networks.
## Tactics, Techniques & Procedures
* **Spear-Phishing:** Delivery via emails containing ZIP archives with geopolitical lures (e.g., appeals regarding Ukrainian border crossings).
* **Obfuscation:** Extensive use of **.NET Reactor**, a commercial protection tool, to hinder static analysis and reverse engineering.
* **Defense Evasion:**
  * **Decoy Payload:** If executed without a specific parameter (`-renew`), the malware displays a legitimate-looking "Regex Finder" tool to mask its malicious logic.
  * **Environment Awareness:** Capabilities to detect sandboxes or virtual environments and terminate execution.
  * **Staged Execution:** Malicious components are only activated upon specific C2 triggers and command-line parameters.
* **C2 Communication:** Multi-stage communication using specific endpoints like `/eventmanager` and `/planneractivate`.
* **Data Encoding:** Usage of ASCII-encoded data embedded between specific HTML markers (`/ContactFormGroup`) to deliver secondary payloads.
* **Persistence:** Deployment of the MeowMeow backdoor.
## Targeting
* **Sectors:** Critical Infrastructure, Government, and Border Security.
* **Geography:** Ukraine.
* **Victims:** Ukrainian entities involved in border crossing appeals and related administrative functions.
## Tools & Infrastructure
* **BadPaw:** A .NET-based loader designed for initial C2 establishment and payload delivery.
* **MeowMeow:** A sophisticated .NET backdoor designed for stealth, persistence, and data exfiltration.
* **Infrastructure:**
  * **Endpoints:** `hxxp[:]//[domain]/eventmanager`, `hxxp[:]//[domain]/planneractivate`.
  * **Markers:** Uses the `AddCssStyle!` parameter for transmitting encrypted data.
## Implications
This campaign represents a refined level of Russian cyber tradecraft focused on long-term intelligence gathering and persistence. The use of "sleeper" logic (parameters required for activation) and functional decoys suggests a strategic intent to bypass automated sandbox analysis and human triage, ensuring that only targeted victims are fully infected.
## Mitigations
* **Parameter Monitoring:** Monitor for suspicious .NET execution involving unknown command-line arguments like `-renew`.
* **Binary Analysis:** Use advanced de-obfuscation tools capable of handling .NET Reactor to inspect suspiciously large .NET assemblies.
* **Email Security:** Block ZIP attachments from external sources containing LNK files or executable content mimicking administrative documents.
* **Network Filtering:** Monitor and flag traffic to unusual URI endpoints mimicking legitimate management services (e.g., `eventmanager` or `planneractivate`) on non-standard domains.
* **Endpoint Detection:** Deploy EDR solutions capable of detecting a "living-off-the-land" transition, where a legitimate-looking tool begins encrypted network communications.
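As an added, illustrative detection sketch (not part of the ClearSky report or its tooling), the following Python scans constructed process-creation and proxy log lines for the two indicators the mitigations above call out: the `-renew` activation argument and requests to the `/eventmanager` and `/planneractivate` URI paths. The pipe-delimited log formats, hostnames, IPs and timestamps are assumptions; adapt the parsers to your own telemetry.

```python
from urllib.parse import urlsplit

# Indicators taken from the report; everything else in this block is constructed.
SUSPICIOUS_ARGS = {"-renew"}                               # activation switch for the BadPaw decoy
SUSPICIOUS_PATHS = {"/eventmanager", "/planneractivate"}   # C2 endpoints named in the report

# Constructed sample process-creation telemetry: "ts|host|image|commandline"
PROCESS_LOG = """\
2026-01-10T08:01:02Z|ws-17|C:\\Users\\u\\Downloads\\RegexFinder.exe|RegexFinder.exe
2026-01-10T08:02:15Z|ws-17|C:\\Users\\u\\Downloads\\RegexFinder.exe|RegexFinder.exe -renew
2026-01-10T08:03:00Z|ws-22|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# Constructed sample proxy log: "ts|src_ip|method|url|status"
PROXY_LOG = """\
2026-01-10T08:02:20Z|10.1.1.17|POST|http://example.invalid/eventmanager|200
2026-01-10T08:02:21Z|10.1.1.17|GET|http://example.invalid/planneractivate?x=1|200
2026-01-10T08:02:30Z|10.1.1.22|GET|https://updates.example.invalid/index.html|200
"""

def flag_process_events(log: str) -> list[dict]:
    """Return process events whose arguments (not the image name) carry a suspicious switch.
    Comparison is case-insensitive so '-Renew' is caught as well."""
    hits = []
    for line in log.splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        args = {tok.lower() for tok in cmdline.split()[1:]}
        found = args & SUSPICIOUS_ARGS
        if found:
            hits.append({"ts": ts, "host": host, "image": image, "args": sorted(found)})
    return hits

def flag_http_requests(log: str) -> list[dict]:
    """Return proxy requests whose URI path matches a known C2 endpoint.
    Query strings and a trailing slash are ignored so '/eventmanager/' still matches."""
    hits = []
    for line in log.splitlines():
        ts, src, method, url, status = line.split("|", 4)
        parts = urlsplit(url)
        path = parts.path.rstrip("/").lower()
        if path in SUSPICIOUS_PATHS:
            hits.append({"ts": ts, "src": src, "host": parts.hostname, "path": path})
    return hits

if __name__ == "__main__":
    for hit in flag_process_events(PROCESS_LOG) + flag_http_requests(PROXY_LOG):
        print("ALERT", hit)
```

A hit on both signals from the same endpoint within a short window is the stronger signal; either alone warrants pulling the binary for .NET Reactor de-obfuscation as described under Binary Analysis.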