BadPaw multi-stage backdoor deployment targeting Ukraine
Malware Activity
Summary
Researchers uncovered BadPaw, a multi-stage malware operation that uses ukr[.]net-hosted email lures and staged redirects to install a backdoor on Ukrainian targets. The chain hides a fake ZIP archive, disguises an HTA file as HTML, and uses a tracking pixel to confirm that the recipient engaged. It then establishes persistence with a scheduled task and VBS script before staging MeowMeowProgram[.]exe for remote shell access and file system control. The malware also includes anti-analysis checks and tool detection, making it harder to study and easier to conceal.
Related Happenings
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
APT28 Ukrainian phishing campaign deploying BadPaw and MeowMeow
Campaign
First: 05.03.2026 12:10
Last: 05.03.2026 12:10
Sources 1
How related:
Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow.
About this happening:
The **APT28**-linked campaign is actively targeting **Ukrainian entities** with **phishing emails** that lead to staged malware delivery and **MeowMeow** backdoor deployment, incr...
BadPaw ukr[.]net credibility-building redirect campaign targeting Ukraine
Campaign
First: 04.03.2026 16:30
Last: 04.03.2026 16:30
Sources 1
How related:
A newly identified malware campaign leveraging a Ukrainian email service to build credibility has been uncovered by cybersecurity researchers.
About this happening:
The **BadPaw** campaign is using **ukr[.]net** email and redirect checks to appear credible and confirm engagement before delivering its payload, increasing the chance that **Ukra...
APT28 NotDoor Outlook backdoor activity
Malware Activity
First: 03.09.2025 23:49
Last: 03.09.2025 23:49
Sources 1
About this happening:
The **NotDoor** backdoor is giving **APT28** a covert way to abuse **Microsoft Outlook** for **command execution** and **data exfiltration**, expanding the threat group's reach on...
Timeline
04.03.2026 16:30 2 articles · 2mo ago
ClearSky discloses BadPaw campaign targeting Ukraine
Initial Disclosure: ClearSky identifies BadPaw as a multi-stage malware campaign targeting Ukraine. The chain begins with an email sent from ukr[.]net to build credibility, using a link that first loads a tracking pixel and then delivers a ZIP archive that is actually an HTA application in disguise. It continues through a scheduled task, a VBS script, and steganography to stage MeowMeowProgram[.]exe for remote shell access and file system control. The malware also checks the Windows Registry for a system installation date under ten days old to avoid sandbox environments and looks for forensic tools such as Wireshark, Procmon, OllyDbg and Fiddler, while embedded Russian-language strings suggest possible developer-origin clues.
- Multi-Stage "BadPaw" Malware Campaign Targets Ukraine — www.infosecurity-magazine.com — 04.03.2026 16:30
- APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine — thehackernews.com — 05.03.2026 12:10