BadPaw ukr[.]net credibility-building redirect campaign targeting Ukraine

Campaign · Happening score: 36 · 1 unique source, 1 article

Summary

The BadPaw campaign is using ukr[.]net email and redirect checks to appear credible and confirm engagement before delivering its payload, increasing the chance that Ukraine-linked recipients will execute the infection chain. The operation combines a tracking pixel, a staged ZIP delivery, and a disguised HTA file to move victims toward backdoor installation.

Related Happenings

APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities

Campaign
First: 19.03.2026 16:55 Last: 19.03.2026 16:55 Sources 1

About this happening: **APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...

APT28 Ukrainian phishing campaign deploying BadPaw and MeowMeow

Campaign
First: 05.03.2026 12:10 Last: 05.03.2026 12:10 Sources 1

About this happening: The **APT28**-linked campaign is actively targeting **Ukrainian entities** with **phishing emails** that lead to staged malware delivery and **MeowMeow** backdoor deployment, incr...

BadPaw multi-stage backdoor deployment targeting Ukraine

Malware Activity
First: 04.03.2026 16:30 Last: 04.03.2026 16:30 Sources 1

How related: The decoded data ultimately deploys a backdoor named "MeowMeowProgram[.]exe," which provides remote shell access and file system control.

About this happening: Researchers uncovered **BadPaw**, a multi-stage **malware** operation that uses **ukr[.]net**-hosted email lures and staged redirects to install a backdoor on **Ukrainian** target...

Fancy Bear (APT28) Microsoft Office exploitation campaign targeting Ukrainian and EU organizations

Campaign
First: 02.02.2026 14:45 Last: 02.02.2026 14:45 Sources 1

About this happening: **Fancy Bear (APT28)** is linked to an **active espionage campaign** that used a **custom Covenant** implant and **BeardShell** against **Ukrainian targets** since **April 2024**....

Latest development: 10.03.2026 12:00

ESET says APT28 has used a custom variant of Covenant together with BeardShell since April 2024 against Ukrainian targets, including Ukrainian military personnel and central executive bodies of Ukraine, with recent attacks exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files. Covenant is the primary implant and BeardShell is the fallback, while Icedrive, Filen, Koofr, and pCloud are used for C2 infrastructure.

Microsoft Office actively exploited security feature bypass (CVE-2026-21509)

Vulnerability
First: 27.01.2026 09:19 Last: 27.01.2026 09:19 Sources 1

About this happening: **CVE-2026-21509** is a **7.8 CVSS** Microsoft Office **security feature bypass** that was **actively exploited** to bypass **OLE mitigations** and deliver malicious Office files....

Timeline

  1. 04.03.2026 16:30 · 2 articles

    BadPaw campaign disclosed targeting Ukraine

    Initial Disclosure

    A newly identified BadPaw malware campaign targets Ukraine by sending emails from ukr[.]net to appear credible, redirecting recipients through a tracking pixel before delivering a ZIP archive that is actually an HTA application, then using a scheduled task and VBS script for persistence and hidden payload extraction. The staged chain ultimately connects to a C2 server, deploys MeowMeowProgram[.]exe for remote shell and file system control, checks whether the host is less than ten days old to evade sandboxes, and includes anti-analysis checks for tools such as Wireshark, Procmon, Ollydbg and Fiddler; Russian-language strings in the code suggest a Russian-speaking developer or localization oversight.