APT28 Ukrainian phishing campaign deploying BadPaw and MeowMeow
Campaign
Summary
The APT28-linked campaign is actively targeting Ukrainian entities with phishing emails that lead to staged malware delivery and MeowMeow backdoor deployment, increasing the risk of initial access and post-compromise control. The infection chain uses a ZIP archive, an HTA lure document, and a .NET-based loader called BadPaw to fetch follow-on payloads. The activity matters because the backdoor can execute PowerShell commands and perform file system operations on compromised hosts. The attribution was made with moderate confidence based on the targeting footprint, lure themes, and technique overlap with prior Russian operations.
Related Happenings
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Campaign
First: 19.03.2026 16:55
Last: 19.03.2026 16:55
Sources 1
About this happening:
**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
APT28 long-term espionage campaign targeting Ukrainian military personnel
Campaign
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel
Malware Activity
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...
BadPaw multi-stage backdoor deployment targeting Ukraine
Malware Activity
First: 04.03.2026 16:30
Last: 04.03.2026 16:30
Sources 1
How related:
In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow.
About this happening:
Researchers uncovered **BadPaw**, a multi-stage **malware** operation that uses **ukr[.]net**-hosted email lures and staged redirects to install a backdoor on **Ukrainian** target...
Timeline
- 05.03.2026 12:10 · 2 articles
Researchers disclose BadPaw and MeowMeow campaign targeting Ukrainian entities
Initial Disclosure: Researchers disclosed a new Russian cyber campaign targeting Ukrainian entities with two previously undocumented malware families, BadPaw and MeowMeow. The delivery chain uses a phishing email from ukr[.]net that points to a ZIP archive, an HTA lure document about Ukrainian border-crossing appeals, sandbox checks against the Windows Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate", a scheduled task for persistence, and a PNG-hidden VBScript that extracts BadPaw, contacts a remote server, and deploys MeowMeow for remote PowerShell execution and file read, write, and delete operations. The backdoor is activated with the "-v" parameter and avoids analysis environments by checking for tools like Wireshark, Procmon, Ollydbg, and Fiddler. ClearSky assessed the activity with moderate confidence as APT28-linked based on the targeting footprint, the geopolitical nature of the lures, overlaps with previous Russian cyber operations, and Russian-language strings in the source code.
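A defender-side hunt over process-creation telemetry for the chain stages this disclosure names (HTA lure from the ZIP, VBScript carved from the PNG, scheduled-task persistence, PowerShell launched by the backdoor), as an added example that is not ClearSky's or the article's code. It assumes Sysmon-style events with image, command_line and parent_image fields; the user-writable path list, the sample events and every path in them are constructed, not indicators from the report.

```python
"""Hunt logic for the BadPaw/MeowMeow delivery chain described above.
Added example (not ClearSky's or the article's code). It keys on the stages the
write-up names: HTA lure, VBScript extracted from a PNG, scheduled-task persistence,
PowerShell run by the backdoor. Assumes Sysmon-style process-creation events with
image / command_line / parent_image fields; all paths and names are constructed."""
import re

# Directories a phished user can write to; the lure chain runs from here (assumption).
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Temp)\\", re.I)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of every chain stage a single event matches."""
    image, cmd, parent = _basename(event["image"]), event["command_line"], event["parent_image"]
    hits = []
    if image == "mshta.exe" and re.search(r"\.hta\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("hta_lure_from_user_path")          # stage 1: HTA lure out of the ZIP
    if image in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd, re.I) \
            and USER_WRITABLE.search(cmd):
        hits.append("vbscript_from_user_path")          # stage 2: VBScript carved from the PNG
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and (
            USER_WRITABLE.search(cmd) or re.search(r"[wc]script\.exe|mshta\.exe", cmd, re.I)):
        hits.append("scheduled_task_persistence")       # stage 3: persistence task
    if image == "powershell.exe" and USER_WRITABLE.search(parent):
        hits.append("powershell_from_user_path_parent") # stage 4: backdoor running PowerShell
    return hits

def triage(events) -> list:
    """Return [(rule, image)] for every matching event, in log order."""
    return [(rule, e["image"]) for e in events for rule in classify(e)]

# Constructed sample telemetry, not real events from the campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "C:\Users\alice\Downloads\appeal\Appeal.hta"'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'schtasks.exe /create /tn Updater /tr "wscript.exe C:\Users\alice\AppData\Roaming\u.vbs" /sc minute /mo 10'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"wscript.exe C:\Users\alice\AppData\Roaming\u.vbs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\loader.exe",
     "command_line": "powershell.exe -nop -c Get-ChildItem C:\\"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign: system parent
     "parent_image": r"C:\Windows\System32\svchost.exe", "command_line": "powershell.exe -File C:\\x.ps1"},
]
```

Each rule alone is noisy on an admin workstation; the value is in seeing two or more stages on the same host within a short window, which is how the chain above presents.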
Sources:
- APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine — thehackernews.com — 05.03.2026 12:10