Russian hackers deploy new malware in phishing campaign targeting Ukraine

Steven

Russian hackers deploy new malware in phishing campaign targeting Ukraine

Summary

Researchers at ClearSky have uncovered a suspected Russian espionage campaign targeting Ukrainian recipients that uses two previously undocumented malware strains. The attack starts with a phishing email containing a ZIP archive; the malicious document inside is written in Ukrainian and poses as a border-crossing permit. When opened, the archive drops a loader called BadPaw, which subsequently installs a backdoor named MeowMeow. MeowMeow provides remote access and can read, write and delete files on infected systems, while also checking for virtual machines and analysis tooling to avoid detection. ClearSky attributes the operation with high confidence to a Russian state-aligned actor and with low confidence to APT28 (aka Fancy Bear). CERT-UA has separately reported other campaigns targeting Ukrainian government institutions this week.

Key Points

  • The campaign uses a Ukrainian-language lure (a purported border permit) delivered via ZIP attachment in phishing emails.
  • A malware loader named BadPaw installs a second-stage backdoor called MeowMeow on compromised machines.
  • MeowMeow can enumerate, read, write and delete local files and gives attackers persistent remote access.
  • Both BadPaw and MeowMeow include anti-analysis checks; MeowMeow self-terminates if it detects VMs or sandbox tools.
  • ClearSky links the activity to a Russian state-aligned actor (high confidence) and tentatively to APT28 (low confidence); emails originated from ukr.net addresses previously abused in similar campaigns.

Context and relevance

This fits a broader pattern of Russian-aligned cyber-espionage focused on Ukrainian targets, combining social-engineering lures tied to local issues with bespoke malware that resists analysis. For security teams, the campaign underlines persistent threats against government and defence-related organisations and the continued use of credential-harvesting and backdoor toolsets by state-aligned groups. CERT-UA’s separate reporting this week of other information-stealing campaigns highlights a multi-pronged pressure campaign on Ukrainian cyber infrastructure.

Why should I read this?

Short version: if you care about Ukraine, run services tied to the country, or just want to know what modern state-sponsored phishing looks like — this is worth two minutes. It shows fresh malware (BadPaw and MeowMeow), clever local-language lures and sandbox-evasion tricks that make detection harder. Handy heads-up for defenders and analysts.

Source

Source: https://therecord.media/russian-ukraine-hackers-malware