APT28 “BadPaw / MeowMeow” Campaign
Overview of the Incident
A targeted cyber-espionage campaign has been identified involving the Russian state-linked threat group commonly known as APT28 (also referred to as Fancy Bear). The operation focuses on Ukrainian organizations and appears to be designed primarily for intelligence collection rather than immediate disruption.
The attackers used carefully crafted phishing emails to trick victims into opening malicious attachments. Once the attachment is executed, a staged malware infection begins. The first stage involves a loader named BadPaw, which prepares the compromised system and deploys a more advanced backdoor called MeowMeow.
The MeowMeow backdoor allows the attackers to access files, monitor activity on the system, and communicate with remote command servers. This enables the threat actors to quietly gather sensitive information from the infected environment over time.
The campaign demonstrates a classic multi-stage intrusion chain that combines social engineering with stealthy malware deployment.
What Happened
Security analysts identified a wave of targeted phishing emails sent to Ukrainian government and institutional email accounts. The emails appeared legitimate and were often sent from addresses belonging to common Ukrainian email service providers.
Attached to the email was a compressed ZIP archive that looked like a normal document or report. Once the user extracted and ran the file inside the archive, the system became infected.
The infection process occurred in multiple stages:
- Victim receives a phishing email.
- Victim downloads and opens a ZIP attachment.
- A malicious executable inside the archive is launched.
- The executable installs the BadPaw loader.
- BadPaw decrypts and loads the MeowMeow backdoor.
- The backdoor connects to attacker-controlled command servers.
From that point onward, the attackers gain persistent remote access to the infected machine.
How the Attack Happened
The attackers relied primarily on spear-phishing, which means the emails were tailored for specific organizations or individuals.
The emails were designed to look legitimate and often contained:
• Government documents
• Security advisories
• Administrative notices
• Internal communications
Because the sender addresses came from legitimate Ukrainian email domains, the messages were less likely to be flagged as suspicious.
The ZIP archive attachment usually contained one of the following:
• A disguised executable file
• A document with a malicious embedded executable
• A shortcut file launching malware
When the victim executed the file, the malware chain started.
Initial Access Vector
The primary entry point was phishing emails with malicious ZIP attachments.
No evidence indicates exploitation of a software vulnerability in this stage. Instead, the attack relies on user interaction, meaning the victim must open and execute the file.
This technique is commonly used in espionage campaigns because it avoids triggering many automated security defenses.
Payloads Used
The attack uses two main payloads.
1. BadPaw Loader
BadPaw is a .NET-based malware loader.
Its purpose is to act as the initial stage that prepares the system for the main malware.
Key functions include:
• Decrypting embedded payloads
• Executing malware in memory
• Establishing persistence
• Avoiding detection by security tools
BadPaw typically runs in memory after being launched by the initial malicious file. It decrypts the next payload and loads it without writing it to disk when possible.
This makes detection more difficult for traditional antivirus solutions.
2. MeowMeow Backdoor
MeowMeow is the primary espionage tool used in this campaign.
Once installed, it provides attackers with persistent access to the compromised machine.
Capabilities include:
• File browsing and manipulation
• Uploading and downloading files
• Executing commands remotely
• Gathering system information
• Monitoring user activity
• Establishing communication with remote command servers
The malware can periodically check in with the attacker’s infrastructure to receive instructions.
Because it operates quietly in the background, infected systems may remain compromised for long periods without detection.
Persistence Mechanisms
The malware establishes persistence to survive system reboots.
Common techniques observed include:
• Scheduled tasks
• Registry run keys
• Startup folder entries
These methods allow the malware to automatically launch whenever the system starts.
Command and Control Communication
After installation, the backdoor attempts to contact remote servers controlled by the attackers.
Communication is typically encrypted or obfuscated to avoid detection.
The malware periodically sends information such as:
• System hostname
• Operating system details
• User privileges
• File listings
The command server then responds with instructions such as executing commands or transferring files.
Systems Impacted
The campaign appears to target organizations in Ukraine, particularly in sectors related to national security and governance.
Likely affected sectors include:
• Government agencies
• Military organizations
• Critical infrastructure
• Media organizations
• Policy institutions
The goal appears to be long-term intelligence collection rather than destructive attacks.
Indicators of Compromise (IOCs)
Below are common indicators associated with this campaign.
Suspicious File Types
Watch for the following file patterns:
*.zip attachments containing executable files
*.exe files disguised as documents
*.lnk files inside archives
Common file naming patterns:
Report_Update.zip
Security_Notice.zip
Document_Report.exe
Update_Document.exe
Suspicious Process Behavior
Look for unexpected execution of:
powershell.exe
cmd.exe
rundll32.exe
mshta.exe
Spawned by suspicious executables located in:
%TEMP%
%APPDATA%
%LOCALAPPDATA%
Suspicious Network Activity
Potential command-and-control indicators:
Frequent outbound HTTPS connections to unknown domains
Connections shortly after opening suspicious attachments
Encrypted traffic to uncommon external servers
Traffic patterns may show regular beaconing intervals.
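The beaconing check described here (and again under threat hunting query 3 below) can be reduced to a statistic over connection timestamps: a timer-driven check-in produces inter-connection gaps with a small coefficient of variation, while human browsing does not. The following is an added example, not part of the original report; the connection records, host names and the thresholds (six connections minimum, 15% jitter) are constructed assumptions a hunter would tune against their own flow logs.

```python
"""Flag host/destination pairs whose connection timing looks like fixed-interval beaconing.

Added example, not part of the original report; the connection records are
constructed and the thresholds are assumptions a hunter would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Tuple

Conn = Tuple[str, str, datetime]  # (source host, destination, connection time)


def beacon_candidates(conns: List[Conn], min_connections: int = 6,
                      max_jitter: float = 0.15) -> List[Tuple[Tuple[str, str], int, float]]:
    """Return (pair, mean interval in seconds, coefficient of variation) for regular talkers.

    The coefficient of variation (stdev / mean of inter-connection gaps) sits near 0
    for a timer-driven check-in and grows large for bursty, human-driven traffic.
    """
    by_pair = defaultdict(list)
    for host, dst, ts in conns:
        by_pair[(host, dst)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            hits.append((pair, round(avg), round(cv, 3)))
    return hits


def constructed_connections() -> List[Conn]:
    """Constructed sample: one host checking in every ~5 minutes, two behaving normally.

    Destination addresses come from the RFC 5737 documentation ranges.
    """
    base = datetime(2024, 1, 1, 9, 0, 0)
    beacon_offsets = [0, 303, 598, 905, 1196, 1501, 1800, 2102]   # 300 s timer with jitter
    browse_offsets = [0, 15, 20, 400, 410, 1200, 1205, 3000]      # bursty, human-driven
    conns = [("WS01", "203.0.113.10:443", base + timedelta(seconds=s)) for s in beacon_offsets]
    conns += [("WS02", "cdn.example.net:443", base + timedelta(seconds=s)) for s in browse_offsets]
    conns += [("WS03", "198.51.100.7:443", base + timedelta(seconds=s)) for s in (0, 600, 1200)]
    return conns


if __name__ == "__main__":
    for (host, dst), interval, cv in beacon_candidates(constructed_connections()):
        print(f"{host} -> {dst}: every ~{interval}s (cv={cv})")
```

Only WS01 is reported: its gaps average 300 seconds with a coefficient of variation under 0.02, while WS02's browsing pattern fails the jitter test and WS03 has too few connections to judge. Raise `max_jitter` if the implant you are hunting randomizes its sleep, and feed the function destination names after DNS resolution so that a single C2 behind several IPs is still grouped together.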
Registry Indicators
Persistence may be added in:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Suspicious registry values may point to executables in temporary folders.
Anti-Analysis and Evasion
The malware attempts to avoid detection using several techniques.
These may include:
• Code obfuscation
• Encrypted payloads
• In-memory execution
• Delayed execution timers
• Environment checks
Some samples attempt to detect if they are running in sandbox environments and will stop execution if analysis tools are detected.
Detection Guidance
Security teams should monitor for unusual execution patterns.
Behavior to Monitor
• Execution of files from compressed archives
• New executables running from temporary directories
• Suspicious child processes spawned by document files
• Unusual scheduled tasks created after email attachments are opened
Detection Rule (Sigma Style)
title: Suspicious Execution from ZIP Extracted Directory
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '.exe'
        CommandLine|contains:
            - 'AppData'
            - 'Temp'
    condition: selection
fields:
    - Image
    - CommandLine
    - ParentImage
Threat Hunting Guidance
Threat hunters should look for anomalies across endpoints.
Key hunting queries include:
1. Executables launched from archive extraction paths
Search for processes launched from:
Downloads
Temp
AppData
2. Suspicious Parent-Child Relationships
Examples:
explorer.exe → suspicious.exe
winword.exe → powershell.exe
excel.exe → cmd.exe
3. Network Beaconing
Look for systems that connect to the same external IP address repeatedly at fixed intervals.
This behavior often indicates command-and-control communication.
4. Persistence Artifacts
Investigate:
New scheduled tasks
Startup folder additions
Registry Run keys
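The process, parent-child and persistence checks listed above (and the process and registry indicators in the IOC section) can be run together over endpoint telemetry. The following is an added example, not part of the original report: it implements the report's Sigma selection alongside the parent-child and persistence rules, over constructed Sysmon-style events whose field names (Image, CommandLine, ParentImage, Data, TaskAction) are assumptions about the telemetry source.

```python
"""Hunt over constructed Windows telemetry for the behaviours this report lists.

Added example, not part of the original report: event shape and field names
are assumptions modelled on Sysmon-style process, registry and task events.
"""
from typing import List, Tuple

# Folders the report names as the usual home of extracted archives and dropped loaders.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
ENV_FOLDERS = ("%temp%", "%appdata%", "%localappdata%")

# Script and utility hosts the report says to watch, and the Office parents
# that should not normally be launching them.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe"}


def in_user_writable_dir(path: str) -> bool:
    """True if a path (raw or %VAR%-prefixed) lives under Downloads, Temp or AppData."""
    p = path.strip().strip('"').lower()
    return p.startswith(ENV_FOLDERS) or any(m in p for m in USER_WRITABLE_MARKERS)


def basename(path: str) -> str:
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]


def sigma_selection(ev: dict) -> bool:
    """The report's Sigma selection; Sigma string matching is case-insensitive."""
    image = ev["Image"].lower()
    cmd = ev["CommandLine"].lower()
    return image.endswith(".exe") and ("appdata" in cmd or "temp" in cmd)


def suspicious_parent_child(ev: dict) -> bool:
    """The parent-child pairs from the hunting guidance."""
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if parent in OFFICE_PARENTS and child in LOLBINS:
        return True  # winword.exe -> powershell.exe, excel.exe -> cmd.exe
    if parent == "explorer.exe" and in_user_writable_dir(ev["Image"]):
        return True  # explorer.exe -> suspicious.exe launched from an extraction folder
    # a dropped loader in AppData/Temp spawning a script or utility host
    return child in LOLBINS and in_user_writable_dir(ev["ParentImage"])


def hunt(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, event id) pairs for every event that matches a hunting rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if sigma_selection(ev):
                findings.append(("sigma_exe_from_appdata_or_temp", ev["id"]))
            if suspicious_parent_child(ev):
                findings.append(("suspicious_parent_child", ev["id"]))
        elif ev["type"] == "registry_run" and in_user_writable_dir(ev["Data"]):
            findings.append(("run_key_targets_temp_folder", ev["id"]))
        elif ev["type"] == "scheduled_task" and in_user_writable_dir(ev["TaskAction"]):
            findings.append(("scheduled_task_targets_temp_folder", ev["id"]))
    return findings


# Constructed events; file names follow the naming patterns given in the IOC section.
EVENTS = [
    {"id": 1, "type": "process",
     "Image": r"C:\Users\bob\AppData\Local\Temp\Report_Update\Document_Report.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\Report_Update\Document_Report.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "type": "process", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\helper.dll,Start",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\Update_Document.exe"},
    {"id": 5, "type": "registry_run", "ValueName": "Updater",
     "Data": r"%TEMP%\Update_Document.exe"},
    {"id": 6, "type": "registry_run", "ValueName": "OneDrive",
     "Data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"id": 7, "type": "scheduled_task", "TaskName": r"\Microsoft\Windows\Update Check",
     "TaskAction": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
]

if __name__ == "__main__":
    for rule, event_id in hunt(EVENTS):
        print(f"{rule}: event {event_id}")
```

Events 1, 2, 4, 5 and 7 are flagged; the benign notepad launch and the legitimate OneDrive Run value are not. Note that event 2 (WINWORD.EXE spawning PowerShell) is missed by the Sigma selection alone, because nothing on its command line mentions AppData or Temp, and that the Sigma selection will also match legitimate installers that unpack into Temp. The parent-child and persistence rules are what turn a noisy path match into a usable hunt.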
Mitigation and Prevention
Organizations can reduce exposure to this type of attack through several measures.
Email Security
• Block ZIP attachments from unknown senders
• Enable advanced phishing filtering
• Scan archives for embedded executables

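The archive-scanning control listed here, and the suspicious file types called out in the IOC section, come down to looking inside the ZIP before a user does. The following is an added example, not part of the original report or of any mail gateway product: the archive is constructed in memory, and the extension lists and header checks are assumptions that a gateway operator would tune.

```python
"""Inspect a ZIP attachment for executable content before it reaches a user.

Added example, not part of the original report: the archive below is constructed
in memory and the extension lists are assumptions a mail gateway would tune.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute directly, or that launch something else (.lnk).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk", ".ps1"}
# Extensions a recipient expects in a "report"; used to spot Name.pdf.exe tricks.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
PE_MAGIC = b"MZ"                  # DOS header that opens every Windows executable
LNK_MAGIC = b"\x4c\x00\x00\x00"   # HeaderSize field that opens a Shell Link (.lnk) file


def inspect_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reasons) for every member that does not belong in a document archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            leaf = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in leaf.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(4)  # content check: names lie, headers rarely do
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("document-looking double extension")
            if head.startswith(PE_MAGIC) and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                reasons.append("PE header behind a non-executable name")
            elif head.startswith(PE_MAGIC):
                reasons.append("PE header")
            if head == LNK_MAGIC:
                reasons.append("shell link header")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mixing a benign note with the disguises the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report_Update/readme.txt", "Quarterly summary attached.")
        zf.writestr("Report_Update/Document_Report.exe", PE_MAGIC + b"\x90\x00" * 30)
        zf.writestr("Invoice.pdf", PE_MAGIC + b"\x00" * 60)              # PE content, document name
        zf.writestr("Update_Document.pdf.exe", PE_MAGIC + b"\x00" * 60)  # double extension
        zf.writestr("Security_Notice.lnk", LNK_MAGIC + b"\x00" * 60)     # shortcut launcher
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_archive(build_sample_archive()):
        print(f"{name}: {why}")
```

The header check matters more than the extension list: a member named Invoice.pdf that begins with MZ is still a Windows executable, and a .lnk member is a launcher even though it carries no PE header of its own. In production the same routine should recurse into nested archives and fail closed on password-protected or malformed members, since those are the usual ways past a gateway that only reads file names.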
Endpoint Protection
• Deploy behavior-based EDR tools
• Monitor suspicious process activity
• Restrict execution from temporary directories
User Awareness
Employees should be trained to recognize suspicious emails and attachments.
Users should avoid opening compressed attachments from unknown senders.
Conclusion
The BadPaw and MeowMeow campaign represents a carefully structured cyber-espionage operation targeting Ukrainian organizations. The attackers rely heavily on social engineering to gain initial access, followed by stealthy malware designed to remain hidden while collecting intelligence.
By combining phishing tactics with staged malware deployment, the attackers can infiltrate systems and maintain access for extended periods. Effective defense requires strong email filtering, endpoint monitoring, and proactive threat hunting to detect suspicious behaviors before significant data exposure occurs.
