Russian hackers are deploying cat-themed malware in Ukraine, using decoy documents and fake GUIs to mislead analysts—while quietly stealing data.
Cybersecurity researchers at ClearSky disclosed a new Russian cyber campaign targeting Ukrainian entities with two previously undocumented malware families: BadPaw and MeowMeow.
"The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim," said ClearSky.
The campaign is attributed with moderate confidence to APT28 (a Russian state-sponsored group) based on targeting patterns and geopolitical lures. The phishing emails use ukr[.]net domains and embed a tracking pixel, an 'exceptionally small image', so the operators can confirm which recipients clicked the link.
The HTA file attempts to avoid sandbox detection by reading the Windows Registry value `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate` to determine how long ago the operating system was installed; a very recent install date is a common sign of a freshly provisioned analysis VM. ClearSky noted that the presence of Russian-language strings suggests either an operational security (OPSEC) error or development artifacts left in the code by accident.
"The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error... or they inadvertently left Russian development artifacts within the code," said ClearSky.
MeowMeow's malicious code activates only when the binary is launched with the '-v' command-line argument, and only after it verifies that no forensic tools (Wireshark, Procmon and others) are running. Once active, the malware supports PowerShell command execution, file system operations, and persistence via scheduled tasks.
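The two anti-analysis checks described above (the HTA's InstallDate age check and MeowMeow's check for running forensic tools) can be reproduced from the defender's side to see what the malware would observe in a given sandbox or analysis VM. The following PowerShell script is an added example written for this article; it is not ClearSky's code or code recovered from the malware. The 30-day threshold is an assumption (the report does not state what age the HTA requires), and the process names beyond Wireshark and Procmon are illustrative additions.

```powershell
# Added example: reproduces the two environment checks attributed to the campaign
# (OS install age from the InstallDate registry value, and running forensic tools)
# so an analyst can test what a given sandbox/VM would reveal to the malware.
# Not ClearSky's or the malware's code. The day threshold and the tool names
# beyond Wireshark/Procmon are assumptions for illustration.

param(
    # Assumed threshold: an OS installed more recently than this looks like a fresh sandbox.
    [int]$MinOsAgeDays = 30
)

function Get-OsInstallAge {
    # InstallDate is a REG_DWORD holding seconds since the Unix epoch (UTC).
    $raw = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'InstallDate').InstallDate
    $installed = [DateTimeOffset]::FromUnixTimeSeconds([int64]$raw).UtcDateTime
    [pscustomobject]@{
        InstalledUtc = $installed
        AgeDays      = [math]::Floor(((Get-Date).ToUniversalTime() - $installed).TotalDays)
    }
}

function Get-RunningForensicTools {
    # Wireshark and Procmon are named in the report; the remaining names are
    # common analysis tools added here as assumed examples.
    $watchlist = @('wireshark', 'procmon', 'procmon64', 'procexp', 'procexp64',
                   'x64dbg', 'x32dbg', 'ollydbg', 'ida', 'ida64', 'fiddler')
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $watchlist -contains $_.ProcessName.ToLower() } |
        Select-Object -ExpandProperty ProcessName -Unique
}

$age   = Get-OsInstallAge
$tools = @(Get-RunningForensicTools)

"OS installed (UTC): $($age.InstalledUtc)  age: $($age.AgeDays) days"
if ($age.AgeDays -lt $MinOsAgeDays) {
    "  -> would fail the InstallDate check (looks like a freshly built sandbox)"
} else {
    "  -> passes the InstallDate check"
}

if ($tools.Count -gt 0) {
    "Forensic tools running: $($tools -join ', ')  -> MeowMeow's process check would fail"
} else {
    "No watched forensic tools running -> process check would pass"
}
```

Run it inside the analysis VM before detonating a sample. If the install age is too low, rebuild the image from an older base (or age the snapshot) rather than patching the registry value in a way the sample might also notice; if the process check fires, run the monitoring tools under renamed executables or capture from outside the guest (for example, Wireshark on the host or a network tap) so the sample sees a clean process list.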
Source: Clearskysec | Thehackernews