ClearSky report on BadPaw and MeowMeow Russian malware © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 1 Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow March 2026 Executive Summary © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 2 ClearSky Team has identified a targeted Russian cyber campaign against Ukraine utilizing two novel malware strains, BadPaw and MeowMeow. The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor. To hinder analysis and reverse engineering, both strains are obfuscated using the .NET Reactor packer, signaling a deliberate effort by the threat actors to maintain persistence and evade detection. To ensure persistence and evade discovery, both malware strains incorporate sophisticated defense mechanisms. The campaign employs strict Parameter Validation; the malicious components remain dormant, running only “dummy” code with a benign GUI, unless executed with specific, predefined parameters. Furthermore, the MeowMeow backdoor features advanced environmental awareness. It actively scans for virtual machines and common analysis tools such as Wireshark, ProcMon, and Fiddler, immediately terminating its execution if a sandbox or researcher environment is detected. Attack Chain as part of the Russian campaign utilizing new malware ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor and with low confidence to the specific group APT28 (Fancy Bear). This assessment is based on a three-pronged analysis: • Targeting & Victimology: The focus on Ukrainian entities, combined with the geopolitical nature of the lure, aligns with Russian strategic objectives. • Linguistic Artifacts: The presence of Russian-language strings within the code suggests a development environment native to the region. © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 3 • Tactical Overlap: The multi-stage infection chain, the use of .NET-based loaders, and the specific obfuscation techniques mirror established tradecraft observed in previous Russian cyber operations. © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 4 Research Details An email file sent from Iviv_zagin_dpsu[@]ukr[.]net was recently identified following an upload from Ukraine to a public database. While the file is not currently flagged as malicious by defense systems1, it leverages ukr[.]net, a popular Ukrainian email provider. This service has been frequently used by the Russian threat actor APT28 across multiple campaigns to establish legitimacy and secure the trust of targeted victims. When a user clicks the link purportedly containing the ZIP file, the following two actions are triggered: 1. The user is first redirected to the following URL: https[://]infotrackerstatistic[.]live/open?token=2c5ef1a0fed545aaaf803964bb4da2e3 This URL hosts an exceptionally small image, or tracking pixel. We assess that when this image is loaded, the attacker receives a notification that the link has been clicked. The domain infotrackerstatistic[.]live appears to have been specifically registered by the threat actor for this purpose. 2. Simultaneously, the user is redirected to a secondary link: https[://]cutt[.]ly/0tnHM0nh Navigating to this shortened URL initiates the final download of the ZIP archive. 1 Sha256: 160e40a763dfb518dc6929c2d7838d3f9eafab09eab1e8d0b00c69f6b73d681b © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 5 The retrieved ZIP archive contains a file with an .html extension; however, this is a masquerade. Technical analysis reveals the file is actually an HTA (HTML Application). Upon execution, the HTA file drops and opens a decoy document to distract the user and reduce suspicion. The decoy contains the following text: Left: Original Ukrainian text | Right: English translation The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing. This lure is intended to maintain the veneer of legitimacy while the HTA file executes its secondary stages in the background. To evade detection and identify potential sandbox environments, the HTA file performs an environmental check by inspecting the following Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate By querying this value, the malware calculates the "age" of the operating system. If the system was installed less than ten days prior to execution, the malware terminates. This is a common anti-analysis technique used to avoid execution on freshly provisioned virtual machines or automated analysis sandboxes. Once the environmental requirements are met, the malware initiates a recursive search for the initial ZIP archive titled “Звернення_156” (the original download). Upon locating the archive, it extracts the following secondary components: © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 6 The extracted files are saved under different names to the following path: To ensure persistence on the infected system, a scheduled task is created to execute the VBS file. Upon execution, LibHelperDemo[.]vbs accesses the accompanying image file to extract hidden data, a technique known as steganography. The script parses the image to locate a specific marker, , which is immediately followed by the embedded file size (represented in hex as 00166912, or 166,912 bytes). Following this marker, the header of a portable executable (PE) file becomes visible. This extracted data is then saved as a standalone file. The image file and its embedded technical data are shown below: The downloaded file has the following hash: Sha256: 6cad470e10c09151b5d337a082a088cfe25d697ef295e02759e1e68e8b3bbbcb At the time of analysis, the file is recognized as malicious by only nine antivirus engines. We have named this malware “BadPaw”. Its primary objective is to establish communication with a Command and Control (C2) server to download additional malicious components. BadPaw incorporates several defensive and evasion capabilities. The first layer of defense is triggered if the file is executed outside of the intended attack chain. In this scenario, the malware executes "fake" code designed to present a legitimate-looking Graphical User Interface (GUI) for a "Regex Finder" tool. This interface allows a user to upload files and search for Regex patterns. By presenting this functional decoy, the malware conceals its embedded malicious logic and prevents the execution of its primary payload. © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 7 The malicious logic is only activated when the malware is executed using the "-renew" parameter. An additional layer of defense employed by BadPaw is the use of .NET Reactor, a commercial protection and obfuscation tool for .NET assemblies. This packer obfuscates the underlying code to hinder static analysis and reverse engineering. The following image demonstrates the malware's code as it appears under the protection of .NET Reactor: © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 8 When the executable is run with the required parameter, it establishes communication with the command-and-control (C2) server: virtualdailyplanner[.]pro. This network activity initiates several key actions: Network requests to the attacker-controlled infrastructure are directed to the following URLs: • hxxps[://]virtualdailyplanner[.]pro/getcalendar: The server responds with a simple numeric string: "500". • hxxps[://]virtualdailyplanner[.]pro/eventmanager: The initial response returns a landing page titled: "Telemetry UP!". Subsequent requests to the /eventmanager endpoint result in the delivery of different data. This behavior indicates a staged or state-aware response mechanism on the C2 server. The image below illustrates the differences between the initial and subsequent data transfers: © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 9 The data received in the second stage consists of a standard HTML page containing a block of ASCII code. This payload is encapsulated between the markers /*ContactFormGroup and ContactFormGroup*/. The identified ASCII block is decoded to reconstruct an additional malware component. Following this stage, the malware communicates with the URL: hxxps[://]virtualdailyplanner[.]pro/planneractivate © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 10 Encrypted information is transferred via the AddCssStyle! parameter. Subsequently, the malware drops the following three files onto the compromised system: • Config[.]library-ms: Contains the configuration data transferred from the server via the /planneractivate endpoint. • WallpapperSet[.]jpg: Contains the raw ASCII code retrieved during the request to the /eventmanager endpoint. The final component is an additional executable, dropped after the ASCII data is converted back into a standard string. This file, named MeowMeowProgram[.]exe, serves as a persistent backdoor. Consistent with the “BadPaw” tradecraft, if this file is executed independently of the full attack chain, it initiates a dummy code sequence. This decoy execution displays a graphical user interface (GUI) featuring a picture of a cat, aligning with the visual theme of the initial image file from which the primary malware was extracted. © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 11 When the “MeowMeow” button within the decoy GUI is clicked, the application simply displays a “Meow Meow Meow” message, performing no further malicious actions. This serves as a secondary functional decoy to mislead manual analysis. Conversely, the malicious logic is only activated when the malware is executed with a specific parameter, -v, provided by the initial infection chain. The “MeowMeow” backdoor incorporates four distinct layers of protection, mirroring the tradecraft observed in the BadPaw malware: • The requirement of a unique runtime parameter to trigger malicious code. • The use of .NET Reactor to hinder static analysis. • Checks to ensure the malware is running on a target system rather than a sandbox. • Routine monitoring for forensic and monitoring tools running in the background. The following image, captured after partially stripping the .NET Reactor protection layers, illustrates the specific process checks used to identify analysis tools: The code reveals checks for well-known forensic and debugging utilities, including Wireshark, Procmon, Ollydbg, and Fiddler, among others. Additionally, the malware performs a check to determine if it is executing within a virtualized environment: © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 12 The malware features integrated shell capabilities, allowing the threat actor to remotely execute PowerShell commands on the compromised host. Additionally, the backdoor supports a variety of file system operations. These capabilities include verifying the existence of specific files, as well as the ability to delete, write, and read data from the local storage: © 2026 All rights reserved to ClearSky Security Ltd . www.clearskysec.com - info@clearskysec.com - 972-3-6240346 P a g e 13 During the analysis of the malware’s code, several revealing strings were identified: Notably, these strings are written in Russian rather than Ukrainian, which supports the assessment of a Russian-based threat actor. When translated, one of the strings reads: Time to reach working/operational condition: (\d+) seconds The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase.