Overview
- Phishing emails sent from ukr[.]net lure Ukrainian targets to a ZIP download via a tracking pixel that confirms link clicks before redirecting to the payload.
- The archive's HTA, disguised as an HTML file, displays a Ukrainian border-crossing decoy while querying the Windows InstallDate registry value to halt on systems less than ten days old.
- On passing checks, the malware extracts a VBScript and PNG, sets a scheduled task for persistence, and uses steganography in the image to load the BadPaw .NET component.
- BadPaw contacts command-and-control infrastructure to retrieve the MeowMeow backdoor, which activates only with a specific "-v" parameter and evades common forensic tools.
- MeowMeow enables remote shell, PowerShell execution, and file operations; ClearSky notes Russian-language strings in the code and assesses APT28 involvement with moderate confidence, with only single-digit antivirus detections at the time of analysis.
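As an added illustration (not part of ClearSky's report or its indicators), the Python below shows how a defender could flag three observable steps of this chain in process-creation telemetry: mshta.exe launching an .html-named file from a user download or temp directory, a scheduled task created by a script host, and a script host reading InstallDate. The event records and paths are constructed for the example; the plain "-v" launch is included to show that the backdoor's activation flag alone is not a usable signal.

```python
import re

# Script hosts that the chain uses to stage the VBScript and query the registry
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
# User-writable locations where a downloaded archive is typically unpacked
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
# An .html/.htm/.hta filename at the end of the argument (HTA disguised as HTML)
HTML_LIKE = re.compile(r'\.(html?|hta)"?(\s|$)', re.I)
# Read of the install-date value used as an age-of-system check
INSTALLDATE = re.compile(r"CurrentVersion.*\bInstallDate\b", re.I)

# Constructed Sysmon-style process-creation records, not real telemetry
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\Downloads\border_pass.html"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 10 /tn Updater /tr "wscript.exe C:\Users\u\AppData\Roaming\u.vbs"',
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate',
     "parent": r"C:\Windows\System32\mshta.exe"},
    # Benign: a "-v" argument by itself is far too common to alert on
    {"image": r"C:\Program Files\App\app.exe", "cmd": "app.exe -v",
     "parent": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_index) pairs for events matching the chain's steps."""
    hits = []
    for i, ev in enumerate(events):
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
        # Step 1: HTA with an HTML-looking name run by mshta from a download/temp path
        if img == "mshta.exe" and USER_DIR.search(cmd) and HTML_LIKE.search(cmd):
            hits.append(("mshta_user_dir_html", i))
        # Step 2: persistence via a scheduled task created by a script host
        if img == "schtasks.exe" and "/create" in cmd.lower() and parent in SCRIPT_HOSTS:
            hits.append(("schtasks_from_script_host", i))
        # Step 3: install-date probe issued from a script host (anti-analysis check)
        if parent in SCRIPT_HOSTS and INSTALLDATE.search(cmd):
            hits.append(("installdate_probe_from_script_host", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]['cmd']}")
```

Each rule is narrow on its own; correlating two or more of them from the same process tree within a short window is what makes the chain stand out in practice.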