APT28 Escalates Cyber Warfare: Inside the BadPaw and MeowMeow Malware Campaign

The digital frontlines in Eastern Europe continue to shift as Russian state-sponsored actors refine their tradecraft. Recent intelligence highlights a disturbing escalation by APT28 (also known as Fancy Bear), a group historically aligned with Russia's GRU military intelligence agency. In a campaign specifically targeting Ukrainian entities, the group has deployed two previously undocumented malware families: BadPaw, a stealthy loader, and MeowMeow, a persistent backdoor.

At Security Arsenal, we are analyzing this campaign to help defenders understand the chain of custody—from the initial phishing lure to the final payload—and how to stop it before it establishes a foothold.

Campaign Analysis: The Attack Chain

This operation demonstrates APT28's continued reliance on social engineering, but with a twist on delivery mechanisms designed to bypass standard email filters. The attack follows a precise, multi-stage execution path:

1. The Lure: Weaponizing Humanitarian Concerns

The campaign initiates with a highly targeted phishing email. Rather than generic financial lures, the attackers exploit the geopolitical context by using a topic critical to Ukrainians: border crossing appeals. The email contains a link to a ZIP archive. Once the victim downloads and extracts the archive, they are presented with an HTML Application (HTA) file.

HTA files are a favored vector for advanced persistent threats because they combine the flexibility of HTML with the power of ActiveX, allowing them to execute code on the local system under the user's permissions.

2. Execution: The BadPaw Loader

When the user opens the HTA file, they are shown a decoy document written in Ukrainian regarding the border crossing appeal. This visual distraction serves a dual purpose: it convinces the user the file is legitimate, and it keeps them occupied while the malicious code executes in the background.

Behind the scenes, the HTA file triggers the BadPaw loader. As a loader, BadPaw's primary job is "footprinting" the victim's machine and establishing a connection to the attacker's command and control (C2) infrastructure. It is designed to be lightweight and evasive, often using obfuscation to slip past signature-based antivirus defenses.

3. Payload Delivery: The MeowMeow Backdoor

Once BadPaw has secured a connection and verified the environment, it retrieves and executes the second-stage payload: MeowMeow. This backdoor provides the attackers with remote access to the infected system. While details are still emerging regarding MeowMeow's full feature set, backdoors of this caliber typically include capabilities for:

• Remote Code Execution (RCE): Running arbitrary commands.
• Lateral Movement: Stealing credentials to move across the network.
• Data Exfiltration: Siphoning sensitive documents to attacker-controlled servers.

Detection and Threat Hunting

Defending against this campaign requires visibility into the initial execution vectors—specifically, the unusual use of HTA files and the processes they spawn. Below are actionable queries and scripts for your security operations team.

KQL Queries for Microsoft Sentinel / Defender

Use the following KQL query to hunt for suspicious mshta.exe execution, which is the native Windows binary used to run HTA files. We look for instances where HTA files are launched from user directories or download folders, which is atypical for legitimate business applications.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "mshta.exe"
| where ProcessCommandLine has ".hta" 
| extend FilePath = extract(@'([^\]+\.hta)', 1, ProcessCommandLine)
| where InitiatingProcessFileName !in ("explorer.exe", "cmd.exe") // Reduce noise by excluding common parent processes if necessary, though attackers may spoof these
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

Additionally, you should monitor for the creation of the specific file types mentioned in the attack chain within user writeable directories.

DeviceFileEvents
| where Timestamp > ago(3d)
| where FileName endswith ".hta" or FileName endswith ".zip"
| where FolderPath contains "Downloads" or FolderPath contains "Desktop" or FolderPath contains "Documents"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| order by Timestamp desc

PowerShell Hunting Script

Security analysts can use this PowerShell script to scan endpoints for recently created or modified HTA files, which are rare in most corporate environments.

# Scan for HTA files modified in the last 7 days in user profiles
$DateCutoff = (Get-Date).AddDays(-7)
$UserProfiles = Get-ChildItem "C:\Users" -Directory -Exclude "Public", "Default*", "*.NET*"

foreach ($Profile in $UserProfiles) {
    $Path = $Profile.FullName
    Write-Host "Scanning $Path for HTA files..." -ForegroundColor Cyan
    
    Get-ChildItem -Path $Path -Recurse -Include *.hta -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt $DateCutoff } | 
    Select-Object FullName, LastWriteTime, Length, @{Name='SHA256';Expression={(Get-FileHash $_.FullName -Algorithm SHA256).Hash}}
}

Mitigation Strategies

To harden your organization against APT28's evolving tactics, implement the following controls immediately:

1. Restrict HTA Execution: Application Whitelisting (AppLocker) should be configured to block the execution of .hta files for standard users. In most business contexts, there is no legitimate need for HTA files.

2. Email Filtering: Update your Secure Email Gateway (SEG) rules to block or sandbox .zip archives that contain .hta files or Javascript components.

3. Mark of the Web (MotW): Ensure your Microsoft Office and Windows security policies are configured to strictly enforce "Mark of the Web" protections. This prevents macros and scripts from running in files downloaded from the internet.

4. User Education: Remind your users specifically about the risks of ZIP files in emails related to current events or humanitarian crises. Encourage them to verify the sender through a secondary channel before opening attachments.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub