
APT28 Escalates Ukrainian Cyber Operations with BadPaw Loader and MeowMeow Backdoor

Security Arsenal Team
March 13, 2026

Introduction

The digital frontlines in Eastern Europe remain as volatile as ever, with state-sponsored actors continuously refining their arsenals. Cybersecurity researchers recently uncovered a fresh offensive campaign attributed to the Russian threat group APT28 (also known as Fancy Bear). The campaign marks a notable escalation in tradecraft: it deploys two previously undocumented malware families, dubbed BadPaw and MeowMeow, built to infiltrate Ukrainian critical infrastructure and government entities.

APT28 is a veteran of the cyber warfare arena, but new loaders and backdoors are a deliberate move to slip past defenses tuned to its older tooling. Understanding the mechanics of this attack chain matters to organizations well beyond Ukraine, because tactics proven against an initial geopolitical target are routinely reused elsewhere.

Attack Chain Analysis

This campaign demonstrates a high degree of social engineering and technical sophistication. The adversaries rely on the tried-and-true method of phishing but have tweaked the delivery mechanism to evade detection.

The Delivery Mechanism

The infection vector begins with a phishing email tailored to the recipient's context. Rather than attaching a malicious file directly, which secure email gateways routinely inspect and block, the email contains a link to a ZIP archive hosted on an external server. The archive is only fetched when the recipient clicks, so the gateway never sees the payload.

Once the victim downloads and extracts the archive, they are presented with an HTML Application (HTA) file. HTA files are a favorite among attackers because double-clicking one launches mshta.exe, a signed Windows binary that runs the embedded VBScript or JScript with the full privileges of the logged-on user and without the security-zone restrictions a browser would apply to the same script. When the user executes the HTA, it renders a decoy document written in Ukrainian regarding border crossing appeals. The lure holds the user's attention while the script portion runs silently in the background and establishes the initial foothold.
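The chain above leaves a distinctive trace in process-creation telemetry: mshta.exe loading an .hta from a user-writable directory, followed by mshta.exe spawning a script host. The hunting script below is an added example, not code from the Security Arsenal article or from the BadPaw/MeowMeow samples. It assumes Sysmon Event ID 1 style records exported as JSON lines with the field names Image, ParentImage, CommandLine and ProcessId; the sample events, paths, user name and rule names are constructed for illustration.

```python
"""
Hunt for HTA-based initial access in process-creation telemetry.

Added example (not code from the article or the malware it describes).
Assumes Sysmon Event ID 1 records already exported to JSON lines with the
field names used below; adjust the keys to your own pipeline.
All sample events are constructed.
"""
import json
import re
from dataclasses import dataclass

# Directories where a user typically extracts a downloaded ZIP. mshta.exe
# loading an .hta from one of these is rare in normal enterprise use.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)|Temp)\\",
    re.IGNORECASE,
)
# Interpreters an HTA dropper commonly launches to stage the next payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore install dir and case."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_hta(events: list[dict]) -> list[Finding]:
    """Return findings for (a) mshta.exe opening an .hta from a user-writable
    directory and (b) any script host whose parent process is mshta.exe."""
    findings = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        pid = int(ev.get("ProcessId", 0))
        if image == "mshta.exe" and ".hta" in cmd.lower() and USER_WRITABLE.search(cmd):
            findings.append(Finding("hta_from_user_dir", pid, image, cmd))
        if parent == "mshta.exe" and image in SCRIPT_HOSTS:
            findings.append(Finding("mshta_spawns_script_host", pid, image, cmd))
    return findings


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed Sysmon-style events (not real telemetry). The fourth event is a
# vendor installer running an HTA from Program Files and should not fire.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"C:\\Windows\\Explorer.EXE"}
{"EventID":1,"ProcessId":5308,"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\olena\\Downloads\\appeal\\Appeal_form.hta\""}
{"EventID":1,"ProcessId":5344,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\mshta.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"EventID":1,"ProcessId":6002,"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Program Files\\Vendor\\Installer.exe","CommandLine":"mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\""}
"""

if __name__ == "__main__":
    for f in hunt_hta(parse_log(SAMPLE_LOG)):
        print(f"[{f.rule}] pid={f.pid} {f.image}: {f.command_line}")
```

Run against the constructed log, the script flags the mshta.exe launch of Appeal_form.hta from the Downloads folder and the hidden, encoded PowerShell child it spawns, while the installer-driven HTA under Program Files is left alone. Tune USER_WRITABLE and SCRIPT_HOSTS to your environment; the parent/child pairing is the higher-fidelity signal of the two, since legitimate HTAs rarely need to spawn PowerShell.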

The Payload: BadPaw and MeowMeow

The malware ecosystem uncovered in this attack consists of two distinct components working in tandem:

  1. BadPaw Loader: This initial payload acts as the "dumper
