A ClearSky report details a new loader and backdoor pair, and Scythe shows how to operationalise it as continuous adversary emulation.
APT28, Ukraine, phishing, steganography, .NET malware, adversary emulation, Windows
Affected vendor / product: Microsoft Windows endpoints
Primary issue: Spearphishing-delivered, parameter-gated .NET loader (BadPaw) deploying a backdoor (MeowMeow)
Exploitation status: Observed in the wild (phishing campaign) (ClearSky Cyber Security)
Confidence level: Russia state-aligned actor (High); APT28 attribution (Low) (ClearSky Cyber Security)
Sectors at risk: Government, energy (Ukraine-centric targeting reported) (Scythe)
Regions at risk: Ukraine (primary), adjacent regional organisations with Ukraine-facing operations (Possible)
Executive Summary
ClearSky has documented an active phishing campaign targeting Ukrainian entities and delivering two previously undocumented malware strains: BadPaw (a .NET loader) and MeowMeow (a backdoor). (ClearSky Cyber Security) The chain blends social engineering with multiple layers of defensive tradecraft, including strict runtime parameter checks, sandbox evasion via system “age” checks, and steganographic payload extraction from a PNG. (ClearSky Cyber Security)
Attribution is deliberately cautious: ClearSky assesses high confidence that the campaign is Russia state-aligned, but only low confidence that it is specifically APT28. (ClearSky Cyber Security) Open-source reporting has described the activity as “APT28-linked”, but this is not uniformly supported at high confidence by the primary report. (The Hacker News)
Separately, Scythe has published a practitioner-focused walkthrough showing how to translate ClearSky’s reporting into repeatable adversary emulation for ongoing control validation, rather than a one-off lab exercise. (Scythe)
Context
ClearSky states the initial artefact was identified following an upload from Ukraine to a public database, and notes the use of ukr[.]net addresses as a credibility play against Ukrainian recipients. (ClearSky Cyber Security) The lure theme centres on Ukrainian border crossing appeals and related “official” documentation, supported by decoy content opened during execution. (ClearSky Cyber Security)
ClearSky’s attribution rationale combines victimology (Ukraine-focused), Russian-language artefacts in code, and tradecraft overlap with previous Russian operations. However, it explicitly labels APT28 attribution as low confidence. (ClearSky Cyber Security)
Technical Analysis
Infection chain
1) Phishing with click-tracking and download redirection
The phishing email includes a link that triggers two actions: a redirect to a tracking pixel hosted on infotrackerstatistic[.]live (to signal link clicks), and a redirect via a cutt[.]ly short URL to deliver the ZIP archive. (ClearSky Cyber Security)
2) HTA masquerading as HTML plus sandbox evasion
The retrieved ZIP contains a file presented with an .html extension, but analysis shows it is an HTA (HTML Application). (ClearSky Cyber Security) During execution it drops and opens a decoy document, then performs an environment check by reading HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate and terminating if the OS appears freshly installed (under ten days). (ClearSky Cyber Security)
3) Secondary stage extraction, persistence, and steganography
After locating the original ZIP (named “Звернення_156”), the malware extracts a VBS and a PNG (ClearSky shows the PNG as CAT.png and the script as LibHelperDemo.vbs), then saves them under different names and locations. ClearSky’s screenshots show mshta.exe writing the renamed artefacts into an UpdateHelpers directory under the user profile, and a scheduled task being created to execute the VBS for persistence.
The VBS parses the PNG and extracts a PE payload hidden after a <STEGO_START> marker, consistent with steganographic staging. (ClearSky Cyber Security) ClearSky names the extracted loader “BadPaw”. (ClearSky Cyber Security)
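The carve step described above can be reproduced, and turned into a hunt for similar carriers, with a short PNG parser. The following is an added example written for this page, not code from ClearSky, Scythe or the actor; it assumes the payload is stored as raw bytes immediately after the `<STEGO_START>` marker (the page reports the marker but not the encoding), and it builds its own constructed carrier rather than using CAT.png. Data appended after the PNG `IEND` chunk is flagged even when no marker is present, since a viewer never renders those bytes and a legitimate image rarely carries them.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STEGO_MARKER = b"<STEGO_START>"   # marker reported by ClearSky for the PNG carrier


def png_iend_end(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Anything after that offset is not part of the image a viewer renders."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4          # length/type header, payload, CRC
        if ctype == b"IEND":
            return off
    raise ValueError("truncated PNG: no IEND chunk")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyse_png(data: bytes) -> dict:
    """Report trailing data after IEND, the stego marker (if any) and whether the
    carried bytes look like a PE file. Assumes raw bytes follow the marker."""
    end = png_iend_end(data)
    trailer = data[end:]
    result = {"trailer_bytes": len(trailer), "marker_offset": None,
              "payload_is_pe": False, "payload": b""}
    idx = data.find(STEGO_MARKER)
    if idx != -1:
        result["marker_offset"] = idx
        result["payload"] = data[idx + len(STEGO_MARKER):]
    elif trailer:
        # No marker, but data appended after IEND is still worth a look.
        result["payload"] = trailer
    result["payload_is_pe"] = looks_like_pe(result["payload"])
    return result


def scan_directory(root: str) -> list:
    """Hunting helper: (path, result) for every PNG under root that carries the
    marker or a PE-looking trailer. Non-PNG or truncated files are skipped."""
    hits = []
    for p in Path(root).rglob("*.png"):
        try:
            r = analyse_png(p.read_bytes())
        except ValueError:
            continue
        if r["marker_offset"] is not None or r["payload_is_pe"]:
            hits.append((str(p), r))
    return hits


# --- constructed sample carrier (not the real CAT.png) -----------------------
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_clean_png() -> bytes:
    """A valid 1x1 RGB PNG with nothing after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_stego_png() -> bytes:
    """Clean PNG + marker + a minimal MZ/PE stub standing in for the loader."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return build_clean_png() + STEGO_MARKER + bytes(stub)


if __name__ == "__main__":
    for name, sample in (("clean", build_clean_png()), ("stego", build_stego_png())):
        r = analyse_png(sample)
        print(name, r["trailer_bytes"], r["marker_offset"], r["payload_is_pe"])
```

Point `scan_directory` at a user profile (`Pictures`, `AppData\Local`) to look for renamed carriers such as the HelperLogo.png shown in ClearSky's screenshots; the marker check is specific to this campaign, the trailer check generalises to other PNG-appended stagers.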
BadPaw loader behaviour
BadPaw is a .NET loader obfuscated with .NET Reactor. (ClearSky Cyber Security) ClearSky reports that if executed outside the intended chain it presents a benign decoy GUI (“Regex Finder”), with malicious logic only triggered when launched with the -renew parameter. (ClearSky Cyber Security)
When properly triggered, BadPaw communicates with virtualdailyplanner[.]pro and uses multiple endpoints (including /getcalendar, /eventmanager, and /planneractivate) in a staged fashion to retrieve additional content. (ClearSky Cyber Security)
MeowMeow backdoor behaviour
ClearSky describes MeowMeow as a persistent backdoor dropped later in the chain (shown as MeowMeowProgram.exe). (ClearSky Cyber Security) As with BadPaw, it includes a decoy mode when executed standalone (a cat-themed GUI), and requires a specific runtime parameter (-v) to activate malicious functionality. (ClearSky Cyber Security)
ClearSky reports multiple defensive layers: .NET Reactor obfuscation, checks for sandbox and virtualised environments, and continuous monitoring for analysis tools such as Wireshark, Procmon, Ollydbg, and Fiddler, terminating if found. (ClearSky Cyber Security) Reported core capabilities include remote PowerShell execution and file system operations (read, write, delete). (The Hacker News)
Threat actor assessment
Confirmed: ClearSky assesses the campaign as Russia state-aligned with high confidence. (ClearSky Cyber Security)
Likely: Some open-source reporting describes the activity as APT28-linked, citing the use of ukr[.]net addresses and tradecraft overlap. (The Hacker News)
Confidence note: ClearSky’s own APT28 attribution is low confidence, and victim identities and operational outcomes are not publicly detailed. (ClearSky Cyber Security)
For background on APT28’s widely reported profile and aliases, refer to MITRE’s APT28 entry. (MITRE ATT&CK)
MITRE ATT&CK mapping
| Tactic | Technique ID | Technique name | Observed behaviour |
|---|---|---|---|
| Initial Access | T1566.002 (MITRE ATT&CK) | Spearphishing Link | Email-delivered link redirects to tracking pixel and download chain |
| Execution / Defence Evasion | T1218.005 (MITRE ATT&CK) | Mshta | HTA execution and staging shown involving mshta.exe |
| Defence Evasion | T1497.001 (MITRE ATT&CK) | System Checks | Reads OS install date to evade sandboxes |
| Defence Evasion | T1027.003 (MITRE ATT&CK) | Steganography | Extracts PE payload hidden in PNG after <STEGO_START> |
| Defence Evasion | T1027.002 (MITRE ATT&CK) | Software Packing | BadPaw and MeowMeow obfuscated with .NET Reactor (ClearSky Cyber Security) |
| Persistence | T1053.005 (MITRE ATT&CK) | Scheduled Task | Scheduled task created to run VBS stage (ClearSky Cyber Security) |
| Command and Control | T1071.001 (MITRE ATT&CK) | Web Protocols | Staged web requests to virtualdailyplanner[.]pro endpoints (/getcalendar, /eventmanager, /planneractivate) |
| Execution | T1059.001 (MITRE ATT&CK) | PowerShell | Backdoor supports remote PowerShell command execution (ClearSky Cyber Security) |
Indicators of Compromise
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| Email sender | lviv_zagin_dpsu[@]ukr[.]net | Reported sender address used in the lure | ClearSky report (March 2026) | Confirmed |
| URL (tracking) | https[://]infotrackerstatistic[.]live/open?token=… | Tracking pixel to confirm link clicks | ClearSky report (ClearSky Cyber Security) | Confirmed |
| URL shortener | https[://]cutt[.]ly/0tnHM0nh | Redirect to final ZIP download | ClearSky report (ClearSky Cyber Security) | Confirmed |
| Domain (C2) | virtualdailyplanner[.]pro | BadPaw C2 domain | ClearSky report (ClearSky Cyber Security) | Confirmed |
| URL paths | /getcalendar; /eventmanager; /planneractivate | Staged retrieval and activation flow | ClearSky report (ClearSky Cyber Security) | Confirmed |
| File hash (likely initial email artefact) | SHA-256: 160e40a763dfb518dc6929c2d7838d3f9eafab09eab1e8d0b00c69f6b73d681b | Listed in report footnote associated with the identified email file | ClearSky report (ClearSky Cyber Security) | Confirmed (context limited) |
| File hash (BadPaw) | SHA-256: 6cad470e10c09151b5d337a082a088cfe25d697ef295e02759e1e68e8b3bbbcb | BadPaw payload extracted from PNG | ClearSky report | Confirmed |
| File path | C:\Users\admin\AppData\Local\UpdateHelpers\UpdateHelper.vbs | Renamed VBS stage written by mshta.exe | ClearSky report (screenshot) | Confirmed |
| File path | C:\Users\admin\AppData\Local\UpdateHelpers\HelperLogo.png | Renamed PNG carrier written by mshta.exe | ClearSky report (screenshot) | Confirmed |
| Dropped file | C:\Users\Public\Libraries\config.library-ms | Contains configuration data retrieved from C2 | ClearSky report (screenshot) | Confirmed |
| Dropped file | C:\Users\admin\Pictures\WallpapperSet.jpg | Contains ASCII code retrieved from /eventmanager | ClearSky report (screenshot) | Confirmed |
| Dropped file | C:\Users\admin\AppData\Local\MeowCheck\MeowMeowProgram.exe | MeowMeow backdoor | ClearSky report (screenshot) | Confirmed |
Incident Response Guidance
Triage and scoping
- Hunt for `mshta.exe` executions that originate from user download locations and immediately create VBS/PNG artefacts under `AppData\Local\UpdateHelpers`.
- Identify scheduled task creation events that invoke VBS execution paths consistent with `UpdateHelper.vbs`. (ClearSky Cyber Security)
- Proxy and DNS telemetry: investigate endpoints contacting `virtualdailyplanner[.]pro`, particularly the `/getcalendar`, `/eventmanager`, and `/planneractivate` paths.
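The three triage checks above correlate naturally per host: one indicator alone is noisy, but mshta.exe launched from a download folder, mshta.exe writing into `UpdateHelpers`, a scheduled task pointing at the VBS, and a hit on the C2 paths together describe the reported chain. The following is an added example for this page, not Scythe's emulation or ClearSky's tooling. It runs over constructed Sysmon-style JSON lines (event id 1 = process create, id 11 = file create) plus constructed proxy records; the host names, timestamps, the HTA file name inside the ZIP and the exact `schtasks` syntax are assumptions, since the page reports only that a task was created.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

C2_DOMAIN = "virtualdailyplanner.pro"                      # reported by ClearSky
C2_PATHS = {"/getcalendar", "/eventmanager", "/planneractivate"}
STAGING_DIR = re.compile(r"\\AppData\\Local\\UpdateHelpers\\", re.IGNORECASE)
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\",
                      re.IGNORECASE)
TASK_VBS = re.compile(r"UpdateHelper\.vbs", re.IGNORECASE)

# Constructed telemetry, not real logs. WS01 shows the full chain, WS02 is a
# benign mshta.exe use from a vendor directory and an unrelated proxy record.
SAMPLE_LOG = r"""
{"host":"WS01","ts":"2026-03-10T09:14:02Z","id":1,"image":"C:\\Windows\\System32\\mshta.exe","cmdline":"\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\admin\\Downloads\\Звернення_156\\document.html\""}
{"host":"WS01","ts":"2026-03-10T09:14:03Z","id":11,"image":"C:\\Windows\\System32\\mshta.exe","target":"C:\\Users\\admin\\AppData\\Local\\UpdateHelpers\\UpdateHelper.vbs"}
{"host":"WS01","ts":"2026-03-10T09:14:03Z","id":11,"image":"C:\\Windows\\System32\\mshta.exe","target":"C:\\Users\\admin\\AppData\\Local\\UpdateHelpers\\HelperLogo.png"}
{"host":"WS01","ts":"2026-03-10T09:14:04Z","id":1,"image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn UpdateHelper /tr \"wscript.exe C:\\Users\\admin\\AppData\\Local\\UpdateHelpers\\UpdateHelper.vbs\" /sc minute /mo 10"}
{"host":"WS01","ts":"2026-03-10T09:15:30Z","id":"proxy","url":"https://virtualdailyplanner.pro/getcalendar"}
{"host":"WS02","ts":"2026-03-10T10:02:11Z","id":1,"image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe \"C:\\Program Files\\Vendor\\help.hta\""}
{"host":"WS02","ts":"2026-03-10T10:02:12Z","id":"proxy","url":"https://example.com/"}
"""


def classify(ev: dict) -> set:
    """Map one event to the stage(s) of the reported chain it evidences."""
    flags = set()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if ev.get("id") == 1 and image.endswith("\\mshta.exe") and USER_DIR.search(cmd):
        flags.add("mshta_from_user_dir")            # HTA-as-HTML opened from Downloads
    if (ev.get("id") == 1 and image.endswith("\\schtasks.exe")
            and "/create" in cmd.lower() and TASK_VBS.search(cmd)):
        flags.add("scheduled_task_vbs")             # persistence for the VBS stage
    if ev.get("id") == 11 and image.endswith("\\mshta.exe") \
            and STAGING_DIR.search(ev.get("target", "")):
        flags.add("staging_write_by_mshta")         # renamed VBS/PNG dropped by mshta
    if ev.get("id") == "proxy":
        u = urlparse(ev.get("url", ""))
        if u.hostname == C2_DOMAIN and u.path.lower() in C2_PATHS:
            flags.add("c2_contact")                 # BadPaw staged retrieval
    return flags


def hunt(log_text: str) -> dict:
    """Parse JSON lines and return {host: sorted stage flags} for hosts with any hit."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(f) for h, f in per_host.items() if f}


def isolation_candidates(hits: dict) -> list:
    """Hosts showing both the UpdateHelpers artefacts and C2 contact, i.e. the
    chain progressed past the HTA stage; these are the containment priority."""
    return sorted(h for h, f in hits.items()
                  if "staging_write_by_mshta" in f and "c2_contact" in f)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for host, flags in hits.items():
        print(host, ", ".join(flags))
    print("isolate:", isolation_candidates(hits))
```

Swap `SAMPLE_LOG` for an export from your SIEM in the same field names (or adapt `classify` to its schema); the stage flags map onto the ATT&CK rows above, so a host reporting all four has reproduced the full chain rather than a single suspicious event.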
Containment
- Block the identified infrastructure at DNS and web proxy layers (defanged indicators above).
- Isolate hosts showing the UpdateHelpers artefacts plus C2 traffic patterns, as this suggests successful stage progression.
Forensic artefacts to collect
- Copies of `config.library-ms`, `WallpapperSet.jpg`, and `MeowMeowProgram.exe` from affected hosts, plus scheduled task definitions referencing the VBS stage.
- Full process trees around `mshta.exe`, script hosts, and any subsequent executable launches that include suspicious command-line parameters (`-renew`, `-v`). (ClearSky Cyber Security)
Mitigation Recommendations
- Reduce HTA abuse: restrict or monitor HTA execution and `mshta.exe` usage in user contexts; prioritise alerting when HTA execution is followed by script drop and scheduled task creation. (MITRE ATT&CK)
- Control script execution: harden Windows Script Host exposure and monitor VBS execution from user-writable directories.
- Detect steganographic staging: alert on scripts that read image files and write PE-like output, especially where image parsing markers are present. (MITRE ATT&CK)
- Short-link hygiene: consider policy or technical controls that flag link shorteners and unusual redirect chains in inbound email.
- Continuous validation: where feasible, convert the reported chain into adversary emulation and run it routinely to measure whether controls still detect and stop key behaviours after environment changes, as demonstrated by Scythe. (Scythe)
Further Reading
- ClearSky: full report PDF on BadPaw and MeowMeow (ClearSky Cyber Security)
- ClearSky: campaign summary post (ClearSky Cyber Security)
- Scythe: “APT28 BadPaw/MeowMeow” adversary emulation walkthrough (Scythe)
- MITRE ATT&CK: APT28 group profile (MITRE ATT&CK)