MeowMeow
MeowMeow is a previously undocumented backdoor reported by ClearSky as part of a Russia-linked phishing campaign targeting Ukrainian organizations and entities. In the observed intrusion chain, victims received phishing emails, some sent from ukr[.]net-hosted addresses, that linked to a ZIP archive containing a Ukrainian-language lure about border-crossing permits or appeals. Opening the archive's contents started an HTA-based infection chain that ultimately delivered the .NET-based BadPaw loader; BadPaw established command-and-control communications and then deployed MeowMeow.
MeowMeow is described as a sophisticated cyberespionage backdoor. Reported capabilities include access to infected systems, remote execution of PowerShell commands, file enumeration, checking whether specific files exist, and reading, writing, and deleting local files or data. The malware includes anti-analysis and environment-awareness checks: it looks for virtual machines and for common analysis or monitoring tools (Wireshark, Process Monitor (Procmon), Fiddler and, in some reporting, OllyDbg) and terminates if it detects a sandbox or researcher environment. Its malicious functionality is also parameter-gated within the infection chain: the backdoor activates only when executed with a specific command-line parameter, which the reporting does not name. For analysts this means a detonation without that parameter, or with any of the named tools running under their default process names, should be expected to show little or no malicious behaviour.
ClearSky reported that both BadPaw and MeowMeow were obfuscated with the .NET Reactor packer/obfuscator to hinder static analysis and reverse engineering, and that the broader campaign relied on stealth features such as sandbox evasion and staged delivery. The activity was attributed with high confidence to a Russia-linked, state-aligned cyberespionage actor, and with lower (moderate) confidence specifically to APT28 (also tracked as Fancy Bear, Forest Blizzard and Blue Delta), based on the Ukrainian targeting, geopolitical lures, Russian-language code artifacts, and tradecraft overlap with prior Russian operations. The reporting did not name specific victim organizations or confirm that any attack succeeded.
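As an added example (not code from ClearSky, Mallory, or the campaign), the following Python hunts in Sysmon-style process-creation telemetry for the two stages of the chain above that leave host evidence: an HTA opened out of a phishing ZIP (mshta.exe reading an .hta from a user staging directory) and PowerShell launched by a parent outside the trusted system directories, consistent with a loader or backdoor issuing PowerShell commands. The field names follow Sysmon Event ID 1, the sample records and paths are constructed, and both heuristics are the editor's, not indicators from the reporting; because the page does not name the gating parameter, nothing here keys on the loader's command line.

```python
"""Hunt for the HTA-to-PowerShell delivery chain in process-creation telemetry.

Added example for this page; not code from ClearSky, Mallory, or the
malware. It assumes Sysmon Event ID 1 (process create) records exported
as one JSON object per line with the fields Image, CommandLine and
ParentImage. Both heuristics are the editor's, not reported indicators:
  1. mshta.exe executing an .hta from a user staging directory
     (%LOCALAPPDATA%\\Temp, where Explorer extracts ZIP contents to
     Temp1_<archive>.zip\\, or Downloads).
  2. powershell.exe whose parent lives outside Windows or Program Files.
"""
import json
import re

# Constructed sample records. File and directory names are made up; none of
# them are indicators from the reporting.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\Temp1_appeal.zip\\appeal.hta\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": "C:\\Users\\user\\AppData\\Roaming\\Updater\\updater.exe"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\help.hta\"", "ParentImage": "C:\\Program Files\\Vendor\\vendor.exe"}
"""

# User-writable staging locations an HTA from a mailed ZIP is opened from.
STAGING_DIR = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Downloads)\\", re.I
)
# Parent directories treated as trusted for spawning PowerShell.
TRUSTED_PARENT = re.compile(
    r"^[A-Z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list[str]:
    """Return the names of the heuristics a single record triggers."""
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    findings = []
    # Heuristic 1: mshta.exe given an .hta sitting in a user staging directory.
    if image == "mshta.exe" and ".hta" in cmdline.lower() and STAGING_DIR.search(cmdline):
        findings.append("hta_from_user_staging")
    # Heuristic 2: PowerShell whose parent is not a system or installed binary.
    if image == "powershell.exe" and parent and not TRUSTED_PARENT.match(parent):
        findings.append("powershell_from_untrusted_parent")
    return findings


def hunt(lines) -> list[tuple[str, str, str]]:
    """Scan JSON-lines telemetry; return (heuristic, image, parent) tuples."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for name in check_event(event):
            hits.append((name, event.get("Image", ""), event.get("ParentImage", "")))
    return hits


if __name__ == "__main__":
    for name, image, parent in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{name}: {image} (parent {parent})")
```

Run against the constructed records, the first and second events are flagged and the scheduled-task PowerShell and the vendor HTA under Program Files are not. Tune TRUSTED_PARENT to your estate (software installed under other paths will otherwise raise the second heuristic), and remember the caveat above: if the loader is detonated without its gating parameter, the PowerShell stage never appears.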
Groups observed using it
1 distinct threat actor attributed by public researchers.
BadPaw then facilitates the subsequent installation of the advanced MeowMeow backdoor, which has file enumeration and data reading, writing, and deletion capabilities.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic. The per-tactic counts below sum to 18 because a technique can be mapped to more than one tactic.
Initial Access: 2 techniques
Execution: 6 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth (ATT&CK has no Stealth tactic; this corresponds to Defense Evasion): 3 techniques
Discovery: 3 techniques
Command and Control: 2 techniques
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A newly reported malware family used in a phishing campaign targeting Ukrainian organizations.
One of a newly reported malware pair used in a Russian campaign targeting Ukraine.
Russian APT targets Ukraine with BadPaw and MeowMeow malware
A backdoor deployed by the BadPaw loader after C2 is established.