The ClearSky team has identified a targeted Russian cyber campaign against Ukraine that uses two novel malware strains, BadPaw and MeowMeow.
The attack chain begins with a phishing email containing a link to a ZIP archive. Once the archive is extracted, an HTA file displays a Ukrainian-language lure document about border-crossing appeals while, in the background, it downloads BadPaw, a .NET-based loader. Once BadPaw establishes command-and-control (C2) communication, it deploys MeowMeow, a backdoor.
Both strains are obfuscated with the .NET Reactor packer to hinder analysis and reverse engineering, and both incorporate defensive mechanisms intended to keep the implant running and undetected.
The first is strict parameter validation: the malicious components remain dormant, running only "dummy" code behind a benign GUI, unless executed with specific, predefined command-line parameters. The second is environmental awareness in the MeowMeow backdoor: it scans for virtual machines and for common analysis tools such as Wireshark, ProcMon, and Fiddler, and terminates immediately if a sandbox or researcher environment is detected.
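The environment checks described above leave traces in the binary once it is unpacked: the tool names it compares against. The following is an added triage example, not code from the ClearSky report or from the malware, that scans an unpacked module for those names. It extracts both ASCII and UTF-16LE runs, because .NET stores user strings as UTF-16LE and a plain `strings` pass misses them. The three tool names come from the report; the VM vendor strings and the sample bytes are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Process names named in the report as the tools MeowMeow looks for.
ANALYSIS_TOOLS = ("wireshark", "procmon", "fiddler")
# The report says the backdoor also detects virtual machines but not how;
# these vendor strings are an assumed, typical VM-artifact list, not from the report.
VM_ARTIFACTS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "virtual machine")

# .NET stores user strings as UTF-16LE, so an ASCII-only pass misses most of them:
# scan for both encodings (runs of at least four printable characters).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list:
    """Return printable ASCII and UTF-16LE runs found in the blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """Flag strings that suggest the sample inspects its environment before running."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        low = s.lower()
        for needle in ANALYSIS_TOOLS:
            if needle in low:
                hits["analysis_tools"].add(needle)
        for needle in VM_ARTIFACTS:
            if needle in low:
                hits["vm_artifacts"].add(needle)
    return {
        "analysis_tools": sorted(hits["analysis_tools"]),
        "vm_artifacts": sorted(hits["vm_artifacts"]),
        "environment_aware": bool(hits["analysis_tools"] or hits["vm_artifacts"]),
    }


# Constructed stand-in for an unpacked module: a fake header, two UTF-16LE process
# names, one ASCII VM string and an unrelated decoy. Not bytes from the real sample.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "Wireshark.exe".encode("utf-16le") + b"\x00\x00"
    + "Fiddler".encode("utf-16le") + b"\x00\x00"
    + b"VMware SVGA II\x00notepad.exe\x00"
)
CLEAN_SAMPLE = b"MZ\x90\x00" + "notepad.exe".encode("utf-16le") + b"\x00\x00Hello World\x00"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(blob))
```

Run this against the module after .NET Reactor has been removed; on the packed file the user-string heap is encrypted and the scan will return nothing, which is itself the point of the packer. A hit list is only a lead for the reverse engineer, not proof of evasion, since legitimate software also names these tools.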
ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor and with low confidence to the specific group APT28 (Fancy Bear). This assessment is based on a three-pronged analysis:
Targeting & Victimology: The focus on Ukrainian entities, combined with the geopolitical nature of the lure, aligns with Russian strategic objectives.
Linguistic Artifacts: The presence of Russian-language strings within the code suggests a development environment native to the region.
Tactical Overlap: The multi-stage infection chain, the use of .NET-based loaders, and the specific obfuscation techniques mirror established tradecraft observed in previous Russian cyber operations.
Brand, website, and corporate mailout impersonation is an increasingly common technique among cybercriminals. The World Intellectual Property Organization (WIPO) reported a spike in such incidents in 2025. While tech companies and consumer brands are the most frequent targets, every industry in every country is at risk; the only thing that changes is how the imposters exploit the fakes. In practice, we typically see the following attack scenarios:
Luring clients and customers to a fake website to harvest login credentials for the real online store, or to steal payment details for direct theft.
Luring employees and business partners to a fake corporate login portal to acquire legitimate credentials for infiltrating the corporate network.
Prompting clients and customers to contact the scammers under various pretexts: getting tech support, processing a refund, entering a prize giveaway, or claiming compensation for public events involving the brand. The goal is to then swindle the victims out of as much money as possible.
Luring business partners and employees to specially crafted pages that mimic internal company systems, to get them to approve a payment or redirect a legitimate payment to the scammers.
Prompting clients, business partners, and employees to download malware — most often an infostealer — disguised as corporate software from a fake company website.
The words “luring” and “prompting” here imply a whole toolbox of tactics: email, messages in chat apps, social media posts that look like official ads, lookalike websites promoted through SEO tools, and even paid ads.
These schemes share two features. First, the attackers exploit the organization's brand and strive to mimic its official website, domain name, and the corporate style of its emails, ads, and social media posts. The forgery doesn't have to be flawless, just convincing enough for at least some business partners and customers. Second, while the organization and its online resources aren't targeted directly, the impact on them is still significant.
Business damage from brand impersonation
When fakes are crafted to target employees, an attack can lead to direct financial loss. An employee might be persuaded to transfer company funds, or their credentials could be used to steal confidential information or launch a ransomware attack.
Attacks on customers don’t typically imply direct damage to the company’s coffers, but they cause substantial indirect harm in the following areas:
Strain on customer support. Customers who “bought” a product on a fake site will likely bring their issues to the real customer support team. Convincing them that they never actually placed an order is tough, making each case a major time waster for multiple support agents.
Reputational damage. Defrauded customers often blame the brand for failing to protect them from the scam, and also expect compensation. According to a European survey, around half of affected buyers expect payouts and may stop using the company’s services — often sharing their negative experience on social media. This is especially damaging if the victims include public figures or anyone with a large following.
Unplanned response costs. Depending on the specifics and scale of an attack, an affected company might need digital forensics and incident response (DFIR) services, as well as consultants specializing in consumer law, intellectual property, cybersecurity, and crisis PR.
Increased insurance premiums. Companies that insure businesses against cyber-incidents factor in fallout from brand impersonation. An increased risk profile may be reflected in a higher premium for a business.
Degraded website performance and rising ad costs. If criminals run paid ads using a brand’s name, they siphon traffic away from its official site. Furthermore, if a company pays to advertise its site, the cost per click rises due to the increased competition. This is a particularly acute problem for IT companies selling online services, but it’s also relevant for retail brands.
Long-term metric decline. This includes drops in sales volume, market share, and market capitalization. These are all consequences of lost trust from customers and business partners following major incidents.
Does insurance cover the damage?
Popular cyber-risk insurance policies typically only cover costs directly tied to incidents explicitly defined in the policy — think data loss, business interruption, IT system compromise, and the like. Fake domains and web pages don’t directly damage a company’s IT systems, so they’re usually not covered by standard insurance. Reputational losses and the act of impersonation itself are separate insurance risks, requiring expanded coverage for this scenario specifically.
Of the indirect losses we’ve listed above, standard insurance might cover DFIR expenses and, in some cases, extra customer support costs (if the situation is recognized as an insured event). Voluntary customer reimbursements, lost sales, and reputational damage are almost certainly not covered.
What to do if your company is attacked by clones
If you find out someone is using your brand’s name for fraud, it makes sense to do the following:
Send clear, straightforward notifications to your customers explaining what happened, what measures are being taken, and how to verify the authenticity of official websites, emails, and other communications.
Create a simple “trust center” page listing your official domains, social media accounts, app store links, and support contacts. Make it easy to find and keep it updated.
Monitor new registrations of social media pages and domain names that contain your brand names to spot the clones before an attack kicks off.
Follow a takedown procedure. This involves gathering evidence, filing complaints with domain registrars, hosting providers, and social media administrators, then tracking the status until the fakes are fully removed. For a complete and accurate record of violations, preserve URLs, screenshots, metadata, and the date and time of discovery. Ideally, also examine the source code of fake pages, as it might contain clues pointing to other components of the criminal operation.
Add a simple customer reporting form for suspicious sites or messages to your official website and/or branded app. This helps you learn about problems early.
Coordinate activities between your legal, cybersecurity, and marketing teams. This ensures a consistent, unified, and effective response.
How to defend against brand impersonation attacks
While the open nature of the internet and the specifics of these attacks make preventing them outright impossible, a business can stay on top of new fakes and have the tools ready to fight back.
Continuously monitor for suspicious public activity using specialized monitoring services. The most obvious indicator is the registration of domains similar to your brand name, but there are others — like someone buying databases related to your organization on the dark web. Comprehensive monitoring of all platforms is best outsourced to a specialized service provider, such as Kaspersky Digital Footprint Intelligence (DFI).
The quickest and simplest way to take down a fake website or social media profile is to file a trademark infringement complaint. Make sure your portfolio of registered trademarks is robust enough to file complaints under UDRP procedures before you need it.
When you discover fakes, deploy UDRP procedures promptly to have the fake domains transferred or removed. For social media, follow the platform’s specific infringement procedure — easily found by searching for “[social media name] trademark infringement” (for example, “LinkedIn trademark infringement”). Transferring the domain to the legitimate owner is preferred over deletion, as it prevents scammers from simply re-registering it. Many continuous monitoring services, such as Kaspersky Digital Footprint Intelligence, also offer a rapid takedown service, filing complaints on the protected brand’s behalf.
Act quickly to block fake domains on your corporate systems. This won’t protect partners or customers, but it’ll throw a wrench into attacks targeting your own employees.
Consider proactively registering your company’s website name and common variations (for example, with and without hyphens) in all major top-level domains, such as .com, and local extensions. This helps protect partners and customers from common typos and simple copycat sites.
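Monitoring new registrations for lookalikes and deciding which variants to register defensively both come down to the same question: which spellings does a brand name typo into? The block below is an added example, not code from this page's author or from any monitoring product, that generates the usual typosquat permutations (omission, transposition, repetition, hyphen insertion or removal, a few homoglyphs, and affixes such as "login" or "support") and screens a feed of newly seen domains against them, falling back to an edit-distance check for variants the generator did not enumerate. The brand "acmepay", the homoglyph and affix lists, and the registration feed are all constructed for the example.

```python
from collections import OrderedDict

# A few homoglyph/keyboard substitutions imposters commonly use; an assumed short list.
HOMOGLYPHS = (("o", "0"), ("l", "1"), ("i", "1"), ("e", "3"), ("a", "4"),
              ("s", "5"), ("m", "rn"), ("rn", "m"))
# Affixes that make a fake look like an official sub-brand; assumed list.
AFFIXES = ("login", "support", "secure", "shop", "account", "help")


def variants(label: str) -> set:
    """Generate lookalike spellings of a registrable label (the part before the TLD)."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                   # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])    # repetition
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    if "-" in label:
        out.add(label.replace("-", ""))                      # de-hyphenation
    else:
        for i in range(1, len(label)):
            out.add(label[:i] + "-" + label[i:])             # hyphen insertion
    for src, dst in HOMOGLYPHS:
        if src in label:
            out.add(label.replace(src, dst, 1))              # homoglyph substitution
    for affix in AFFIXES:
        out.add(f"{label}-{affix}")
        out.add(f"{affix}-{label}")
    out.discard(label)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch spellings the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Naive split into (label, tld); does not handle multi-part suffixes such as co.uk."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def screen(domains, brand: str, official: set, max_distance: int = 2) -> dict:
    """Return {domain: reason} for every registration that looks like an imitation of `brand`."""
    brand = brand.lower()
    lookalikes = variants(brand)
    flagged = OrderedDict()
    for d in domains:
        d = d.lower()
        if d in official:
            continue
        label, _ = split_domain(d)
        if label == brand:
            flagged[d] = "brand name on a TLD you do not own"
        elif label in lookalikes:
            flagged[d] = "typosquat/homoglyph/affix variant"
        elif brand in label:
            flagged[d] = "contains the brand name"
        elif levenshtein(label, brand) <= max_distance:
            flagged[d] = f"within {max_distance} edits of the brand name"
    return flagged


# Constructed feed of "new registrations" for the fictional brand acmepay; not real data.
NEW_REGISTRATIONS = [
    "acmepay.com", "acme-pay.com", "acmepay-login.net", "acmepay.io",
    "acrnepay.com", "acmpay.com", "weather.org", "acmepayments.com",
]
OFFICIAL = {"acmepay.com"}

if __name__ == "__main__":
    for dom, why in screen(NEW_REGISTRATIONS, "acmepay", OFFICIAL).items():
        print(f"{dom:24s} {why}")
```

The same `variants()` output doubles as the shortlist for defensive registration: register the cheap, high-probability ones (hyphenation, single-character omissions, the brand on major TLDs) and monitor the rest. Anything `screen()` flags can also be pushed straight into the corporate DNS or proxy blocklist, which protects employees even though it does nothing for customers.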
In early April, ClearSky's team discovered a persistent Yemeni/Houthi influence campaign operating against Israel and the Gulf states. We first exposed the campaign in 2019, and it continues to operate in much the same way. Between 2019 and 2022 the campaign focused mainly on Gulf countries, particularly Saudi Arabia and the UAE; from late 2024 it returned its focus to Israel. We found no indication that the campaign targeted Israel between 2019 and 2022.
The campaign operators have invested for years in building and maintaining an infrastructure that includes fake websites, Facebook pages, and social media profiles. The ongoing maintenance of such a campaign indicates its importance and the resources allocated to sustain it. These resources include, among other things, dedicated personnel, funding, and a certain level of proficiency in Hebrew.
The campaign first exposed in 2019 involved the dissemination of false reports by several social media profiles. These reports focused on gossip-related topics (for example, the death of an Israeli actress and singer). They were published on pages of Israeli media outlets and in several marginal Israeli social media groups, mainly on Facebook. The 2019 campaign was based on methodologies used in Iranian influence campaigns that we had uncovered starting in 2018.
This report focuses on the campaign active in recent months, with an emphasis on the personas created to disseminate content, the websites established as part of the infrastructure, and the campaign’s messaging. The report also addresses differences between the 2019 campaign and the content published in the current one.
A new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities.
The vulnerability is triggered by seemingly innocuous interactions with a malicious Internet Shortcut (.url) file:
A single right-click on the file (all Windows versions).
Deleting the file (Windows 10/11).
Dragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).
The malicious URL files were disguised as academic certificates and were initially observed being distributed from a compromised official Ukrainian government website.
Exploitation Process:
The attack begins with a phishing email sent from a compromised Ukrainian government server, prompting the recipient to renew their academic certificate. The email carries a malicious URL file. When the user right-clicks, deletes, or moves the file, the vulnerability is triggered: the system connects to the attacker's server and further malicious files are downloaded, including the SparkRAT malware.
SparkRAT is an open-source remote access trojan that allows the attacker to gain control of the victim’s system. The attackers also employed techniques to maintain persistence on the infected system, ensuring their access even after a reboot.
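A .url file is a small INI-style text file, so mail-gateway or endpoint triage can parse it before anyone interacts with it. The block below is an added example, not code from the ClearSky report, that reads the [InternetShortcut] section and flags any location field (URL, IconFile, WorkingDirectory) that points at a remote share or a non-web scheme with a host. The inference that such a reference is what makes the shell contact the attacker's server on mere inspection of the file is the author's, drawn from the trigger list above; the two sample files and the 203.0.113.10 address are constructed for this example.

```python
import configparser
from urllib.parse import urlparse

# Schemes a benign Internet Shortcut normally uses; any other scheme with a host is suspicious.
WEB_SCHEMES = {"http", "https"}
# Fields of [InternetShortcut] that name a location the shell may resolve when it inspects the file.
LOCATION_KEYS = ("URL", "IconFile", "WorkingDirectory")


def parse_url_file(text: str) -> dict:
    """Parse the INI-style .url format and return the [InternetShortcut] fields, key case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep "URL"/"IconFile" as written instead of lower-casing
    cp.read_string(text.lstrip("\ufeff"))
    if "InternetShortcut" not in cp:
        raise ValueError("no [InternetShortcut] section: not an Internet Shortcut file")
    return dict(cp["InternetShortcut"])


def remote_references(fields: dict) -> list:
    """Return (field, value, reason) for each location that would make Windows contact a remote host."""
    findings = []
    for key in LOCATION_KEYS:
        value = fields.get(key, "").strip()
        if not value:
            continue
        if value.startswith("\\\\") or value.startswith("//"):
            findings.append((key, value, "UNC path to a remote share"))
            continue
        parsed = urlparse(value)
        if parsed.scheme.lower() not in WEB_SCHEMES and parsed.netloc:
            findings.append((key, value, f"{parsed.scheme}:// URL with a remote host"))
    return findings


def triage(text: str) -> list:
    return remote_references(parse_url_file(text))


# Constructed samples (not the files from the campaign). 203.0.113.10 is a documentation address.
MALICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10/certs/diploma.pdf
IconFile=\\203.0.113.10\certs\icon.ico
IconIndex=1
"""

BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://example.org/student-portal
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, triage(sample) or "no remote references")
```

Quarantining any inbound .url attachment that yields findings is cheap and catches this lure class regardless of the specific CVE; pair it with the November 2024 patch noted under Remediation and with blocking outbound SMB at the perimeter, which stops the callback even on an unpatched host.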
Attribution:
CERT-UA linked this campaign to the threat actor UAC-0194, suspected to be Russian. ClearSky also noted similarities with previous campaigns by other threat actors, suggesting the use of a common toolkit or technique.
Remediation:
Microsoft released a security patch for this vulnerability on November 12, 2024. Users are strongly advised to update their Windows systems to mitigate the risk posed by CVE-2024-43451.
ClearSky Cyber Security research identified a campaign named “Iranian Dream Job campaign”, in which the Iranian threat actor TA455 targeted the aerospace industry by offering fake jobs.
The campaign distributed the SnailResin malware, which activates the SlugResin backdoor. ClearSky attributes both malware programs to a subgroup of Charming Kitten.
However, some cyber research companies detected the malware files as belonging to the North Korean Kimsuky/Lazarus APT group.
The similar “Dream Job” lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran.
The Iranian “Dream Job” campaign has been active since at least September 2023. Mandiant had previously reported on suspected Iranian espionage activity targeting aerospace, aviation, and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE), as well as Turkey, India, and Albania.
The LinkedIn profiles of the fake recruiters in our report seem to be newer versions of the profiles Mandiant previously reported. For example, ClearSky discovered a profile associated with a fake company called “Careers 2 Find,” which previously worked for “1st Employer,” a fake recruiting website highlighted by Mandiant.
How the Campaign Works
TA455 uses fake recruiting websites and LinkedIn profiles to deliver a ZIP archive that mixes malicious files with legitimate ones. The archive is downloaded from a domain impersonating a job-recruiting website, and victims receive a detailed PDF guide on how to "safely" access it, which in practice keeps them from making "mistakes" that would prevent infection. Once the ZIP file is downloaded, the victim runs a highlighted EXE, which loads the malicious DLL "secur32[.]dll" via DLL side-loading. The malware checks the victim's IP address and then retrieves the C&C server domain from a GitHub account used as a dead-drop resolver.
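The side-loading step leaves a clean telemetry signature: a DLL that normally lives only in the Windows system directories is loaded from a user-writable folder next to the EXE that loaded it. The block below is an added detection example, not code from the ClearSky report, that runs that check over Sysmon Event ID 7 (ImageLoad) records. The DLL name comes from the report; the JSON log lines, paths and folder names are constructed for the example, and the IP check and GitHub dead drop from the text are out of its scope.

```python
import json
from pathlib import PureWindowsPath

# DLL names worth watching for side-loading. secur32.dll is the one named in the report;
# any other Windows system DLL found next to a user-writable EXE follows the same pattern.
WATCHED_DLLS = {"secur32.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def check_image_load(event: dict):
    """Return a finding if a Sysmon ImageLoad record shows a watched DLL loaded from outside the system directories."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in WATCHED_DLLS:
        return None
    dll_dir = str(loaded.parent).lower()
    if dll_dir in SYSTEM_DIRS:
        return None
    host = PureWindowsPath(event["Image"])
    finding = {
        "process": str(host),
        "dll": str(loaded),
        # DLL sitting in the loader's own directory is the classic side-loading layout
        "side_by_side": str(host.parent).lower() == dll_dir,
        # Sysmon reports Signed as the string "true"/"false"
        "unsigned": event.get("Signed", "true").lower() != "true",
    }
    finding["severity"] = "high" if finding["side_by_side"] and finding["unsigned"] else "medium"
    return finding


def hunt(events) -> list:
    return [f for f in map(check_image_load, events) if f]


def load_events(text: str) -> list:
    """Parse JSON-lines export of Sysmon events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed Sysmon-style ImageLoad records (JSON lines); not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Users\\alex\\Downloads\\job_offer\\Viewer.exe", "ImageLoaded": "C:\\Users\\alex\\Downloads\\job_offer\\secur32.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\secur32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Tool\\tool.exe", "ImageLoaded": "C:\\Program Files\\Tool\\helper.dll", "Signed": "true", "SignatureStatus": "Valid"}
"""

if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

The rule is deliberately narrow (exact DLL name, exact system paths) so it can run at SIEM ingest without tuning; extend WATCHED_DLLS with the system DLLs your fleet's own software never ships, and treat a high-severity hit followed by the same process resolving github.com as the full chain the report describes.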
ClearSky Cyber Security and SentinelLabs have discovered a new wave of the Russian information warfare campaign "Doppelgänger", which we call Doppelgänger NG. "Doppelgänger" (a spirit double, an exact but usually invisible replica) is a global information warfare campaign that publishes false information on hundreds of fake websites and social media channels. Our research revealed that "Doppelgänger NG" is again fully operational in 2024, using new infrastructure. Furthermore, we found a link between the "Doppelgänger NG" campaign and the Russian cyber espionage group APT28.
Key findings:
New infrastructure used by “Doppelgänger NG”.
We discovered a potential link between APT28 and the "Doppelgänger NG" campaign.
The “Doppelgänger NG” campaign has expanded its victims list, including new targets in the US, Germany, Israel, and France.
The "Doppelgänger NG" network contains more than 150 domains, including news feeds relevant to five countries (United States, Israel, France, Germany, Ukraine).
This blog post elaborates on the "Homeland Justice" group's background and provides an in-depth analysis of the tools used in the current attack, including reverse engineering of the NACL executable, dubbed the "No-Justice Wiper".
ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten).
The infected sites collect preliminary user information through a script. We discovered several details suggesting that this script is used for malicious purposes.
ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group with medium-high confidence. The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.
This indicates that the attacker controls at least two IP addresses in the same range. The downloaded file is a reverse shell that impersonates an Adobe update. It is dropped by a parent file signed with a fake Microsoft certificate, together with a lure PDF document and an executable that establishes persistence. Fake Microsoft certificates appear to be shared across several Iranian groups; Phosphorus was previously observed using them. Additionally, the lure PDF relates to drone attacks conducted in Iran, resembling a document previously employed by SiameseKitten.
As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes ransomware that we associate with the EvilNominatus family, first exposed at the end of 2021. The ransomware's developer appears to be a young Iranian who bragged about its development on Twitter.
At this point, we have no details regarding any victims of this ransomware. We publish this research due to the malware’s unique method of operation, and the low number of AV engines capable of detecting it.
The original BAT file the research is based on was only detected by two AV engines on VirusTotal. Another BAT file that was discovered later, which shares characteristics with the first one, wasn’t detected by any AV engines. Other files that were either generated by the BAT files or communicated with them to carry out attacks were detected by multiple AV engines. Therefore, we assess that the tool’s general level of risk is low at this point.
At the beginning of May 2021, we detected the first attack by Siamesekitten on an IT company in Israel. Siamesekitten (also known as Lyceum or Hexane) is an Iranian APT group active in the Middle East and Africa that launches supply-chain attacks. To this end, Siamesekitten built a large infrastructure that allowed it to impersonate the company and its HR personnel. We believe this infrastructure was built to lure IT experts and penetrate their computers in order to gain access to the company's clients.
This campaign resembles the North Korean "Job Seekers" campaign and relies on impersonation, an attack vector that has become widely used in recent years. Many groups run campaigns of this type, such as the North Korean Lazarus campaign we exposed in the summer of 2020 (Dream Job) and the Iranian OilRig (APT34) campaign that targeted Middle Eastern victims in the first quarter of 2021.
In July 2021, we detected a second wave of similar attacks against additional companies in Israel. In this wave, Siamesekitten upgraded its backdoor to a new version called "Shark", which replaced the older version, "Milan". Details of both versions are included in our report.
This report summarizes our findings regarding the latest Siamesekitten attacks and reviews the attack patterns and malware used in this campaign.