New Russian Malware 'BadPaw' & 'MeowMeow' Target Ukraine; 'Starkiller' Phishing Tool Bypasses MFA

Russian-Led Campaign Deploys New Malware in Ukraine; Separate 'Starkiller' Phishing Tool Emerges to Bypass MFA

Severity: HIGH
March 7, 2026
Categories: Malware, Threat Actor, Phishing

Related Entities

  • Products & Tech: Starkiller
  • Other: BadPaw, MeowMeow

Executive Summary

On March 6, 2026, the cybersecurity community observed the emergence of two separate, yet significant, threats. The first is a targeted campaign, believed to be Russian-led, against organizations in Ukraine. This campaign utilizes two new malware families, dubbed BadPaw and MeowMeow, delivered via a phishing email with a decoy document. The malware's goal is to establish a persistent backdoor for remote control. The second threat is the appearance of Starkiller, a sophisticated new phishing tool designed to systematically bypass multi-factor authentication (MFA). Starkiller employs advanced adversary-in-the-middle (AiTM) techniques to steal session tokens, allowing attackers to hijack authenticated sessions and gain full access to protected accounts. While the two threats are not directly linked, they represent the continuous evolution of both nation-state attack tools and the broader cybercrime-as-a-service market.


Threat 1: BadPaw and MeowMeow Campaign

Threat Overview

  • Threat Actor: Unspecified Russian-led group.
  • Target: Ukrainian organizations.
  • Malware: BadPaw, MeowMeow.
  • Vector: Phishing email with a ZIP archive containing a malicious lure.

This campaign is a classic example of targeted espionage. The use of a decoy document relevant to the target (a Ukrainian border crossing document) increases the likelihood of success. The malware itself employs anti-analysis techniques to evade detection in automated sandbox environments, indicating a degree of sophistication.

Technical Analysis

  1. Initial Access (T1566.001 - Spearphishing Attachment): The attack starts with a phishing email containing a ZIP archive.
  2. Execution (T1204.002 - Malicious File): The user is tricked into opening the file within the archive, which executes the initial malware loader while displaying a benign decoy document.
  3. Defense Evasion (T1497.003 - Time Based Evasion): The malware checks the system's age, a common technique to determine if it is running in a newly created sandbox environment. If the environment is too new, the malware may terminate.
  4. Command and Control (T1105 - Ingress Tool Transfer): If the environment checks pass, the malware downloads additional payloads (BadPaw and MeowMeow backdoors) from a C2 server.
  5. Persistence: The backdoors establish persistence on the device, allowing the attacker to maintain remote access for data exfiltration and further actions.

Impact Assessment

The immediate goal is to establish a foothold within Ukrainian organizations for espionage, data theft, or potential future disruptive operations. The compromise of government or critical infrastructure networks could provide valuable intelligence to the Russian state.


Threat 2: Starkiller Phishing Tool

Threat Overview

  • Tool: Starkiller
  • Type: Phishing-as-a-Service (PhaaS) / Adversary-in-the-Middle (AiTM) toolkit.
  • Capability: Bypasses MFA by stealing session tokens.

Starkiller represents the ongoing commoditization of advanced attack tools. Like the recently disrupted Tycoon 2FA platform, Starkiller allows low-skilled attackers to defeat MFA, which is a cornerstone of modern security. It does this by acting as a proxy between the victim and the real login page.

Technical Analysis

Starkiller's methodology is a textbook AiTM attack:

  1. The victim is lured to a phishing page controlled by Starkiller.
  2. The Starkiller server presents a pixel-perfect copy of the real login page (e.g., for Microsoft 365).
  3. The victim enters their username, password, and MFA code.
  4. All this information is proxied through the attacker's server to the real service, and the attacker harvests the credentials and MFA code in real time.
  5. Crucially, upon successful login, the session token issued by the service is also intercepted by the attacker (T1539 - Steal Web Session Cookie).
  6. The attacker can now use this token to access the victim's account without needing the credentials or MFA again, until the session expires.

Starkiller reportedly uses headless browsers to automate parts of this process, making it highly efficient and scalable.
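To show concretely why the FIDO2/WebAuthn MFA recommended later in this report survives the proxying in steps 4 and 5, here is an added example (not from the report, Starkiller, or any vendor) of the checks a relying party runs on a WebAuthn assertion's clientDataJSON and authenticatorData before it verifies the signature; the signature check itself is omitted. The relying party `login.example.com`, the look-alike domain, the challenge value and the sample assertions are constructed assumptions.

```python
import base64
import hashlib
import json

# Assumed relying party (hypothetical): the real login service's ID and origin.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin, challenge):
    """Build a base64url clientDataJSON the way a browser does for
    navigator.credentials.get(). Constructed test input only: the browser sets
    'origin' to the page the user is actually on, not to a value that page's
    JavaScript can choose, so a proxy on another domain cannot forge it."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).decode().rstrip("=")

def sample_authenticator_data(rp_id, counter=1):
    """Constructed authenticatorData: rpIdHash, flags (UP|UV), 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")

def check_client_data(client_data_b64, expected_challenge):
    """Checks an RP must make on clientDataJSON before verifying the
    signature: ceremony type, challenge freshness, and origin."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type %r" % cd.get("type")
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # This is the check a proxied login fails: the victim's browser was on
        # the attacker's domain, so that is the origin it signed over.
        return False, "origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN)
    return True, "ok"

def check_rp_id_hash(authenticator_data):
    """The authenticator also binds the assertion to the RP ID: the first 32
    bytes of authenticatorData are SHA-256(rpId). A credential registered for
    the real service never yields a valid assertion for a different rpId."""
    return authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
```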

Impact Assessment

The proliferation of tools like Starkiller democratizes advanced cybercrime. It means that any organization, regardless of size, can be targeted with attacks that bypass MFA. This dramatically increases the risk of Business Email Compromise (BEC), data breaches, and subsequent ransomware attacks, as account takeovers become easier to achieve.

Detection and Mitigation (Combined)

  • Detection: Detecting these threats requires a layered approach. For the Ukrainian campaign, EDR solutions should be tuned to detect suspicious process chains and anti-analysis techniques. For Starkiller, detection relies on identifying the AiTM infrastructure, which involves URL analysis and monitoring for anomalous login behavior (e.g., impossible travel alerts). D3FEND's User Geolocation Logon Pattern Analysis is key.
  • Mitigation:
    1. Phishing-Resistant MFA: The most effective defense against tools like Starkiller is to move to FIDO2/WebAuthn-based MFA, which is not vulnerable to AiTM attacks.
    2. Email Security: Advanced email security gateways can help block the initial phishing emails for both types of threats.
    3. User Training: Users should be trained to be wary of unexpected attachments and login prompts.
    4. Endpoint Protection: A modern EDR is essential for detecting and blocking the execution of malware like BadPaw and MeowMeow.
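As an added example of the anomalous-login detection the report recommends (the impossible-travel case under D3FEND's User Geolocation Logon Pattern Analysis), and not code from the report or any product, the following flags consecutive sign-ins by the same user whose implied travel speed is not physically possible and notes whether the user agent changed, the pattern a replayed session token tends to produce. The sign-in events, user names, IPs and coordinates are constructed sample data, and the 1000 km/h threshold is an assumed tuning value.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not from the report): timestamp, user,
# source IP, approximate geolocation of that IP (lat, lon) and user agent.
SAMPLE_EVENTS = [
    {"ts": "2026-03-06T08:02:11Z", "user": "o.koval", "ip": "203.0.113.10", "lat": 50.45, "lon": 30.52, "ua": "Edge/Windows"},
    {"ts": "2026-03-06T08:19:40Z", "user": "o.koval", "ip": "198.51.100.77", "lat": 40.71, "lon": -74.01, "ua": "Chrome/Linux"},
    {"ts": "2026-03-06T09:05:03Z", "user": "i.petrov", "ip": "203.0.113.45", "lat": 49.84, "lon": 24.03, "ua": "Edge/Windows"},
    {"ts": "2026-03-06T13:40:00Z", "user": "i.petrov", "ip": "203.0.113.46", "lat": 50.45, "lon": 30.52, "ua": "Edge/Windows"},
]
MAX_SPEED_KMH = 1000.0  # assumed threshold: faster than this between sign-ins is impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Group events per user in time order and alert on any consecutive pair
    whose distance / elapsed time exceeds max_speed_kmh. A stolen token used
    from attacker infrastructure shows up as a new IP, location and often a
    new user agent within minutes of the victim's own sign-in."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0:
                speed = dist / hours
            else:  # same timestamp: any distance at all is impossible
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(dist), "minutes": round(hours * 60),
                               "ua_changed": prev["ua"] != cur["ua"]})
    return alerts
```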

Timeline of Events

  1. March 6, 2026: Cybersecurity experts report on the new Russian-led campaign and the emergence of the Starkiller phishing tool.
  2. March 7, 2026: This article was published.

MITRE ATT&CK Mitigations

  • To defend against tools like Starkiller, organizations must upgrade to phishing-resistant MFA (FIDO2/WebAuthn).
  • Deploy EDR solutions to detect and block the execution of new malware families like BadPaw and MeowMeow.
  • Train users in targeted regions like Ukraine to be extra vigilant about documents related to border crossings or official matters.

Sources & References

  • Ankura CTIX FLASH Update – March 6, 2026. Ankura (ankura.com), March 6, 2026.
  • Top 5 Cybersecurity News Stories March 06, 2026. DieSec (diesec.com), March 6, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Malware, BadPaw, MeowMeow, Phishing, Starkiller, MFA Bypass, AiTM, Ukraine, Russia
