Incident-as-a-Service

Multi-Stage "BadPaw" Malware Campaign Targets Ukraine

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: Will benefit by learning to craft specific detection rules for multi-stage malware and analysing its behaviour within a SIEM, enhancing their threat hunting capabilities.
  • Incident Responder: Will gain a structured playbook and forensic techniques tailored to contain and eradicate sophisticated malware infections, improving response times and effectiveness.
  • IT Security Manager/CISO: Will learn to communicate the business risk of such campaigns to leadership and map defensive controls to key compliance frameworks like NIS2 and DORA, strengthening organisational governance.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total


Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
📖 1.1 Multi-Stage 'BadPaw' Malware Campaign Deep Dive 45 min
📖 1.2 Malware Campaign Analysis and Attribution 45 min
📖 1.3 Malware Delivery and Execution Vectors 45 min
📖 1.4 Malware Indicators of Compromise (IoCs) 45 min
📖 2.1 SIEM Detection for Malware Activity 45 min
📖 2.2 Endpoint Detection and Malware Analysis 45 min
📖 2.3 Malware Incident Response Playbook 45 min
📖 2.4 Malware Digital Forensics Essentials 45 min
📖 3.1 Endpoint Hardening Against Malware 45 min
📖 3.2 Application Control and Execution Policies 45 min
📖 3.3 Network Segmentation to Contain Malware 45 min
📖 3.4 Zero Trust Principles for Malware Defence 45 min
📖 4.1 Malware-Specific Security Awareness 45 min
📖 4.2 Communicating Malware Risk to the Board 45 min
📖 4.3 Managing Third-Party and Supply Chain Malware Risks 45 min
📖 4.4 Mapping Malware Controls to Compliance Frameworks 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.


Multi-Stage 'BadPaw' Malware Campaign Deep Dive

Lesson 1 of 16

Lesson 1.1: Multi-Stage 'BadPaw' Malware Campaign Deep Dive

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Article 5-17 | ICT risk management framework and policies
ISO 27001 | A.12.2 | Protection from malware
NIST CSF | DE.CM-1 | The network is monitored to detect potential cybersecurity events
NIS2 | Article 21 | Security policies and risk management measures
SOC 2 | CC7.1 | The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
GDPR | Article 32 | Security of processing

Introduction

Welcome to Lesson 1.1: Multi-Stage 'BadPaw' Malware Campaign Deep Dive! Over the next 45 minutes, we will explore how a sophisticated, multi-stage malware attack operates, using a real-world campaign targeting defence organisations as our case study.

But first, let me tell you about Mykhailo Kovalenko.

It's just after 9 AM on a Tuesday in March. Mykhailo, a logistics coordinator at a defence contractor in Kyiv, is settling in with his morning coffee. The office hums with the quiet urgency of wartime support. He opens his email, the familiar blue glow of his screen reflecting in his glasses. The air smells of stale coffee and printer toner.

An email from a trusted partner organisation catches his eye. The subject line references a delayed shipment of non-critical components, a common issue. The tone is professional, slightly apologetic. An attached Excel file, 'Revised_Delivery_Schedule.xls', seems perfectly normal. Mykhailo clicks it, expecting to update a spreadsheet.

A security warning flashes briefly, then disappears. The spreadsheet opens, but the data looks garbled, a mess of symbols. He assumes a file corruption, closes it, and goes back to his email. He doesn't notice the background process that just started, or the new, hidden network connection his computer is attempting to make.

This is the story of the BadPaw malware. By the end of this lesson, you'll understand exactly why Mykhailo never stood a chance, and more importantly, what could have saved him.


Content Section 1: What is a Multi-Stage Malware Campaign?

Think of a multi-stage malware attack like a special forces operation. It's not a single explosive event; it's a sequence of calculated, stealthy moves. Each stage has a specific job, and the success of the whole mission depends on each piece working quietly and in order.

The Campaign Lifecycle

A campaign like BadPaw doesn't begin with the malware itself. It starts with intelligence gathering. Attackers research their target—in this case, Ukrainian defence logistics—to understand who to impersonate and what lures will work.

The first technical stage is the initial compromise, often via a phishing email with a malicious document. This document doesn't contain the final payload. Instead, it contains a 'dropper'—a small, simple piece of code whose only job is to quietly fetch the next stage from an attacker-controlled server.

This separation is what makes it so dangerous. The initial email and document can be very simple, helping it evade basic email filters. The complex, malicious logic is pulled down later, often from a server that wasn't known to be malicious when the email was sent.

The Business Model of Targeted Attacks

While ransomware gangs operate for quick financial gain, campaigns like BadPaw have a different model. The goal is persistent access and intelligence collection. The 'customer' is often a state or state-aligned group seeking strategic advantage.

The investment is significant. Research suggests developing such custom malware and running a targeted campaign requires substantial resources. The payoff isn't measured in Bitcoin, but in stolen blueprints, intercepted communications, or disrupted supply chains.

Think about that last point for a moment. The weapon isn't in the envelope. The envelope just contains instructions for where to go and pick up the weapon, instructions written after the envelope has already passed through the mailroom.

DORA Article 5-17: DORA's ICT risk management requirements force financial entities to look beyond simple virus scanning. They must have processes to understand sophisticated, multi-vector threats like BadPaw that target specific business functions like logistics.

ISO 27001 A.12.2: Protection from malware isn't just about antivirus software. It mandates policies and controls to defend against all types of malicious code, which includes understanding and planning for multi-stage delivery mechanisms.



Content Section 2: The Technical Architecture of BadPaw

Understanding this architecture reveals why it's so effective. Let me show you exactly how Mykhailo's computer was compromised, step by step.

The Attack Flow

Step 1: The Lure. Mykhailo receives a tailored phishing email. It references real logistics issues, uses known contact names, and has a convincing sender address (often spoofed or from a compromised account).

Step 2: The Dropper. The attached Excel file uses old, but enabled, macros. When Mykhailo enables content, the macro runs. It doesn't do anything obviously bad. Instead, it executes a PowerShell command, hidden within the spreadsheet's cells, that reaches out to a remote server.

Step 3: The Download. The PowerShell script downloads the next stage, often a common, legitimate system administration tool like PsExec or a disguised script. Using these 'living-off-the-land' binaries (LOLBins) helps the activity blend in with normal system noise.

Step 4: Persistence and Execution. This downloaded tool is then used to install the final payload—a remote access trojan (RAT) or information stealer—and set it up to run every time the computer starts. The connection is now established.

Key Technical Components

Macro-Enabled Documents: These are the favoured initial entry point. They rely on a user's action, bypassing technical controls that might block executable files.

PowerShell: A powerful administrative tool built into Windows. Attackers use it because it's already there, trusted, and can perform almost any system task. Its commands can be obfuscated and triggered from documents.

Living-off-the-Land Binaries (LOLBins): Tools like PsExec, BITSAdmin, or WMI are used for lateral movement and payload installation. Security software is less likely to flag these Microsoft-signed tools.

Why Traditional Defences Fail

BadPaw is designed to slip past common security measures. Here's how:

Defence Method | How It's Bypassed | Time to Compromise
Signature-Based Antivirus | The final payload is custom or heavily modified; the dropper is too simple to have a signature. | Minutes
Email Attachment Blocking (.exe) | The attachment is a .doc or .xls file, which is allowed. The executable is downloaded later. | Minutes
Network Blocklists (IP/Domains) | The initial download uses a newly registered domain or a compromised website not yet on blocklists. | Minutes
User Training on 'Strange' Emails | The email is highly tailored, relevant, and appears to come from a known contact. | Seconds

Notice what all of these methods have in common. They rely on static, known-bad indicators. BadPaw uses legitimate tools, dynamic infrastructure, and social engineering to avoid those indicators until it's too late.

Now pay attention, because this is the moment that changes everything. This is the moment where a simple, user-approved action—clicking 'Enable Content' on a document—triggers a hidden chain of events that hands over control of the computer.

NIST CSF DE.CM-1: Requires network monitoring to detect events. Defending against BadPaw means monitoring for the *behaviour* of these stages—like PowerShell making unexpected web requests—not just blocking known-bad files.

NIS2 Article 21: Mandates risk management measures. For a threat like BadPaw, this means moving beyond basic antivirus to proactive threat hunting, monitoring for LOLBin misuse, and managing macro security policies.



Content Section 3: Detection Mechanisms

Mykhailo's computer knew something was wrong. It just couldn't tell him. The system generated logs and exhibited subtle anomalies that, if monitored, could have raised the alarm.

Network-Level Indicators

Look for sequences, not just single events. A single HTTP request might be normal. But a sequence of: 1) User opens Office doc, 2) Immediate spawning of PowerShell or cmd.exe from the Office process, 3) That command shell makes an HTTP/HTTPS request to a new domain, is a major red flag.

Monitor for the use of non-standard ports for common protocols, or for encrypted traffic (like HTTPS) to domains with low reputation scores or recent registration dates. The command and control (C2) traffic for malware like this often tries to hide in plain sight.

DNS monitoring is critical. Sudden spikes in queries for new, algorithmically-generated domain names (DGAs) or lookups for domains associated with free hosting services can indicate malware calling home.

Endpoint-Level Indicators

Process lineage is your best clue. Security tools should track parent-child process relationships. Seeing 'winword.exe' or 'excel.exe' as the parent of 'powershell.exe' or 'cmd.exe' is highly suspicious and rarely part of legitimate user activity.

Look for fileless techniques. Malware may run entirely in memory using PowerShell or Windows Script Host (wscript/cscript). Check for large, obfuscated PowerShell command lines or scripts being executed from unusual locations like the Temp folder.

Monitor for persistence mechanisms being created shortly after such suspicious process chains—new scheduled tasks, registry Run keys, or service installations.
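The network-level and endpoint-level indicators above, as an added example that is not part of the original lesson: a Python detection rule that walks constructed Sysmon-style events (process creation, network connection, registry value set) and escalates severity as the Office → script host → web request → persistence chain progresses. The allowlist, the domain-age figures and the ten-minute window are assumptions standing in for a real reputation feed and a tuned SIEM setting.

```python
"""Sequence detection for the Office -> script host -> web request -> persistence chain
described in this lesson. Runs over constructed Sysmon-style events (IDs 1, 3 and 13);
the allowlist and domain-age figures are illustrative assumptions, not real data."""
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\schedule\\taskcache\\")
WINDOW = timedelta(minutes=10)              # assumed: how long after the spawn we keep watching
ALLOWLIST = {"updates.microsoft.com"}       # assumed known-good destinations
DOMAIN_AGE_DAYS = {"cdn-logistics-update.example": 3}  # assumed WHOIS/reputation feed


def detect_badpaw_chain(events):
    """Return (severity, pid, reason) tuples; severity rises as the chain progresses."""
    suspects = {}   # pid -> time its Office ancestor spawned the script host
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        pid = ev["pid"]
        if ev["id"] == 1:   # process creation
            image, parent = ev["image"].lower(), ev["parent_image"].lower()
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                suspects[pid] = t
                findings.append(("MEDIUM", pid, f"{parent} spawned {image}"))
            elif ev["ppid"] in suspects:   # children inherit the suspicion of the chain
                suspects[pid] = suspects[ev["ppid"]]
            continue
        start = suspects.get(pid)
        if start is None or t - start > WINDOW:
            continue   # not part of a chain, or too long after it to correlate
        if ev["id"] == 3:   # network connection from a suspect process
            host = ev["dest_host"].lower()
            if host in ALLOWLIST:
                continue
            age = DOMAIN_AGE_DAYS.get(host)
            why = f"domain registered {age} days ago" if age is not None else "unknown reputation"
            sev = "HIGH" if age is None or age < 30 else "MEDIUM"
            findings.append((sev, pid, f"script host connected to {host}:{ev['dest_port']} ({why})"))
        elif ev["id"] == 13:   # registry value set by a suspect process
            if any(m in ev["target_object"].lower() for m in RUN_KEY_MARKERS):
                findings.append(("CRITICAL", pid, f"persistence written to {ev['target_object']}"))
    return findings


# Constructed sample telemetry reproducing the lesson's attack flow on one host,
# plus two benign events (a late connection and an admin-launched PowerShell).
SAMPLE_EVENTS = [
    {"id": 1, "time": "2024-03-12T09:04:10", "pid": 4120, "ppid": 3010, "image": "EXCEL.EXE", "parent_image": "explorer.exe"},
    {"id": 1, "time": "2024-03-12T09:04:52", "pid": 4388, "ppid": 4120, "image": "powershell.exe", "parent_image": "EXCEL.EXE"},
    {"id": 3, "time": "2024-03-12T09:04:55", "pid": 4388, "dest_host": "cdn-logistics-update.example", "dest_port": 443},
    {"id": 1, "time": "2024-03-12T09:05:20", "pid": 4402, "ppid": 4388, "image": "cmd.exe", "parent_image": "powershell.exe"},
    {"id": 13, "time": "2024-03-12T09:05:31", "pid": 4402, "target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHealth"},
    {"id": 3, "time": "2024-03-12T09:30:00", "pid": 4388, "dest_host": "cdn-logistics-update.example", "dest_port": 443},
    {"id": 1, "time": "2024-03-12T09:40:00", "pid": 5000, "ppid": 3010, "image": "powershell.exe", "parent_image": "explorer.exe"},
    {"id": 3, "time": "2024-03-12T09:40:05", "pid": 5000, "dest_host": "updates.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    for sev, pid, reason in detect_badpaw_chain(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid}: {reason}")
```

The explorer-launched PowerShell and the connection made 25 minutes after the spawn produce no finding, which is the point of keying on lineage and timing rather than on PowerShell alone.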

Identity Provider Signals

While the initial compromise is via malware, the next goal is often stealing credentials. Watch for impossible travel scenarios—a user's account appearing to log in from Kyiv and a foreign country within minutes.

Look for anomalous application access. A logistics coordinator's account suddenly attempting to access SharePoint sites for engineering or senior leadership would be unusual.

Monitor for multi-factor authentication (MFA) fatigue attacks following a malware infection, where the attacker, having stolen a password, triggers countless MFA push notifications hoping the user will accidentally approve one.

SOC 2 CC7.1: Requires detection procedures for new vulnerabilities and configuration changes. Detecting BadPaw means having monitoring that catches the introduction of malicious configurations (like new persistence entries) and the suspicious behaviours (like LOLBin misuse) that indicate an active compromise.

GDPR Article 32: Requires appropriate security for personal data. A malware infection that leads to credential theft and data exfiltration is a direct breach of this. Detection mechanisms for multi-stage malware are a key technical control to ensure data security.


Activity: Mapping Your Macro and Scripting Controls

This activity will help you assess your organisation's exposure to the initial entry vectors used by campaigns like BadPaw.

Important Security Note: Do NOT document or share specific findings about control gaps, policy settings, or vulnerable systems in the public forum. This is for your internal awareness. Work with your IT or security team to discuss findings.

Instructions

Step 1: Review your organisation's Microsoft Office macro security policy. Are macros blocked by default from the internet? Are they disabled with notification? Are they fully enabled?

Step 2: Check the PowerShell execution policy on a sample of workstations (with permission). Is it set to 'Restricted' or 'AllSigned' for standard users, or is it more permissive?

Step 3: Investigate if your endpoint detection or logging solution tracks process creation events. Can you easily see if 'excel.exe' spawned 'powershell.exe'?

Step 4: Examine your email gateway configuration. Does it strip or flag macro-enabled documents from external senders?

Submission

For the course discussion forum, share general learnings only:

  • Which of these four control areas (macro policy, PowerShell, process tracking, email filtering) do you think is the most important to strengthen first, and why?
  • What was the most surprising discovery about your current settings?
  • What one question would you now ask your security team about these controls?

Do NOT share: Your specific policy settings (e.g., 'Our PowerShell policy is Unrestricted'), names of vulnerable systems, details of your email filter rules, or any internal security documentation.

Review and comment on at least two other students' submissions, focusing on the rationale for their prioritisation.


Content Section 4: Compliance Documentation

Compliance documentation is often seen as a checkbox exercise. But in the context of BadPaw, it's the written proof that you've thought about these threats before they arrive. It's the playbook your team should follow.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Article 5-17 auditors: you can now demonstrate that your staff have been trained on advanced, multi-stage malware threats relevant to the financial sector's operational resilience.

For ISO 27001 A.12.2 assessors: you can evidence that your organisation understands the specific control A.12.2 in the context of modern, fileless and multi-stage malware, not just traditional viruses.

For NIST CSF DE.CM-1 reviewers: you can show that your detection planning includes behavioural monitoring (process lineage, network sequences) required to identify threats like BadPaw, fulfilling the DE.CM-1 function.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified

Conclusion

Let me tell you how Mykhailo's story ended.

The malware persisted for weeks. It stole his corporate credentials, which were used to access shared drives and internal systems. Sensitive logistics schedules and shipment manifests were exfiltrated. Mykhailo was not fired—it was recognised as a systemic security failure—but the stress and sense of violation lingered.

His organisation eventually brought in an incident response team. They found the malware, cleaned it, and implemented stricter macro policies, application allowlisting, and deployed an endpoint detection and response (EDR) system focused on behavioural monitoring. The changes came after the damage was done.

But it doesn't have to be your story. That's why we're here.

You should now understand how multi-stage malware campaigns operate in distinct phases to evade detection. You understand why traditional signature-based defences are insufficient against them. You know the key behavioural indicators to monitor for on networks and endpoints. And you understand how these threats map to core compliance requirements across major frameworks.

Next, we'll explore Lesson 1.2: Analysing Malware Command and Control Traffic. We'll look at how to identify and disrupt the hidden communications channels that malware uses after it infects a system.

See you there.


Key Takeaways

1. Staged for Stealth: Multi-stage malware separates the initial compromise from the main payload, allowing the attack to use benign-looking lures and fetch malicious components dynamically, evading static security filters.

2. Behaviour Over Signatures: Detection must focus on sequences of behaviour—like Office applications spawning scripting engines that call the internet—rather than relying solely on known-bad file signatures or domain blocklists.

3. The LOLBin Problem: Attackers leverage legitimate system tools (Living-off-the-Land Binaries) for malicious activity, making their actions blend with normal administrative traffic and bypassing security software that trusts these applications.

4. Compliance is a Framework, Not a Fix: Controls in standards like ISO 27001 A.12.2 and NIST CSF DE.CM are the starting point; their effective implementation requires understanding modern tactics like those used in BadPaw to move beyond basic antivirus.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (suspicious process chains, network call sequences, LOLBin misuse) and immediate isolation steps for a suspected BadPaw-style multi-stage malware infection on a single page.
  • Compliance Mapping Worksheet - Map your organisation's controls for macro security, PowerShell restriction, and behavioural monitoring to the specific DORA, ISO 27001, NIST CSF, NIS2, SOC 2, and GDPR requirements relevant to the BadPaw attack vectors.
  • Risk Assessment Template - Assess your organisation's specific exposure to multi-stage malware threats based on the use of macro-enabled documents, administrative scripting tools, and the maturity of your behavioural detection capabilities.
  • Further reading - Links to official framework documentation (NIST, ISO) and threat intelligence sources reporting on recent multi-stage malware campaigns targeting critical sectors.

Multi-Stage "BadPaw" Malware Campaign Targets Ukraine Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.


Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.


Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.