Paper Werewolf
GOFFEE, also tracked as Paper Werewolf, is an APT cluster first observed in early 2022 that, according to the reporting collected here, has exclusively targeted organizations in the Russian Federation. Reported victim sectors include media, telecommunications, construction, government, and energy, and multiple sources describe the group targeting Russian organizations and government entities. The reporting also states that GOFFEE/Paper Werewolf exploited the WinRAR vulnerabilities CVE-2025-6218 and CVE-2025-8088 in 2025.

The group's primary initial access method is targeted phishing with malicious attachments. Reported delivery chains include RAR archives containing disguised executables or macro-enabled Office documents, malicious XLL add-ins, and Telegram-based lures. In 2024 campaigns, GOFFEE used malicious Word VBA documents that created HTA and PowerShell files, set the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD registry value for persistence, and launched JavaScript and PowerShell loaders. The reporting also notes that GOFFEE previously used a modified Owowa IIS module from May 2022 through summer 2023, and later distributed modified malicious versions of explorer.exe through phishing.

Malware and tooling directly associated with GOFFEE/Paper Werewolf in the reporting include PowerModul, PowerTaskel, FlashFileGrabber, USB Worm, EchoGather, PaperGrabber, a custom Mythic agent, and a Linux rootkit named Sauropsida. PowerModul is described as a PowerShell implant first observed in early 2024 that retrieves and executes additional PowerShell payloads from C2; payloads it delivered include PowerTaskel, FlashFileGrabber, and USB Worm. PowerTaskel is described as a non-public Mythic agent written in PowerShell that GOFFEE has used since early 2023; it can execute arbitrary PowerShell commands and load a binary Mythic agent for lateral movement.

The reporting further states that GOFFEE increasingly shifted from PowerTaskel to a binary Mythic agent and likely developed its own Mythic agent implementations in PowerShell and C. FlashFileGrabber and USB Worm indicate a focus on removable-media theft and propagation: FlashFileGrabber searched removable media for targeted file types and copied them to staging directories, while USB Worm infected removable media by hiding the original files and placing launchers and deceptive shortcuts. Separate reporting on PaperGrabber describes collection of files from local, network, and removable drives; theft of Telegram Desktop session data; extraction of browser credentials from Yandex Browser, Chrome, Opera, Edge, and Chromium using DPAPI; monitoring of newly attached removable drives; and exfiltration of archived data in chunks.

GOFFEE/Paper Werewolf also ran Telegram- and Starlink-themed campaigns. The group used a dedicated Telegram channel to distribute the EchoGather RAT disguised as a Starlink restriction-bypass or exception-list application for users in Russia, and also distributed phishing links to steal Telegram accounts. Related phishing infrastructure included re-link[.]space, mystarlink[.]org, and web-tellegram[.]org/ru. In drone-themed operations, the group used battleflight[.]org and battleflight[.]pro to distribute EchoGather disguised as a BattleFlight UAV training simulator installer. Reporting links infrastructure such as battleflight[.]pro to GOFFEE and notes thematic and partial infrastructure overlap with HeartlessSoul.

EchoGather is described as a backdoor/RAT used by GOFFEE/Paper Werewolf in multiple campaigns. Reported capabilities include anti-VM checks, host reconnaissance, HTTPS POST communications with hardcoded C2 infrastructure, command execution, file upload, and file download or remote file write depending on the variant. One late-2025 campaign used a malicious Excel XLL add-in to drop EchoGather, and infrastructure pivots linked that activity to Paper Werewolf/GOFFEE.

Operationally, the group has used PsExec for privilege escalation, WinRM for lateral movement, mshta.exe, HTA polyglot payloads, obfuscated JavaScript and PowerShell chains, and the Windows LOAD registry value for persistence. The reporting also states that GOFFEE used WinRM with the User-Agent string "Ruby WinRM Client". Multiple reports explicitly associate GOFFEE/Paper Werewolf with use of the Mythic framework. Aliases directly supported by the reporting are GOFFEE and Paper Werewolf.
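As an added detection example (not from the page or from any vendor's rule set), the following Python check runs over constructed, Sysmon-style registry-set events and proxy-style HTTP log lines and flags the two artifacts named above: a write to the HKCU ...\Windows\Load value used for persistence, and a WinRM request carrying the "Ruby WinRM Client" User-Agent. The key=value log format and all sample values are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not real events). Each line is space-separated
# key=value pairs; values with spaces are double-quoted. "evt=reg" lines mimic
# Sysmon Event ID 13 (registry value set); "evt=http" lines mimic a proxy log.
# Note: Sysmon renders HKCU paths as HKU\<SID>\..., so match on the key suffix.
SAMPLE_EVENTS = r'''
evt=reg id=13 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" target="HKU\S-1-5-21-1111\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" details="C:\Users\user\AppData\Roaming\update.hta"
evt=reg id=13 image="C:\Windows\explorer.exe" target="HKU\S-1-5-21-1111\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device" details="Microsoft Print to PDF"
evt=http src=10.0.0.5 dst=10.0.0.9 dport=5985 method=POST path=/wsman ua="Ruby WinRM Client"
evt=http src=10.0.0.5 dst=10.0.0.9 dport=5985 method=POST path=/wsman ua="Microsoft WinRM Client"
'''

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The Load value lives under the per-user "Windows" key; any write here is rare
# on a normal host and worth alerting on regardless of the SID prefix.
LOAD_VALUE_SUFFIX = r'\software\microsoft\windows nt\currentversion\windows\load'
WINRM_UA = 'Ruby WinRM Client'


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def detect(events_text: str) -> list:
    """Return one finding per event that matches either tradecraft artifact."""
    findings = []
    for raw in events_text.strip().splitlines():
        ev = parse_line(raw)
        kind = ev.get('evt')
        if kind == 'reg' and ev.get('target', '').lower().endswith(LOAD_VALUE_SUFFIX):
            findings.append({'rule': 'hkcu_windows_load_value_set',
                             'image': ev.get('image'), 'value': ev.get('details')})
        elif kind == 'http' and ev.get('ua') == WINRM_UA:
            findings.append({'rule': 'winrm_ruby_client_ua',
                             'src': ev.get('src'), 'dst': ev.get('dst'),
                             'dport': ev.get('dport')})
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

In production the Load value check belongs in the registry-monitoring rule set (the value is normally absent), and the User-Agent match should be joined with the destination port (5985/5986) so it is scoped to WinRM rather than arbitrary HTTP.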
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
- Government & Administration
- Capital Goods
Tradecraft
48 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
The vulnerability, tracked as CVE-2025-8088, affects all Windows versions of WinRAR up to 7.12 ... a path traversal bug that leverages Windows' alternate data streams (ADS) feature to circumvent normal file extraction safeguards.
...exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...the source of their infection turned out to be an Exchange mail server that had been compromised back in the summer of 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...delivering RAR files that also took advantage of CVE-2025-6218, a different WinRAR flaw patched in June 2025.
Observables
30 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting credential and document theft operations using the PaperGrabber stealer, Telegram session theft, browser credential extraction, removable-media collection, a Node.js/WSF persistence-and-shellcode downloader chain, and custom Mythic implant loaders.
Previously targeted Russian systems and was known for stealing sensitive files from flash drives connected to infected computers; identified as linked to HeartlessSoul.
Distributes EchoGather via Telegram channels and fake Starlink/drone-themed installers, using phishing and trojanized applications to compromise victims and exfiltrate system data.
Conducts phishing and malware delivery campaigns themed around Starlink device registration and drone pilot training, using Telegram lures and fake installer sites to deploy EchoGather.