PowerModul
PowerModul is a PowerShell implant/loader used by the GOFFEE APT group in campaigns against organizations in Russia. It was first observed in early 2024 and was documented in attacks from July to December 2024 against media, telecommunications, construction, government, and energy organizations. GOFFEE's primary initial access vector was targeted phishing email carrying malicious RAR archives. One observed chain used a RAR archive containing a macro-enabled Microsoft Office document: once the user enabled macros, the document dropped an HTA file and a PowerShell file, the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD registry value was set for persistence, and the HTA wrote and launched a JavaScript file (UserCacheHelper.lnk.js) that ran the PowerModul implant stored on disk as UserCache.ini. One reported PowerModul sample (UserCache.ini) had MD5 60A53D2C653991F086C4E6663D652CF2 and SHA256 BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD.
PowerModul retrieves additional PowerShell payloads from a command-and-control server and executes them. It appends a victim identifier built from the computer name, username, and disk serial number to the C2 URL, so the identifier travels in the request URL and is visible in web-proxy logs, and it receives XML responses containing Base64-encoded scripts. Because its C2 protocol, payload types, and infrastructure differ from PowerTaskel's, researchers classified PowerModul as a separate malware family. The implant includes an OfflineWorker() function that decodes and executes embedded Base64 content; this functionality was observed carrying code for the FlashFileGrabber data theft tool.
Observed payloads delivered by PowerModul included PowerTaskel, FlashFileGrabber, and USB Worm. FlashFileGrabber searched removable media for files with targeted extensions and copied them to %TEMP%\CacheStore\connect<VolumeSerialNumber>, storing metadata in ftree.db and MD5 hashes of that metadata in %AppData%\internal_profiles.db. USB Worm infected removable media by hiding original files, copying PowerModul as UserCache.ini, and creating hidden VBS and BAT launchers plus deceptive shortcuts. PowerModul is associated with GOFFEE's broader post-exploitation activity, which also included use of Mythic agents, PsExec, mshta.exe, and WinRM for privilege escalation and lateral movement.
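The host artifacts above (the LOAD registry value, UserCache.ini, UserCacheHelper.lnk.js, the FlashFileGrabber staging directory and databases, the reported sample hash, and the Office-to-HTA-to-JS-to-PowerShell chain) can be turned into hunt rules over endpoint telemetry. The script below is an added example, not code from the GOFFEE write-up or from Mallory. It assumes Sysmon-style field names (EventID, Image, ParentImage, TargetObject, TargetFilename, Hashes or Hash), the sample events are constructed rather than captured logs, and, because the page does not give the volume-serial format in the CacheStore path or the names of the hidden VBS/BAT launchers, the staging-directory match accepts any run of hex digits and the USB-worm check relies only on UserCache.ini.

```python
"""Hunt the PowerModul host artifacts over Sysmon-style telemetry.

Added example, not code from the GOFFEE write-up or from Mallory. Field names
follow Sysmon's schema; SAMPLE_EVENTS below are constructed, not captured logs.
"""
import re
from typing import Iterable

# Indicators from the write-up (hashes compared lowercase).
SAMPLE_MD5 = "60a53d2c653991f086c4e6663d652cf2"
SAMPLE_SHA256 = "be1d0faf1c253faacba1059971b01d1d646256d7b2e557da55ed059542afdbcd"
# Sysmon records HKCU as HKU\<SID>\..., so match the LOAD value path by suffix only.
LOAD_VALUE_SUFFIX = r"\software\microsoft\windows nt\currentversion\windows\load"
FILE_NAME_IOCS = {"usercache.ini", "usercachehelper.lnk.js", "ftree.db", "internal_profiles.db"}
# FlashFileGrabber staging dir %TEMP%\CacheStore\connect<VolumeSerialNumber>; the serial's
# exact format is not given on the page, so any run of hex digits is accepted (assumption).
CACHESTORE_RE = re.compile(r"\\cachestore\\connect[0-9a-f]+", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_hashes(field: str) -> dict[str, str]:
    """Sysmon hash fields look like 'MD5=...,SHA256=...'."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    # Registry value set (event 13): the LOAD value is a legacy logon autostart that is rarely written legitimately.
    if eid == 13 and ev.get("TargetObject", "").lower().endswith(LOAD_VALUE_SUFFIX):
        hits.append("powermodul_load_value_persistence")
    # File create (11) / stream hash (15): implant copy, JS launcher, FlashFileGrabber databases and staging dir.
    if eid in (11, 15):
        target = ev.get("TargetFilename", "")
        if _basename(target) in FILE_NAME_IOCS or CACHESTORE_RE.search(target):
            hits.append("powermodul_artifact_file")
    # Process create (1): Office -> mshta -> wscript -> powershell is the chain the write-up describes.
    if eid == 1:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if parent in OFFICE_APPS | SCRIPT_HOSTS and image in SCRIPT_HOSTS | PS_HOSTS:
            hits.append("script_host_chain")
    # Known sample hash wherever a hash field is present (Sysmon event 15, or a file inventory feed).
    hashes = _parse_hashes(ev.get("Hashes") or ev.get("Hash") or "")
    if hashes.get("MD5") == SAMPLE_MD5 or hashes.get("SHA256") == SAMPLE_SHA256:
        hits.append("powermodul_known_sample_hash")
    return hits


def hunt(events: Iterable[dict]) -> dict[str, list[int]]:
    """Map each tripped rule to the indices of the events that tripped it."""
    findings: dict[str, list[int]] = {}
    for idx, ev in enumerate(events):
        for rule in match_event(ev):
            findings.setdefault(rule, []).append(idx)
    return findings


# Constructed sample telemetry (not real captures) mirroring the chain described on the page.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD",
     "Details": r"C:\Users\victim\AppData\Roaming\launcher.hta"},  # 0: persistence via LOAD (HTA name assumed)
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\UserCacheHelper.lnk.js"},  # 1: JS launcher dropped
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},  # 2: JS host starts PowerShell
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\CacheStore\connect1A2B3C4D\ftree.db"},  # 3: FlashFileGrabber
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},  # 4: benign
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device",
     "Details": "Microsoft Print to PDF"},  # 5: benign neighbour value under the same key
    {"EventID": 15, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"E:\UserCache.ini",
     "Hash": "MD5=60A53D2C653991F086C4E6663D652CF2,SHA256=BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD"},  # 6: USB worm copy
]

if __name__ == "__main__":
    for rule, idxs in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {idxs}")
```

Two caveats when running this against real data: Sysmon only emits event 13 for registry paths and event 11 for file paths that its configuration includes, so the Windows NT\CurrentVersion\Windows key and the user's Temp and AppData directories need to be in scope, and the script_host_chain rule is a generic Office/script-host heuristic that will also fire on unrelated tooling, so treat it as a pivot point rather than a PowerModul-specific indicator.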
Groups observed using it
1 distinct threat actor (GOFFEE) attributed by public researchers.
In the second half of 2024, the GOFFEE APT group continued to attack organizations in Russia, using PowerTaskel, a non-public PowerShell agent for Mythic, as well as a new implant that we named PowerModul.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
USB Worm is capable of infecting removable media with a copy of PowerModul
the GOFFEE group ... attacked ... using targeted phishing emails with malicious attachments
Execution
4 techniques
PowerModul is a PowerShell script that can retrieve additional PowerShell scripts from the command-and-control server and execute them
the worm creates hidden VBS and BAT files to launch PowerModul and open a decoy document | the RAR archive contains a Microsoft Office document with a macro that acts as a dropper
The HTA file ... writes a JavaScript file named UserCacheHelper.lnk.js to disk and then launches that JS file
Clicking the "Enable Content" button activates the macro
Persistence
1 technique
Privilege Escalation
1 technique
Stealth (ATT&CK tactic: Defense Evasion)
3 techniques
the PowerModul code is embedded ... as a Base64-encoded string ... The response from the command-and-control server ... contains Base64-encoded scripts
A RAR archive with an executable file disguised as a document. In some cases the file name includes a double extension, for example .pdf.exe or .doc.exe.
the worm gives the files on the removable media random names ... and hides them
Lateral Movement
1 technique
Command and Control
1 technique
PowerModul ... can retrieve additional PowerShell scripts from the command-and-control server and execute them
IOCs tracked for this family
4 indicators (network infrastructure and file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Implant used in targeted attacks against Russian entities across multiple sectors (July-Dec 2024).
Implant referenced in the GOFFEE campaign (H2 2024) alongside a shift to a binary Mythic agent; that source does not detail its specific capabilities.
A PowerShell implant capable of retrieving additional PowerShell scripts from the command-and-control server and executing them. Used as a loader for PowerTaskel, FlashFileGrabber, and USB Worm; has an OfflineWorker function for executing an embedded payload.