Paper Werewolf
GOFFEE, also tracked as Paper Werewolf, is a threat actor first observed in early 2022. Reporting states that it has targeted organizations exclusively in the Russian Federation, including entities in the media, telecommunications, construction, government, and energy sectors. The group primarily uses targeted spear-phishing emails with malicious attachments for initial access. Known aliases are GOFFEE and Paper Werewolf.
From May 2022 through summer 2023, GOFFEE used a modified Owowa malicious IIS module. Beginning in 2024, it used patched malicious copies of Windows binaries such as explorer.exe and xpsrchvw.exe, as well as malicious Office documents with VBA macros. Those macro chains created HTA and PowerShell files, persisted via the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD registry value, and launched additional payloads. In 2024 attacks the group used the PowerShell implant PowerModul and the non-public Mythic agent PowerTaskel. PowerModul retrieved and executed additional PowerShell payloads from C2 and delivered components including PowerTaskel, FlashFileGrabber, and USB Worm; FlashFileGrabber stole files from removable media, and USB Worm propagated via removable drives. Reporting also states that GOFFEE increasingly shifted from the PowerShell-based PowerTaskel to a custom binary Mythic agent for lateral movement and remote execution. Observed lateral movement and execution techniques included renamed PsExec, mshta.exe, WinRM, HTA/JScript chains, shellcode loaders, and remote execution via wmiprvse.exe or wsmprovhost.exe launching mshta.exe. WinRM activity used the User-Agent string "Ruby WinRM Client".
Separate reporting links Paper Werewolf/GOFFEE to Telegram- and website-based malware distribution themed around Starlink and UAV/drone training. In those campaigns, the actor used a dedicated Telegram channel and the domains battleflight[.]org and battleflight[.]pro to distribute the EchoGather RAT disguised as Starlink-related software or the BattleFlight drone pilot training simulator. The same Telegram channel was also used to distribute phishing links through intermediary domains such as re-link[.]space and mystarlink[.]org to fake Telegram pages for credential theft. Paper Werewolf infrastructure is further linked to a Node.js-based JavaScript downloader chain that persisted via the same Windows LOAD registry value and repeatedly fetched shellcode from zeccecard[.]com, as well as to ZIP/RAR files containing Python and C++ loaders for a custom Mythic implant. The actor is also described as exploiting the WinRAR vulnerabilities CVE-2025-6218 and CVE-2025-8088; multiple excerpts state that Paper Werewolf/GOFFEE leveraged these vulnerabilities in 2025, including against government organizations. Additional reporting says Paper Werewolf targeted Russian organizations with a Linux rootkit named Sauropsida, and that it deployed the EchoGather RAT and PowerModul implant in targeted attacks.
Reporting also notes overlap or possible links between GOFFEE and other clusters or groups. Researchers found Warp RAT samples in attacked infrastructures and associated them with Goffee. Separate reporting notes thematic and partial infrastructure overlap between GOFFEE/Paper Werewolf and HeartlessSoul, particularly around FPV simulator and Starlink-themed infrastructure. Other Kaspersky reporting found traces of Goffee in victim networks alongside 4BID, Hacker kit, and C.A.S., but only indicates possible links or joint operations rather than confirmed subgroup structure.
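Three of the behaviours summarised above are directly observable in host and network telemetry: writes to the HKCU ...\Windows\LOAD registry value, mshta.exe being spawned by wmiprvse.exe or wsmprovhost.exe, and WinRM traffic carrying the "Ruby WinRM Client" User-Agent. The following Python is an added detection example written for this page, not code from the reporting or from Mallory. It runs three simple rules over constructed Sysmon-style (Event ID 13 registry set, Event ID 1 process create) and HTTP-proxy records; the event field names, SIDs, paths and the benign "Microsoft WinRM Client" User-Agent are assumptions chosen for the sample, and Sysmon records HKCU paths under the HKU\<SID> hive, which is why the rule matches on the value-path suffix.

```python
"""Triage rules for three Paper Werewolf/GOFFEE behaviours (added example)."""

# Constructed sample events; field names mimic Sysmon and a web proxy, not real telemetry.
SAMPLE_EVENTS = [
    # 1. Registry set of the per-user LOAD value (persistence seen in the macro and JS chains)
    {"seq": 1, "source": "sysmon", "event_id": 13,
     "image": r"C:\Windows\System32\wscript.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "details": r"C:\Users\user\AppData\Roaming\update.hta"},
    # 2. Unrelated registry set by Explorer: must not fire
    {"seq": 2, "source": "sysmon", "event_id": 13,
     "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
    # 3. mshta.exe spawned by the WMI provider host (remote execution pattern)
    {"seq": 3, "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"mshta.exe C:\Users\Public\a.hta"},
    # 4. mshta.exe spawned by the WinRM provider host
    {"seq": 4, "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "command_line": "mshta.exe https://example.invalid/x"},
    # 5. mshta.exe launched interactively from Explorer: outside this rule's scope
    {"seq": 5, "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe C:\tools\help.hta"},
    # 6. WinRM POST carrying the User-Agent named in the reporting
    {"seq": 6, "source": "http", "dst_port": 5985, "method": "POST",
     "uri": "/wsman", "user_agent": "Ruby WinRM Client"},
    # 7. WinRM POST from the native Windows client (assumed benign baseline)
    {"seq": 7, "source": "http", "dst_port": 5985, "method": "POST",
     "uri": "/wsman", "user_agent": "Microsoft WinRM Client"},
]

# Suffix match: Sysmon logs HKCU as HKU\<SID>\..., so anchor on the tail of the value path.
LOAD_VALUE_SUFFIX = r"\software\microsoft\windows nt\currentversion\windows\load"
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}
RUBY_WINRM_UA = "ruby winrm client"


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_load_persistence(ev: dict) -> bool:
    """Registry set (Sysmon EID 13) targeting the per-user Windows\\Load value."""
    return ev.get("event_id") == 13 and ev.get("target_object", "").lower().endswith(LOAD_VALUE_SUFFIX)


def is_remote_mshta(ev: dict) -> bool:
    """Process create (Sysmon EID 1) of mshta.exe under a WMI or WinRM provider host."""
    return (ev.get("event_id") == 1
            and _basename(ev.get("image", "")) == "mshta.exe"
            and _basename(ev.get("parent_image", "")) in REMOTE_EXEC_PARENTS)


def is_ruby_winrm_client(ev: dict) -> bool:
    """HTTP record whose User-Agent is the Ruby WinRM client string."""
    return ev.get("source") == "http" and ev.get("user_agent", "").strip().lower() == RUBY_WINRM_UA


RULES = [
    ("load_registry_persistence", is_load_persistence),
    ("mshta_from_remote_exec_host", is_remote_mshta),
    ("winrm_ruby_user_agent", is_ruby_winrm_client),
]


def triage(events: list) -> list:
    """Return (rule_name, seq) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["seq"]))
    return hits


if __name__ == "__main__":
    for name, seq in triage(SAMPLE_EVENTS):
        print(f"[{name}] event {seq}")
```

Each rule is deliberately narrow: the LOAD rule keys on the value path rather than the writing process, since both the VBA macro chain and the Node.js downloader used the same value, and the mshta rule only fires under wmiprvse.exe or wsmprovhost.exe, so interactive HTA use is left to other logic. Event 7's baseline User-Agent is an assumption and should be replaced with whatever your own WinRM clients actually send.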
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Telecommunication Services
- Capital Goods
- Government & Administration
- Energy
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Tradecraft
47 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
Analysis of the attacked infrastructures showed that in most cases the attackers gained initial access by exploiting an Exchange vulnerability, namely ProxyShell, which allows the server to be fully compromised.
The vulnerability, tracked as CVE-2025-8088, affects all Windows versions of WinRAR up to 7.12 ... a path traversal bug that leverages Windows' alternate data streams (ADS) feature to circumvent normal file extraction safeguards.
...exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...delivering RAR files that also took advantage of CVE-2025-6218, a different WinRAR flaw patched in June 2025.
Observables
42 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Hacktivist group whose traces were found in the same victim networks as 4BID, suggesting possible operational overlap or ties with other named groups.
The group with which researchers associate the Warp RAT samples found in attacked infrastructures. A detailed report on this activity has been promised separately.
Conducting credential and document theft operations using the PaperGrabber stealer, Telegram session theft, browser credential extraction, removable-media collection, a Node.js/WSF persistence-and-shellcode downloader chain, and custom Mythic implant loaders.
Previously targeted Russian systems and was known for stealing sensitive files from flash drives connected to infected computers; identified as linked to HeartlessSoul.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.