
Paper Werewolf sharpens Russian cyber campaign

Paper Werewolf has expanded its campaign against Russian industrial, financial and transport organisations, using phishing emails, fake Adobe software updates and the EchoGather remote access trojan to deepen access inside targeted networks.

The Russian-language threat cluster, also tracked as GOFFEE, was active in the March-April 2026 window with a toolset that shows a clear shift from conventional phishing toward layered intrusion chains. The latest campaign begins with emails carrying PDF attachments that appear to contain official requests or routine business documents. Inside the PDF is a link to a ZIP archive named to resemble an Adobe Reader update. Once opened, the archive delivers an Inno Setup installer posing as an Adobe Acrobat plug-in while quietly launching EchoGather in the background.

EchoGather gives the attackers the ability to collect system details, including local IP address, computer name, username, process ID and the path of the running file. It can also upload and download files from command-and-control infrastructure and execute commands through the Windows command interpreter. The malware has been seen using HTTPS communication and anti-virtualisation checks, pointing to an effort to avoid automated analysis environments used by defenders.


The campaign is significant because Paper Werewolf’s operations are no longer limited to basic credential theft or opportunistic phishing. Its latest toolkit includes PaperGrabber, a custom stealer designed to harvest files from local, network and removable drives, extract Telegram session data and obtain credentials stored in web browsers. The malware’s configuration shows interest in documents, spreadsheets, presentations, images, VPN profiles, SSH keys, remote desktop files and cryptographic private keys, indicating a focus on long-term access and intelligence value rather than quick disruption.

PaperGrabber also uses file-size limits, extension filters and MD5-based deduplication to reduce noise during exfiltration. That design allows attackers to collect high-value material more efficiently while limiting the volume of repeated or irrelevant files leaving the network. Telegram bot-based logging has also been observed, giving operators a way to track stealing activity as it unfolds.

The group’s targets fit a pattern established over the past four years. Since 2022, Paper Werewolf has been linked to campaigns against government, energy, finance, media, telecommunications, construction, defence-linked technology and industrial organisations in Russia. Its activity has often used emails impersonating trusted bodies, regulators, research institutes or business partners. Attachments have included malicious Microsoft Word files, RAR archives, PDF lures and executables disguised as office documents.

Its technical development has accelerated. Earlier campaigns used PowerShell-based implants and modified legitimate Windows components. Later operations incorporated malicious archives exploiting WinRAR vulnerabilities, including CVE-2025-6218 and CVE-2025-8088, to place payloads outside intended extraction directories and gain persistence. The move to fake Adobe installers and modular downloaders shows that the group continues to vary delivery methods to avoid security controls.

A notable feature of the 2026 activity is the use of multiple loader types written in C++, C#, Python and JavaScript. One chain uses a legitimate Node.js interpreter renamed to look like a Yandex executable, helping malicious JavaScript blend into normal-looking software activity. Another uses MSBuild to load .NET assemblies directly into memory, reducing reliance on files that can be scanned after download.
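Both loader behaviours described above leave traces in process-creation telemetry: a renamed interpreter keeps its original name in the PE version resource, and MSBuild run against a project file in a user-writable directory is unusual outside a build environment. The following is an added detection sketch, not code from the article or from any vendor report; it assumes Sysmon-style events with Image, OriginalFileName, CommandLine and ParentImage fields, and the sample events are constructed.

```python
import ntpath
import re

# Interpreters the article says the loaders were written for. OriginalFileName
# comes from the PE version resource and survives a rename of the file on disk.
INTERPRETERS = {"node.exe", "python.exe", "pythonw.exe"}
# Directories a standard user can write to (assumed list, extend per environment).
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public)\\", re.IGNORECASE)

def check_event(ev):
    """Return a list of finding strings for one process-creation event."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")
    findings = []
    # Rule 1: a known interpreter whose on-disk name no longer matches its
    # version-resource name (e.g. node.exe renamed to look like a Yandex binary).
    if original in INTERPRETERS and image != original:
        findings.append(f"renamed interpreter: {original} running as {image}")
    # Rule 2: MSBuild pointed at a project file under a user-writable path,
    # the pattern used to compile and load .NET assemblies in memory.
    if image == "msbuild.exe" and USER_WRITABLE.search(cmdline):
        findings.append("msbuild invoked on project file in user-writable location")
    return findings

def scan(events):
    """Map ProcessId -> findings for every event that triggers at least one rule."""
    return {ev["ProcessId"]: f for ev in events if (f := check_event(ev))}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "Image": r"C:\Users\u\AppData\Local\Yandex\yandex.exe",
     "OriginalFileName": "node.exe", "CommandLine": r"yandex.exe app.js",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"ProcessId": 4020, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\task.csproj",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4031, "Image": r"C:\Program Files\nodejs\node.exe",
     "OriginalFileName": "node.exe", "CommandLine": "node.exe server.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The third sample event is a legitimately installed Node.js process and produces no finding, which is the false-positive case the OriginalFileName comparison is meant to handle.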

Paper Werewolf has also developed implants for the Mythic post-exploitation framework. These implants support command execution, file transfer, directory listing, process enumeration, registry operations, screenshot capture, shellcode injection, SOCKS proxying and network resource access. Such functions make the toolkit suitable for reconnaissance, lateral movement and sustained monitoring of compromised environments.

Security specialists have noted signs that some loader code may have been produced with assistance from generative AI tools. That does not necessarily make the attacks more advanced by itself, but it can speed up development, help generate variants and complicate detection when defenders rely on known code patterns.

Attribution remains cautious. Paper Werewolf is widely described as a Russian-language cluster focused mainly on Russian targets, and several analyses have suggested possible pro-Ukrainian alignment or overlap with other regional threat activity. No public evidence has conclusively tied the group to a state agency. Its targeting, however, aligns with intelligence collection priorities around industrial capacity, defence supply chains, finance, transport and communications.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
