The Russian-language threat cluster, also tracked as GOFFEE, was active in the March-April 2026 window with a toolset that shows a clear shift from conventional phishing toward layered intrusion chains. The latest campaign begins with emails carrying PDF attachments that appear to contain official requests or routine business documents. Inside the PDF is a link to a ZIP archive named to resemble an Adobe Reader update. Once opened, the archive delivers an Inno Setup installer posing as an Adobe Acrobat plug-in while quietly launching EchoGather in the background.
EchoGather gives the attackers the ability to collect system details, including local IP address, computer name, username, process ID and the path of the running file. It can also upload and download files from command-and-control infrastructure and execute commands through the Windows command interpreter. The malware has been seen using HTTPS communication and anti-virtualisation checks, pointing to an effort to avoid automated analysis environments used by defenders.
The campaign is significant because Paper Werewolf’s operations are no longer limited to basic credential theft or opportunistic phishing. Its latest toolkit includes PaperGrabber, a custom stealer designed to harvest files from local, network and removable drives, extract Telegram session data and obtain credentials stored in web browsers. The malware’s configuration shows interest in documents, spreadsheets, presentations, images, VPN profiles, SSH keys, remote desktop files and cryptographic private keys, indicating a focus on long-term access and intelligence value rather than quick disruption.
PaperGrabber also uses file-size limits, extension filters and MD5-based deduplication to reduce noise during exfiltration. That design allows attackers to collect high-value material more efficiently while limiting the volume of repeated or irrelevant files leaving the network. Telegram bot-based logging has also been observed, giving operators a way to track the stealer's activity as it unfolds.
The group’s targets fit a pattern established over the past four years. Since 2022, Paper Werewolf has been linked to campaigns against government, energy, finance, media, telecommunications, construction, defence-linked technology and industrial organisations in Russia. Its activity has often used emails impersonating trusted bodies, regulators, research institutes or business partners. Attachments have included malicious Microsoft Word files, RAR archives, PDF lures and executables disguised as office documents.
Its technical development has accelerated. Earlier campaigns used PowerShell-based implants and modified legitimate Windows components. Later operations incorporated malicious archives exploiting WinRAR vulnerabilities, including CVE-2025-6218 and CVE-2025-8088, to place payloads outside intended extraction directories and gain persistence. The move to fake Adobe installers and modular downloaders shows that the group continues to vary delivery methods to avoid security controls.
A notable feature of the 2026 activity is the use of multiple loader types written in C++, C#, Python and JavaScript. One chain uses a legitimate Node.js interpreter renamed to look like a Yandex executable, helping malicious JavaScript blend into normal-looking software activity. Another uses MSBuild to load .NET assemblies directly into memory, reducing reliance on files that can be scanned after download.
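As an added defensive example, not from the article or from any vendor analysis of Paper Werewolf: a small Python triage over constructed Sysmon process-creation (Event ID 1) records that flags the two patterns described above, an interpreter whose PE OriginalFileName says node.exe but whose on-disk name differs, and MSBuild.exe launched against a project file in a user-writable directory. All file names and paths below are constructed placeholders, not indicators from the campaign.

```python
"""Triage constructed Sysmon Event ID 1 records for renamed interpreters and
MSBuild runs from user-writable paths. Added example; the records and the
lure-like file names are constructed placeholders, not campaign indicators."""
import ntpath
import re

# Interpreters whose on-disk name should normally match the PE's OriginalFileName.
INTERPRETERS = {"node.exe", "python.exe", "pythonw.exe",
                "powershell.exe", "wscript.exe", "cscript.exe"}

# User-writable locations where a legitimate build is rarely run from.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\", re.I)

# Constructed Sysmon EID 1 records, using Sysmon's own field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\YandexUpdater\yandex_update.exe",
     "OriginalFileName": "node.exe",   # renamed Node.js interpreter
     "CommandLine": r'"yandex_update.exe" C:\Users\u\AppData\Local\YandexUpdater\app.js',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "OriginalFileName": "node.exe",   # benign: names agree
     "CommandLine": r'"node.exe" server.js',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def renamed_interpreter(ev):
    """True when the PE identifies itself as an interpreter but the on-disk name differs."""
    orig = ev.get("OriginalFileName", "").lower()
    disk = ntpath.basename(ev.get("Image", "")).lower()
    return orig in INTERPRETERS and orig != disk

def msbuild_from_user_path(ev):
    """True when MSBuild.exe is given a project file under a user-writable directory."""
    if ev.get("OriginalFileName", "").lower() != "msbuild.exe":
        return False
    return bool(USER_WRITABLE.search(ev.get("CommandLine", "")))

def triage(events):
    """Return (reason, image) pairs for every record matching a pattern."""
    hits = []
    for ev in events:
        if renamed_interpreter(ev):
            hits.append(("renamed-interpreter", ev["Image"]))
        if msbuild_from_user_path(ev):
            hits.append(("msbuild-user-path", ev["Image"]))
    return hits

if __name__ == "__main__":
    for reason, image in triage(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

The OriginalFileName comparison catches a renamed binary regardless of the lure name chosen; legitimate builds that run from Temp will need an allow-list in a real deployment.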
Paper Werewolf has also developed implants for the Mythic post-exploitation framework. These implants support command execution, file transfer, directory listing, process enumeration, registry operations, screenshot capture, shellcode injection, SOCKS proxying and network resource access. Such functions make the toolkit suitable for reconnaissance, lateral movement and sustained monitoring of compromised environments.
Security specialists have noted signs that some loader code may have been produced with assistance from generative AI tools. That does not necessarily make the attacks more advanced by itself, but it can speed up development, help generate variants and complicate detection when defenders rely on known code patterns.
Attribution remains cautious. Paper Werewolf is widely described as a Russian-language cluster focused mainly on Russian targets, and several analyses have suggested possible pro-Ukrainian alignment or overlap with other regional threat activity. No public evidence has conclusively tied the group to a state agency. Its targeting, however, aligns with intelligence collection priorities around industrial capacity, defence supply chains, finance, transport and communications.