
Researchers at Positive Technologies reported the discovery of a previously unknown toolkit used by the Goffee hacker group (aka Paper Werewolf). It was employed in the later stages of attacks and allowed the attackers to remain undetected within victims’ infrastructure for a long time.
Throughout 2024, specialists investigated several incidents that shared similar characteristics. As a result of the analysis, the malicious activity was consolidated into a single cluster and attributed to Goffee, which has been targeting Russian organizations using phishing since 2022.
The report emphasizes that the group’s activities have already had tangible consequences: there have been recorded instances of business processes being halted at unnamed victim companies. It is also noted that there is very little information about Goffee in open sources, as the hackers strive to remain unnoticed, and geographically their attacks are primarily aimed at Russia.
Researchers report that during the later stages of the attacks, several new tools were used for remote control and for concealing the attackers' presence: the sauropsida rootkit, the DQuic and BindSycler traffic tunneling tools, and the MiRat backdoor.
At the same time, the group also employed older tools such as owowa, a malicious module used to harvest user credentials, and PowerTaskel — a non-public agent for the Mythic framework.
To hinder analysis, they use the Ebowla packer, the garbler obfuscator for Golang, as well as a proprietary algorithm for encrypting traffic and malicious files. Goffee also actively uses tools for traffic tunneling and carefully hides its command-and-control servers.
Additionally, the researchers report that Goffee prefers the domain registrars Namecheap and NameSilo, as well as Russian IP addresses and hosting providers (MivoCloud, Aeza, XHost).
This tactic helps minimize the risk of detection: traffic to Russian infrastructure looks like the activity of an internal employee and bypasses geolocation-based traffic filtering. As a result, at an intermediate stage of the attack, the attackers deliver malware and set up covert connections while remaining unnoticed.