Positive Technologies analyzed the Goffee APT group’s toolkit

Researchers at Positive Technologies reported the discovery of a previously unknown toolkit used by the Goffee hacker group (aka Paper Werewolf). It was employed in the later stages of attacks and allowed the attackers to remain undetected within victims’ infrastructure for a long time.

Throughout 2024, specialists investigated several incidents that shared similar characteristics. As a result of the analysis, the malicious activity was consolidated into a single cluster and attributed to Goffee, which has been targeting Russian organizations using phishing since 2022.

The report emphasizes that the group’s activities have already had tangible consequences: there have been recorded instances of business processes being halted at unnamed victim companies. It is also noted that there is very little information about Goffee in open sources, as the hackers strive to remain unnoticed, and geographically their attacks are primarily aimed at Russia.

Researchers report that during the later stages of the attacks, several new tools were used for remote control and to conceal their presence: the sauropsida rootkit, the DQuic and BindSycler traffic tunneling tools, and the MiRat backdoor.

At the same time, the group also employed older tools such as owowa, a malicious module used to harvest user credentials, and PowerTaskel — a non-public agent for the Mythic framework.

To hinder analysis, they use the Ebowla packer, the garble obfuscator for Golang, as well as a proprietary algorithm for encrypting traffic and malicious files. Goffee also actively uses tools for traffic tunneling and carefully hides its command-and-control servers.

Additionally, the researchers report that Goffee mainly prefers to use the domain registrars Namecheap and NameSilo, as well as Russian IP addresses and hosting providers (MivoCloud, Aeza, XHost).

Using Russian IP addresses and hosting helps minimize the risk of detection: the activity looks like that of an internal employee, and geolocation-based traffic filtering is bypassed. As a result, at an intermediate stage of the attack, the attackers deliver malware and set up covert connections while remaining unnoticed.