
Paper Werewolf APT Distributes EchoGather RAT Through Fake Adobe Installer


A sophisticated Russian-language threat cluster known as Paper Werewolf, also tracked as GOFFEE, has launched a series of targeted cyberattacks against Russian industrial, financial, and transport organizations between March and April 2026. This new wave of intrusions shows how far the group's tooling and tradecraft have evolved.

The attack vector employed by these malicious actors commences with a phishing email that includes a PDF attachment designed to entice victims. Within this PDF lies a URL leading to a ZIP archive titled either Adobe_Reader_RU.zip or simply Adobe_Reader.zip, both hosted on infrastructure controlled by the attackers at hxxps://ntpluck[.]online. The deception continues as the victim is prompted to click an “Install Update” button within the document, resulting in the automatic download of the ZIP file.

Within the downloaded ZIP file resides an executable named Adobe_Acrobat_Reader_Plugin_ru.exe, meticulously crafted with Inno Setup to closely resemble a legitimate Adobe Acrobat plug-in installation process. However, behind this plausible facade, the malicious installer silently extracts and activates the EchoGather remote access trojan (RAT). In an effort to evade detection, it also includes a harmless document labeled Requirement.pdf as a decoy.

Once activated, EchoGather begins by collecting basic system information such as the local IP address, computer name, username, process ID, and file paths. It exfiltrates this data to its command-and-control (C2) server at ntpsum[.]online over HTTPS on port 443 using POST requests. EchoGather also supports file upload and download and lets the operators run arbitrary commands through cmd.exe, giving them broad control over compromised systems.
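The delivery and beaconing chain described above can be turned into a simple proxy-log triage check. This is an added example, not code from the report or from BI.ZONE; it uses the report's indicators (refanged for matching) and a constructed log format and sample lines of its own, and it assumes the C2 host name alone is a sufficient match for a beacon.

```python
import re
from collections import defaultdict

# Indicators from the report (defanged there as hxxps:// and [.]), refanged for matching.
DELIVERY_HOST = "ntpluck.online"
C2_HOST = "ntpsum.online"
LURE_ARCHIVES = {"Adobe_Reader_RU.zip", "Adobe_Reader.zip"}

# Constructed log format for this example (not a real product's format):
# <timestamp> <client_ip> <method> <host>:<port> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) ([^:\s]+):(\d+) (\S+)$")


def classify(line):
    """Return (client_ip, stage) when a line matches a campaign indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, host, port, path = m.groups()
    host = host.lower()
    if host == DELIVERY_HOST and method == "GET" and path.rsplit("/", 1)[-1] in LURE_ARCHIVES:
        return client, "lure-download"
    if host == C2_HOST and method == "POST" and port == "443":
        return client, "c2-beacon"
    return None


def triage(lines):
    """Group hits by client; a client seen at both stages is the strongest signal."""
    stages = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            stages[hit[0]].add(hit[1])
    return {client: sorted(seen) for client, seen in stages.items()}


# Constructed sample log lines: one full chain, one benign ZIP, one beacon-only client.
SAMPLE_LOG = [
    "2026-03-12T09:14:02Z 10.1.4.23 GET ntpluck.online:443 /dl/Adobe_Reader_RU.zip",
    "2026-03-12T09:15:40Z 10.1.4.23 POST ntpsum.online:443 /",
    "2026-03-12T09:16:01Z 10.1.4.50 GET updates.example.com:443 /Adobe_Reader.zip",
    "2026-03-12T09:17:13Z 10.1.4.77 POST ntpsum.online:443 /api",
]

if __name__ == "__main__":
    for client, seen in triage(SAMPLE_LOG).items():
        print(client, seen)
```

Clients that show both stages should be isolated first; a lure download without a later beacon may mean the installer was never run.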

Security researchers at BI.ZONE have noted that this attack represents a multi-stage campaign that features the convincing fake Adobe Reader installer tailored specifically to deploy the EchoGather RAT discreetly. Furthermore, they report the addition of a newly identified custom credential stealer, referred to as PaperGrabber, alongside advanced post-exploitation tools built for the Mythic framework.

In a notable evolution of tactics, Paper Werewolf has removed explicit proxy configurations from EchoGather and introduced a computed “magic” parameter instead. The value is derived with the djb2 hashing algorithm, and only after the malware has passed its anti-virtualization checks, which delays any C2 contact until those checks succeed and makes the communication harder to observe in analysis environments.
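For analysts who capture such a beacon, reproducing djb2 makes it possible to test which host attribute the “magic” value encodes. This is an added example, not the malware's code or BI.ZONE's; the report does not say what string is hashed or the hash width, so the 32-bit width and the candidate inputs below are assumptions.

```python
def djb2(data, bits=32):
    """Bernstein's djb2: h = h * 33 + byte, starting from 5381, truncated to `bits` bits.
    The 32-bit width is an assumption; the report does not state it."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    mask = (1 << bits) - 1
    h = 5381
    for b in data:
        h = ((h << 5) + h + b) & mask
    return h


def match_magic(observed, candidates, bits=32):
    """Return every candidate string whose djb2 hash equals an observed 'magic' value."""
    return [c for c in candidates if djb2(c, bits) == observed]


# Constructed candidate inputs an analyst might test against a captured value.
CANDIDATES = ["WORKSTATION-01", "workstation-01", "jdoe", "10.1.4.23", "4120"]

if __name__ == "__main__":
    # Pretend the beacon carried the hash of the computer name.
    observed = djb2("WORKSTATION-01")
    print(hex(observed), match_magic(observed, CANDIDATES))
```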

In parallel to the RAT campaign, researchers have uncovered PaperGrabber, a previously undocumented credential and file stealer written in VB.NET and designed to operate stealthily. It targets a wide range of sensitive file types, including PDFs, Office documents, SSH keys, VPN configurations, and cryptographic certificates, on local drives, network shares, and removable media. It also collects Telegram session data by copying the tdata directory and extracts saved credentials from Chromium-based browsers (Chrome, Edge, Opera, Yandex Browser, and Chromium) using Windows DPAPI decryption. The stolen data is sent to the C2 server over HTTPS in 10 MB segments, while the stealer's activity logs are reported to an attacker-controlled Telegram bot.

The operational tactics of Paper Werewolf further extend into the deployment of JavaScript shellcode downloaders, disguised within a Node.js environment and camouflaged as fake applications. The malware establishes persistence through Windows registry modifications and continuously downloads shellcode payloads in an infinite retry loop. Moreover, a C++ downloader masquerading as a flight school training application form was detected in April 2026, showcasing the group’s adaptability.

Central to Paper Werewolf's operational capability is its continued development of custom Mythic post-exploitation implants. The latest shellcode-based implant uses an RSA-4096 key exchange followed by AES session encryption and supports more than 30 commands, including process injection, keylogging, SOCKS proxy tunneling, registry manipulation, screenshot capture, and Beacon Object File (BOF) execution. This level of sophistication marks Paper Werewolf as one of the most capable and operationally mature actors currently active in the Russian-language threat landscape.

In summary, Paper Werewolf's evolving tactics and tooling make it a significant threat that uses sophisticated techniques to infiltrate critical infrastructure. With an array of potent malware at its disposal, including the EchoGather RAT and the PaperGrabber stealer, the group poses a substantial challenge for defenders and underscores the need for robust detection and mitigation against adversaries of this caliber. Awareness and vigilance remain essential to protecting valuable assets against these emerging threats.
