
Paper Werewolf APT Group Deploys PowerModul Implant in Targeted Russian Cyberattacks

Advanced threat actor Paper Werewolf (also known as GOFFEE) has been conducting sophisticated cyberattacks against Russian entities using a new PowerShell-based implant called PowerModul. The campaign targeted organizations in mass media, telecommunications, construction, government entities, and energy sectors between July and December 2024. According to a new Kaspersky report released April 11, 2025, these attacks employed various initial infection vectors including macro-laced Office documents and executable files masquerading as PDFs or Word documents. The implant is designed to communicate with command-and-control servers to receive and execute additional payloads, with further capabilities for lateral movement and data exfiltration. This analysis examines the attack chain, technical indicators, the PowerModul implant functionality, and provides mitigation recommendations.

Threat Summary

  • Threat Actor: Paper Werewolf (aka GOFFEE)
  • Target Geography: Russian Federation
  • Target Sectors: Mass media, telecommunications, construction, government, energy
  • Initial Access: Phishing emails with malicious Office macros or disguised executables
  • Primary Malware: PowerModul (PowerShell-based implant)
  • Secondary Payloads: PowerRAT, PowerTaskel, QwakMyAgent, Mythic agent, FlashFileGrabber
  • Campaign Period: July – December 2024
  • Threat Severity: High
  • Data Impact: Espionage, credential theft, information exfiltration

Technical Analysis of the Paper Werewolf Campaign

On April 11, 2025, Kaspersky published a new report detailing the activities of the threat actor known as Paper Werewolf (also called GOFFEE). According to the research, this advanced persistent threat (APT) group has conducted at least seven campaigns since 2022, with the most recent activity occurring between July and December 2024. The latest campaign employed a previously undocumented PowerShell-based implant called PowerModul to target organizations in critical Russian sectors.

Paper Werewolf’s operations are notable for combining espionage capabilities with disruptive elements, such as changing employee account passwords. Their attacks demonstrate sophisticated social engineering, custom malware development, and the use of legitimate tools for malicious purposes—characteristics typical of well-resourced threat actors.

The technical sophistication of this threat is comparable to other PowerShell-based campaigns like those analyzed in our ClickFix Malicious PowerShell Commands article, though with a much higher degree of customization and targeting. What differentiates this campaign is the exclusive focus on Russian entities and the use of multiple custom tools in a sophisticated attack chain.

Based on technical analysis of Paper Werewolf’s tactics, their attack can be broken down into two distinct operational stages:

Stage 1: Initial Infection and Payload Deployment

The first stage begins with a phishing email containing a malicious RAR archive. Once the archive is extracted and its contents are opened, the following sequence occurs:

  1. The RAR file contains Word documents with embedded VBA macros
  2. Upon opening and enabling macros, the infection process activates
  3. The malicious macro drops two primary components:
    • An HTA (HTML Application) file into the UserCache.bin/hta location
    • PowerModul script payload into UserCache.bin
  4. The HTA component is placed under the %APPDATA% path (typically C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows)
  5. An additional registry entry is created to establish persistence

The use of HTA files is particularly effective as a bypass technique since the JavaScript or VBScript embedded in an HTML Application runs with the full privileges of the current user while the file looks like an ordinary HTML application. This approach helps evade traditional antivirus detection that focuses on more common file types.

Stage 2: Multi-Stage Execution Chain and Secondary Payloads

The second stage involves a sophisticated multi-step execution chain designed to deploy additional malware components while evading detection:

  1. The previously dropped HTA file from UserCache.bin/hta executes
  2. This HTA executes a CMD/BAT file with specific command-line arguments
  3. The batch file drops and executes a JS (JavaScript) file stored in UserCache/helper.bin.js
  4. When the JavaScript executes, it launches PowerShell with obfuscated command-line arguments
  5. PowerShell executes the PowerModul implant which establishes communication with its command and control server
  6. After C2 communication is established, several secondary payloads are deployed:
    • PowerTaskel: Advanced PowerShell-based backdoor connecting to its own C2 infrastructure
    • FlashFileGrabber: Module specifically designed to target removable media for data theft
    • USB Worm: Component designed to infect connected USB drives to spread laterally across air-gapped networks

This complex execution chain makes detection challenging as it transitions through multiple interpreters and scripting engines: HTA → batch files → JavaScript → PowerShell → final PowerModul implant. Each transition provides an opportunity to obfuscate the attack, and each component can be updated independently to avoid detection as security vendors adapt their signatures.

The modular nature of the attack framework allows Paper Werewolf to deploy different secondary payloads depending on their specific objectives within the targeted environment, making this a highly adaptable and persistent threat.

Attack Vectors and Infection Chain

Kaspersky’s analysis reveals two primary infection vectors used by Paper Werewolf in their latest campaign:

  1. Malicious RAR Archives with Double-Extension Executables:
    • Phishing emails contain RAR archives with executable files masquerading as PDFs or Word documents using double extensions (e.g., filename.pdf.exe)
    • When executed, the malware shows a legitimate document as decoy while proceeding with the infection in the background
    • The executable is actually a patched Windows system file (explorer.exe or xpsrchvw.exe) containing malicious shellcode
    • This shellcode carries an obfuscated Mythic agent that immediately connects to the C2 server
  2. Office Documents with Malicious Macros:
    • Phishing emails contain RAR archives with Microsoft Office documents embedded with malicious VBA macros
    • When the document is opened and macros are enabled, it acts as a dropper for PowerModul
    • The VBA macro extracts and executes the PowerShell-based PowerModul implant
    • PowerModul establishes persistence and begins communicating with the C2 server

These techniques are reminiscent of those seen in attacks using BeaverTail JavaScript malware, where initial infection relies on social engineering, deceptive file naming, and script-based downloaders. The use of legitimate-looking documents as decoys is a common tactic in targeted attacks, making them particularly dangerous for enterprises.

PowerModul Implant Analysis

PowerModul is a sophisticated PowerShell-based implant that serves as the primary tool in Paper Werewolf’s arsenal. First observed in early 2024, this malware has been continuously developed and improved with additional capabilities:

Capability | Implementation | Purpose
Command & Control Communication | Encrypted HTTPS requests to C2 servers | Receive and execute additional PowerShell scripts from the attacker’s infrastructure
Payload Delivery | PowerShell script execution capability | Deploy secondary payloads including PowerTaskel, FlashFileGrabber, and USB infection modules
Persistence | Registry modifications and scheduled tasks | Maintain access to compromised systems after reboot
Removable Media Targeting | Monitoring for USB device insertion | Exfiltrate data from removable media and spread infection to other systems
Lateral Movement | PsExec utility, network shares access | Spread through the network to other systems, using PowerTaskel and binary Mythic agents
Data Exfiltration | File transfer protocols over HTTPS | Steal sensitive information from compromised networks
Authentication Disruption | Account manipulation | Change employee passwords to cause disruption and affect business operations
Defense Evasion | PowerShell obfuscation techniques | Avoid detection by security solutions and analysis

The design of PowerModul shows similarities to other Remote Access Trojans (RATs) such as those documented in our Triton RAT Malware and Lilith RAT Removal articles. However, PowerModul is more focused on providing an initial foothold and deploying additional specialized tools rather than containing all functionality in a single component. This modular approach makes detection and analysis more challenging for security teams.

Secondary Payloads and Associated Tools

After establishing initial access through PowerModul, Paper Werewolf deploys several specialized tools to expand control over the compromised network and exfiltrate sensitive data:

  • PowerTaskel: A more advanced PowerShell implant that can execute PowerShell scripts received from the C2 server, gather system information, and execute additional commands. It uses PsExec for privilege escalation and lateral movement.
  • FlashFileGrabber: Specialized module designed to steal files from removable media such as USB drives, automatically exfiltrating data to the C2 server when such devices are connected.
  • FlashFileGrabberOffline: A variant of FlashFileGrabber that operates without constant C2 connectivity by storing stolen files locally in a temporary folder (“%TEMP%\CacheStore\connect\”) for later exfiltration.
  • USB Worm: Malware component that replicates PowerModul to removable drives to facilitate infection spreading across air-gapped networks or to other systems when the drives are used elsewhere.
  • FolderFileGrabber: An advanced data theft tool that can target not only local and removable drives but also remote network shares using the SMB protocol with hardcoded credentials.
  • Binary Mythic Agent: An implementation of the open-source Mythic command and control framework, which provides more robust capabilities than PowerShell-based implants and is increasingly being used for lateral movement.

The use of the Mythic framework is particularly notable as it aligns with trends observed in other APT campaigns, including those with backdoor functionalities. Mythic provides attackers with a powerful, extensible command and control infrastructure that can be customized for specific operational needs.

Indicators of Compromise (IoCs)

Organizations should monitor for the following indicators of compromise that may suggest a Paper Werewolf attack:

Indicator Type | Value | Description
File Pattern | Double-extension executables (*.pdf.exe, *.doc.exe) | Initial infection vector disguising executables as documents
System Files | Modified explorer.exe or xpsrchvw.exe | Windows system files patched with malicious shellcode
Folder Path | %TEMP%\CacheStore\connect\ | FlashFileGrabberOffline data storage location
Process Behavior | PsExec usage for lateral movement | Technique used by PowerTaskel for privilege escalation
Script Execution | Obfuscated PowerShell scripts | PowerModul and related components typically use obfuscation
Network Activity | Encrypted HTTPS communications to new domains | Command and control traffic to attacker infrastructure
USB Activity | Unexpected file access when USB devices are connected | FlashFileGrabber accessing files on removable media
Account Changes | Unexplained password changes or account lockouts | Result of Paper Werewolf’s disruptive activities

Organizations should implement comprehensive monitoring for these indicators, similar to the approach detailed in our Malware Removal Comprehensive Guide. Early detection is critical for preventing the full compromise of network infrastructure.
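As an added illustration, not code from the Kaspersky report or from Gridinsoft, the following Python script applies three of the indicators above (double-extension executables, the FlashFileGrabberOffline cache path, and the Stage 2 HTA → batch → JavaScript → PowerShell chain ending in an encoded PowerShell command) to process-creation telemetry. The event shape (Sysmon Event ID 1 style), the PIDs, paths and command lines in the sample are all constructed assumptions.

```python
import re
from collections import namedtuple
# One process-creation record (Sysmon Event ID 1 style): pid, parent pid, image path, command line.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# The interpreter chain described above, matched in order over the "|"-joined process ancestry.
CHAIN_RE = re.compile(r"\|mshta\.exe\|(.*\|)?cmd\.exe\|(.*\|)?[wc]script\.exe\|(.*\|)?powershell\.exe$")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.exe$", re.I)            # filename.pdf.exe style lures
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)  # powershell -EncodedCommand
CACHE_DIR = re.compile(r"\\cachestore\\connect\b", re.I)                # FlashFileGrabberOffline staging

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):   # image basenames from the root ancestor down to the given process
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID-reuse loops
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]

def matches_chain(names):    # True if the HTA -> cmd -> JS host -> PowerShell hops occur in order
    return bool(CHAIN_RE.search("|" + "|".join(names)))

def detect(events):          # returns (pid, reason) pairs for events matching the indicators
    findings = []
    for e in events:
        name = basename(e.image)
        if DOUBLE_EXT.search(name):
            findings.append((e.pid, "double-extension executable"))
        if CACHE_DIR.search(e.cmdline):
            findings.append((e.pid, "FlashFileGrabberOffline cache path"))
        if name == "powershell.exe" and matches_chain(ancestry(events, e.pid)):
            tag = "hta>cmd>js>powershell chain"
            if ENCODED.search(e.cmdline):
                tag += " with encoded command"
            findings.append((e.pid, tag))
    return findings

# Constructed sample telemetry (not real logs): PIDs, paths and arguments are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(101, 1, r"C:\Windows\System32\mshta.exe", r"mshta.exe %APPDATA%\Microsoft\Windows\UserCache.bin"),
    ProcEvent(102, 101, r"C:\Windows\System32\cmd.exe", "cmd.exe /c run.bat"),
    ProcEvent(103, 102, r"C:\Windows\System32\wscript.exe", r"wscript.exe UserCache\helper.bin.js"),
    ProcEvent(104, 103, PS, "powershell.exe -nop -w hidden -enc <base64 placeholder>"),
    ProcEvent(200, 1, r"C:\Users\u\Downloads\report.pdf.exe", "report.pdf.exe"),
    ProcEvent(300, 1, PS, "powershell.exe -File backup.ps1"),    # benign: no HTA ancestry
    ProcEvent(400, 104, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir %TEMP%\CacheStore\connect"),
]
```

Running detect(SAMPLE) flags PIDs 104, 200 and 400 and leaves the directly launched PowerShell (PID 300) alone, because the chain check depends on ancestry rather than on PowerShell use by itself.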

Mitigation and Protection Recommendations

To protect against Paper Werewolf and similar advanced threat actors, organizations should implement the following security measures:

  1. Disable Macros by Default: Configure Microsoft Office to disable macros by default, especially those from external sources, to prevent initial infection through macro-enabled documents.
  2. Implement Application Control: Use application whitelisting to prevent execution of unauthorized programs, including modified system files with embedded malicious code.
  3. Deploy Advanced Email Security: Implement solutions that can detect and block phishing attempts containing malicious attachments or links to prevent the initial infection vector.
  4. Monitor PowerShell Activity: Enable comprehensive PowerShell logging and monitor for suspicious script execution, particularly obfuscated scripts that may indicate PowerModul or PowerTaskel activity.
  5. Restrict Removable Media: Implement controls for USB and removable media usage to prevent infection via USB worm components and data exfiltration through FlashFileGrabber.
  6. Network Segmentation: Implement proper network segmentation to limit lateral movement capabilities if a system becomes compromised.
  7. Regular Credential Rotation: Implement regular password changes and strong multi-factor authentication to mitigate the impact of credential theft and account manipulation.
  8. Enable Extended Detection and Response (XDR): Deploy solutions that can correlate suspicious activities across endpoints, network, and cloud to detect sophisticated attack patterns.
  9. Regular Security Awareness Training: Educate employees about the risks of opening attachments or enabling macros in documents from unknown sources.
  10. Implement a Robust Incident Response Plan: Develop and regularly test incident response procedures specific to targeted attacks to ensure rapid containment if an infection occurs.

For more comprehensive protection against advanced threats, consider reviewing our Spyware Removal Guide which provides additional defensive strategies applicable to sophisticated tools like PowerModul.

According to Kaspersky’s report, another threat actor called Sapphire Werewolf was also observed conducting campaigns against Russian targets. This group’s activities involved distributing an updated version of the open-source Amethyst Stealer that targets credentials from various applications including:

This activity shares similarities with information-stealing campaigns analyzed in our GiftedCrook Stealer Technical Analysis, with both focusing on credential theft and data exfiltration, though employing different tools and techniques.

Another notable parallel can be drawn to the BeaverTail JavaScript malware attributed to North Korean threat actors, which Kaspersky mentioned in the same report. While using different technical approaches, both Paper Werewolf and the North Korean campaigns show increasing sophistication in targeting specific geographies with customized toolsets.

Conclusion

The Paper Werewolf campaign targeting Russian entities represents a sophisticated cyber espionage operation with significant technical capabilities. The development and deployment of custom tools like PowerModul demonstrates the threat actor’s advanced skills and resources. What makes this campaign particularly notable is the combination of espionage capabilities with disruptive elements, like password changes, showing a dual-purpose approach to their operations.

Organizations, particularly those in the targeted sectors and regions, should implement the recommended security measures to protect against these threats. The modular nature of the attack framework and its reliance on PowerShell make it challenging to detect and mitigate without proper security controls and monitoring in place.

As threat actors continue to evolve their tactics and tools, maintaining robust security practices, implementing defense-in-depth approaches, and staying informed about emerging threats will be crucial for organizations looking to defend against sophisticated attacks like those conducted by Paper Werewolf. The trend of APT groups developing custom, modular malware frameworks designed for specific targets highlights the need for adaptive security strategies that can respond to these evolving threats.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
