BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//AAPSD9
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-recon-2026-AAPSD9@cfp.recon.cx
DTSTART;TZID=EST:20260620T150000
DTEND;TZID=EST:20260620T153000
DESCRIPTION:Most threat intelligence treats Russia as a source of attacks. 
 This talk examines Russia as a target. Paper Werewolf (aka GOFFEE) is a cy
 berespionage group with a sustained focus on Russian defense-industry and 
 government organizations\, and despite the group's activity level\, it sti
 ll flies under the radar. This talk presents a full technical teardown of 
 a recent campaign\, from the initial delivery mechanism to the implant\, t
 he exploitation chain\, and the infrastructure that ties it to prior Paper
  Werewolf operations.\n\nThe loading mechanism is an XLL add-in\, a delive
 ry format that is not new but is rarely dissected in public research. We w
 alk through the loader's DLL export structure\, its time-delay sandbox eva
 sion logic\, and the unpacking chain leading to EchoGather\, a backdoor we
  uncovered. We reverse EchoGather's XOR-encrypted string handling\, C2 pro
 tocol\, and command handler architecture. A parallel delivery chain exploi
 ts CVE-2025-8088\, a WinRAR path traversal bug that abuses NTFS alternate 
 data streams to silently drop a persistence script into the Windows Startu
 p folder.\n\nBeyond the binaries\, the campaign has two details worth exam
 ining in their own right. The decoy documents impersonating the Russian Mi
 nistry of Industry and Trade contain clear AI-generated artifacts\, offeri
 ng a fingerprinting angle on how threat actors are incorporating generativ
 e AI into their operations. And to accelerate our own infrastructure analy
 sis\, we built a lightweight script on top of the Validin API using Claude
  Code\, turning a manual correlation process into a systematic one. We wil
 l share the script\, the methodology\, and previously undisclosed indicato
 rs discovered after our public blog post.
DTSTAMP:20260612T181001Z
LOCATION:Grand Salon Opera
SUMMARY:Paper Werewolf's Toolbox: Reversing XLL Delivery\, EchoGather\, and
  a WinRAR Exploit Chain Targeting Russia - Nicole Fishbein
URL:https://cfp.recon.cx/recon-2026/talk/AAPSD9/
END:VEVENT
END:VCALENDAR