Most threat intelligence treats Russia as a source of attacks. This talk examines Russia as a target. Paper Werewolf (aka GOFFEE) is a cyberespionage group with a sustained focus on Russian defense-industry and government organizations, and despite the group's activity level, it still flies under the radar. This talk presents a full technical teardown of a recent campaign, from the initial delivery mechanism to the implant, the exploitation chain, and the infrastructure that ties it to prior Paper Werewolf operations.
The loading mechanism is an XLL add-in, a delivery format that is not new but is rarely dissected in public research. We walk through the loader's DLL export structure, its time-delay sandbox evasion logic, and the unpacking chain leading to EchoGather, a backdoor we uncovered. We reverse EchoGather's XOR-encrypted string handling, C2 protocol, and command handler architecture. A parallel delivery chain exploits CVE-2025-8088, a WinRAR path traversal bug that abuses NTFS alternate data streams to silently drop a persistence script into the Windows Startup folder.
Beyond the binaries, the campaign has two details worth examining in their own right. The decoy documents impersonating the Russian Ministry of Industry and Trade contain clear AI-generated artifacts, offering a fingerprinting angle on how threat actors are incorporating generative AI into their operations. And to accelerate our own infrastructure analysis, we built a lightweight script on top of the Validin API using Claude Code, turning a manual correlation process into a systematic one. We will share the script, the methodology, and previously undisclosed indicators discovered after our public blog post.
There is a persistent blind spot in public threat intelligence: the overwhelming focus on Russia as the origin of attacks leaves little analysis of groups whose targets are inside Russia. Paper Werewolf, also tracked as GOFFEE, is a cyberespionage actor that has been quietly running operations against Russian defense-industry and government organizations for years. It occasionally surfaces in Russian-language security reporting but receives almost no attention in Western research, which means its tooling, techniques, and infrastructure evolution are largely undocumented in English. This talk is a detailed technical examination of a recent Paper Werewolf campaign and an attempt to close some of that gap.
The campaign begins with an XLL add-in submitted to VirusTotal from Ukraine and Russia in late October 2025, with filenames referencing enemy targeting data in Russian. XLL abuse is not a new concept; Excel add-ins have been weaponized for years, but public reversing walkthroughs of XLL-based campaigns in the wild are genuinely rare. This sample is a clean, mature example of the format being used by a capable actor. We start with how Excel loads and executes the DLL exports that make an XLL work, then move on to the specifics of this loader: the time-delay evasion technique designed to outlast sandbox execution windows and the unpacking chain that leads to the embedded payload.
That payload is EchoGather, a backdoor we uncovered and named. We reverse it in full: the XOR-based string decryption routine, the C2 communication protocol, and the command handler table. We cover what each handler does and discuss how the implant is designed for the operational requirements of a long-running espionage campaign rather than a smash-and-grab intrusion.
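The XOR-encrypted string handling mentioned in both the abstract and this section is the kind of obfuscation an analyst typically defeats by key recovery rather than by reading the routine line by line. The script below is an added example of that analyst-side technique; it is not EchoGather's routine and not code from the talk. It assumes a single-byte repeating key and NUL-terminated strings (both assumptions), and the sample blob it recovers is constructed inline.

```python
"""Recover strings from a single-byte-XOR-obfuscated blob (constructed sample).

Added example. EchoGather's real key size, layout and terminator are not
reproduced here; this shows the general recovery technique an analyst uses
before reading the decryption routine itself.
"""

# Only 0x20..0x7E count as printable: treating tab/newline as printable lets
# wrong keys score a perfect ratio on some inputs.
PRINTABLE = set(range(0x20, 0x7F))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encrypt == decrypt)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for an empty buffer."""
    if not buf:
        return 0.0
    return sum(b in PRINTABLE for b in buf) / len(buf)


def split_strings(buf: bytes, min_len: int = 4) -> list[str]:
    """Split a decrypted blob on NUL terminators, keeping fully printable chunks."""
    out = []
    for chunk in buf.split(b"\x00"):
        if len(chunk) >= min_len and printable_ratio(chunk) == 1.0:
            out.append(chunk.decode("ascii"))
    return out


def recover_single_byte_xor(blob: bytes) -> tuple[int, list[str]]:
    """Try every single-byte key; keep the one yielding the most printable text.

    NUL bytes in the candidate plaintext are treated as expected terminators,
    so they are counted as printable for scoring purposes.
    """
    best_key, best_score, best_strings = 0, -1.0, []
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        score = printable_ratio(plain.replace(b"\x00", b"A"))
        if score > best_score:
            best_key, best_score, best_strings = k, score, split_strings(plain)
    return best_key, best_strings


# Constructed sample: NUL-terminated strings obfuscated with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"".join(
    s + b"\x00" for s in (b"/api/v1/beacon", b"User-Agent: Mozilla/5.0", b"upload", b"shell")
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    key, strings = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print("  ", s)
```

The printable-ratio score is deliberately strict (control characters other than NUL count against a key); a looser definition lets some wrong keys tie with the right one on short inputs, which is exactly the failure mode that makes brute-force "almost work" on real samples.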
A separate delivery chain discovered during analysis introduces a different technical angle. A RAR archive exploits CVE-2025-8088, a path-traversal vulnerability in WinRAR that abuses NTFS alternate data stream handling to write files outside the intended extraction path. The actor uses this to place a batch script directly in the Windows Startup folder, achieving persistence with no additional execution step required. We walk through the exploit mechanics at the file system level and connect it to the group's documented prior use of CVE-2025-6218, a related WinRAR vulnerability, showing how the exploitation tradecraft has evolved while the operational intent has stayed consistent.
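The bug class described here, an archive entry whose alternate-data-stream name is honoured as a path, is one a defender can triage from entry names alone before anything is extracted. The checker below is an added example, not code from the talk and not WinRAR's parser: it takes entry names as strings (how they are pulled out of a given archive format is left to the reader), resolves each against an extraction root with `ntpath`, and flags entries that escape the root, carry a stream name that would escape it, or would land in the well-known per-user Startup folder. All entry names and the extraction root are constructed.

```python
"""Flag archive entry names that would write outside the extraction directory.

Added example for triaging the CVE-2025-8088 bug class (NTFS ADS names used
for path traversal). Entry names are checked as strings; this is not WinRAR
code and does not parse RAR files. Paths below are constructed.
"""
import ntpath

# Suffix of the per-user Startup folder; Explorer runs everything in it at logon.
STARTUP_SUFFIX = r"\Microsoft\Windows\Start Menu\Programs\Startup"


def _under(root: str, path: str) -> bool:
    """True if path lies inside root (case-insensitive, as NTFS is)."""
    r = ntpath.normpath(root).lower().rstrip("\\")
    return ntpath.normpath(path).lower().startswith(r + "\\")


def analyze_entry(root: str, entry: str) -> dict:
    """Classify one archive entry name.

    Returns {'entry', 'resolved', 'findings'} where findings is a list of tags:
      absolute         - entry is rooted or drive-qualified
      escapes-root     - the file path itself resolves outside root
      ads              - entry names an alternate data stream ("file:stream")
      ads-traversal    - the stream name contains separators or ".."
      ads-escapes-root - the stream name, taken as a path, resolves outside root
      targets-startup  - that resolved path is inside a Startup folder
    """
    findings = []
    name = entry.replace("/", "\\")
    # A leading separator or a drive letter ("C:") has no business in an archive.
    # (A one-letter filename with a stream, "a:b", is parsed as a drive by
    # Windows too, so treating it as absolute matches the platform.)
    if name[:1] == "\\" or name[1:2] == ":":
        return {"entry": entry, "resolved": ntpath.normpath(name), "findings": ["absolute"]}

    stream = None
    if ":" in name:
        # "file:stream" selects an NTFS alternate data stream of "file".
        name, stream = name.split(":", 1)
        findings.append("ads")

    resolved = ntpath.normpath(ntpath.join(root, name))
    if not _under(root, resolved):
        findings.append("escapes-root")

    if stream:
        if "\\" in stream or ".." in stream:
            findings.append("ads-traversal")
        # Where the stream name would land if an extractor honoured it as a
        # path relative to the entry's directory.
        stream_target = ntpath.normpath(ntpath.join(ntpath.dirname(resolved), stream))
        if not _under(root, stream_target):
            findings.append("ads-escapes-root")
        if STARTUP_SUFFIX.lower() + "\\" in stream_target.lower():
            findings.append("targets-startup")

    return {"entry": entry, "resolved": resolved, "findings": findings}


def scan(root: str, entries: list[str]) -> list[dict]:
    """Return only the entries that produced at least one finding."""
    return [r for r in (analyze_entry(root, e) for e in entries) if r["findings"]]


if __name__ == "__main__":
    # Constructed extraction root and entry names.
    ROOT = r"C:\Users\alice\Downloads\extract"
    ENTRIES = [
        "report.pdf",
        "report.pdf:Zone.Identifier",
        r"docs\..\..\evil.bat",
        r"report.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
    ]
    for r in scan(ROOT, ENTRIES):
        print(f"{r['entry']!r}: {', '.join(r['findings'])}")
```

A plain `ads` finding is not by itself malicious (`Zone.Identifier` is the Mark-of-the-Web stream and shows up legitimately); the tags worth alerting on are `escapes-root`, `ads-escapes-root` and `targets-startup`. Note also that "../" and "..\" are both normalised, since Windows accepts either separator.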
The decoy documents dropped alongside EchoGather deserve their own section. Both impersonate official communications from the Russian Ministry of Industry and Trade, and both contain artifacts that point clearly to AI-assisted generation: a double-headed eagle emblem rendered with visible distortion errors, Cyrillic characters systematically substituted with visually similar Latin equivalents in ways a native speaker would never produce, and register inconsistencies throughout the text. We treat these documents as forensic artifacts and compare them against decoys from a previously reported Paper Werewolf campaign, showing how recurring mistakes and impersonation patterns function as a durable attribution signal even when the malware family or infrastructure rotates. The AI-generation angle is also worth discussing on its own terms: what does it tell us about how this actor is operationalizing generative AI, and what fingerprints does that leave behind?
On the analyst side, we used VirusTotal file relationship graphs and submission metadata to surface related samples and a broader campaign picture. For infrastructure correlation, we relied on Validin, using passive DNS records, banner hashes, and header fingerprints to connect domains and identify links to past Paper Werewolf activity. To make this repeatable, we built a lightweight script on top of the Validin API using Claude Code that systematizes the correlation process. We will show the tool, explain how it was built, and discuss how researchers can adapt the same approach for their own investigations. This is also a small but concrete illustration of using AI-assisted development to quickly build custom research tooling, something that is increasingly practical yet underutilized in the threat research community.
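The correlation step described here (connecting domains through shared passive-DNS, banner-hash and header-fingerprint pivots, and explaining how a new domain links back to known activity) is the part of such a script that is independent of any particular data provider. The block below is an added example of that logic over constructed records; it is not the Validin API, not the talk's script, and the endpoints and response formats of the real service are deliberately not reproduced. The `max_shared` threshold, which drops pivots shared by too many domains, is the one design decision that matters most in practice: without it, a CDN or shared-hosting fingerprint links everything to everything.

```python
"""Pivot-based infrastructure correlation over constructed observations.

Added example. Records are (domain, pivot_type, pivot_value) triples such as
a Validin-style lookup would return; the real API is not called. All domains,
IPs and hashes are made up.
"""
from collections import defaultdict, deque

# Constructed observations. new-b shares an IP with new-a, which shares a
# banner hash with a domain from a previously reported campaign.
OBSERVATIONS = [
    ("new-a.example", "ip", "203.0.113.10"),
    ("new-a.example", "banner_hash", "bh-3f1"),
    ("new-b.example", "ip", "203.0.113.10"),
    ("new-b.example", "header_hash", "hh-77a"),
    ("old-campaign.example", "banner_hash", "bh-3f1"),
    ("old-campaign.example", "ip", "198.51.100.5"),
    ("lonely.example", "ip", "192.0.2.9"),
]
# A CDN-style header fingerprint seen on many unrelated sites, plus on both
# new-b and old-campaign: a tempting but worthless direct link.
OBSERVATIONS += [(f"site{i}.example", "header_hash", "hh-cdn") for i in range(6)]
OBSERVATIONS += [
    ("new-b.example", "header_hash", "hh-cdn"),
    ("old-campaign.example", "header_hash", "hh-cdn"),
]
KNOWN = {"old-campaign.example"}  # constructed "prior Paper Werewolf" set


def build_graph(observations, max_shared=5):
    """Bipartite graph: domain <-> (pivot_type, pivot_value).

    Pivots shared by more than max_shared domains are treated as noise
    (shared hosting, CDNs, common server banners) and get no edges.
    """
    by_pivot = defaultdict(set)
    for dom, kind, val in observations:
        by_pivot[(kind, val)].add(dom)
    graph = defaultdict(set)
    for pivot, doms in by_pivot.items():
        if len(doms) > max_shared:
            continue
        for d in doms:
            graph[d].add(pivot)
            graph[pivot].add(d)
    return graph


def pivot_path(observations, start, targets, max_shared=5):
    """Shortest chain start -> pivot -> domain -> ... -> a target, or None."""
    graph = build_graph(observations, max_shared)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets and node != start:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in graph[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    return None


def clusters(observations, max_shared=5):
    """Connected components of domains (pivots are only the glue)."""
    graph = build_graph(observations, max_shared)
    domains = {dom for dom, _, _ in observations}
    seen, out = set(), []
    for d in sorted(domains):
        if d in seen:
            continue
        comp, queue = set(), deque([d])
        seen.add(d)
        while queue:
            node = queue.popleft()
            if isinstance(node, str):
                comp.add(node)
            for nb in graph[node]:
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        out.append(frozenset(comp))
    return out


if __name__ == "__main__":
    for dom in ("new-a.example", "new-b.example", "lonely.example"):
        print(dom, "->", pivot_path(OBSERVATIONS, dom, KNOWN))
    for comp in clusters(OBSERVATIONS):
        if len(comp) > 1:
            print("cluster:", sorted(comp))
```

Run as-is, `new-b.example` reaches the known domain only through the IP and banner-hash pivots; raising `max_shared` high enough to admit the CDN fingerprint produces the shorter but meaningless direct link, which is the false positive the threshold exists to suppress.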
The talk will include previously undisclosed indicators and infrastructure findings developed after our public blog post, and all tools, YARA rules, and scripts used in the investigation will be shared with attendees.
