GBHackers

Paper Werewolf APT Spreads EchoGather RAT via Fake Adobe Installer


A sophisticated Russian-language threat cluster known as Paper Werewolf (also tracked as GOFFEE) has launched a fresh wave of targeted cyberattacks against Russian industrial, financial, and transport organizations between March and April 2026.

The attack begins with a phishing email carrying a PDF attachment. Embedded inside the PDF is a URL pointing to a ZIP archive named either Adobe_Reader_RU.zip or Adobe_Reader.zip hosted on attacker-controlled infrastructure at hxxps://ntpluck[.]online.

When the victim clicks the “Install Update” button in the PDF, the archive is automatically downloaded.

Inside the ZIP is an executable called Adobe_Acrobat_Reader_Plugin_ru.exe, crafted using Inno Setup.

The installer mimics a legitimate Adobe Acrobat plug-in installation process, complete with a convincing interface, but silently extracts and launches the EchoGather RAT alongside a harmless Requirement.pdf decoy document to avoid suspicion.

Phishing email (Source : BI.ZONE).

Once deployed, EchoGather collects critical system details (local IP address, computer name, username, process ID, and file path) and exfiltrates this data to its command-and-control (C2) server at ntpsum[.]online over port 443 via HTTPS POST requests. It can also upload and download files and execute attacker commands via cmd.exe.

Security researchers at BI.ZONE, in a report shared with GBHackers, described a multi-stage campaign featuring a convincing fake Adobe Reader installer designed to silently deploy the EchoGather remote access trojan (RAT), alongside a newly identified custom stealer and advanced post-exploitation tooling built for the Mythic framework.

Phishing PDF (Source : BI.ZONE).

In this latest version, Paper Werewolf made a notable change: the threat actor removed explicit proxy configuration from EchoGather’s settings and replaced it with a “magic” parameter.

This value is calculated using the djb2 hashing algorithm, and only after the malware successfully passes its anti-virtualization checks, adding an extra layer of evasion before the C2 communication channel is established.


Alongside the RAT campaign, researchers discovered a previously undocumented stealer written in VB.NET, now dubbed PaperGrabber, connecting to infrastructure at ntptop[.]online.

The malware is a highly capable credential and file theft tool designed to operate silently while evading detection.

PaperGrabber targets a broad range of sensitive file types including PDFs, Office documents, SSH keys, VPN configurations, and cryptographic certificates from local drives, network shares, and removable media.

It also harvests Telegram session data (copying the tdata directory) and extracts saved credentials from browsers, including Chrome, Edge, Opera, Yandex Browser, and Chromium using Windows DPAPI decryption.

All exfiltrated data is chunked into 10 MB segments before being sent to the C2 server over HTTPS, while activity logs are reported to an attacker-controlled Telegram bot.

Paper Werewolf also deployed a JavaScript shellcode downloader running in a disguised Node.js environment, complete with a fake yandex.exe (actually a Node.js interpreter).

The vain and vain1 JS components establish persistence through the Windows registry (HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LOAD) and download shellcode from hxxps://zeccecard[.]com in an infinite retry loop every 43–57 seconds.

A separate C++ downloader disguised as a flight school training application form (Форма заявки на обучение.exe) was detected in April 2026.

Форма заявки.docx decoy (Source : BI.ZONE).

It performs anti-virtualization checks against drive serial numbers and known sandbox usernames before downloading a shellcode payload from arrotech[.]org, embedding the victim’s username and hostname in the request URL.

A VBScript-based .NET assembly downloader was also observed using MSBuild to load and execute in-memory .NET payloads retrieved from woburneast[.]com every 30 seconds.
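Both the JS downloader (retry every 43–57 seconds) and the MSBuild-based .NET downloader (every 30 seconds) poll their servers on a near-fixed interval, which is something a defender can hunt for in proxy logs. The following is an added example, not BI.ZONE's code: it groups outbound requests by source and destination host and flags pairs whose request gaps stay within a small jitter of their median. The log layout, the thresholds, the internal hostname and the sample lines are all constructed for this illustration; attacker hosts are left in the article's defanged form.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy-log sample (not real telemetry); assumed layout is
# "<ISO timestamp> <src_ip> <method> <url>", attacker hosts left defanged.
SAMPLE_LOG = """\
2026-04-02T09:00:00 10.0.0.15 GET https://zeccecard[.]com/grain/duke
2026-04-02T09:00:03 10.0.0.15 GET https://intranet.example.local/home
2026-04-02T09:00:05 10.0.0.15 GET https://intranet.example.local/news
2026-04-02T09:00:00 10.0.0.22 GET https://woburneast[.]com/t2376/dom/fwcookiemanager/bs_afp/872794
2026-04-02T09:00:30 10.0.0.22 GET https://woburneast[.]com/t2376/dom/fwcookiemanager/bs_afp/872794
2026-04-02T09:00:31 10.0.0.15 GET https://intranet.example.local/docs
2026-04-02T09:00:45 10.0.0.15 GET https://zeccecard[.]com/grain/duke
2026-04-02T09:01:00 10.0.0.22 GET https://woburneast[.]com/t2376/dom/fwcookiemanager/bs_afp/872794
2026-04-02T09:01:30 10.0.0.22 GET https://woburneast[.]com/t2376/dom/fwcookiemanager/bs_afp/872794
2026-04-02T09:01:35 10.0.0.15 GET https://zeccecard[.]com/grain/duke
2026-04-02T09:02:00 10.0.0.22 GET https://woburneast[.]com/t2376/dom/fwcookiemanager/bs_afp/872794
2026-04-02T09:02:23 10.0.0.15 GET https://zeccecard[.]com/grain/duke
2026-04-02T09:03:18 10.0.0.15 GET https://zeccecard[.]com/grain/duke
2026-04-02T09:04:02 10.0.0.15 GET https://zeccecard[.]com/grain/duke
2026-04-02T09:05:10 10.0.0.15 GET https://intranet.example.local/docs
2026-04-02T09:12:44 10.0.0.15 GET https://intranet.example.local/home
"""

def parse(log):
    """Yield (timestamp, src_ip, host) for each log line."""
    for line in log.splitlines():
        ts, src, _method, url = line.split(None, 3)
        host = url.split("//", 1)[1].split("/", 1)[0]
        yield datetime.fromisoformat(ts), src, host

def find_beacons(log, min_requests=5, rel_jitter=0.25):
    """Return (src, host, median_gap, max_deviation) for every src->host
    pair whose consecutive request gaps all stay within rel_jitter of
    their median: the signature of a fixed-interval retry loop."""
    groups = defaultdict(list)
    for ts, src, host in parse(log):
        groups[(src, host)].append(ts)
    findings = []
    for (src, host), stamps in groups.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        dev = max(abs(g - med) for g in gaps)
        if med > 0 and dev <= rel_jitter * med:
            findings.append((src, host, med, dev))
    return sorted(findings)
```

On the sample, the two downloader loops are reported (median gaps of 48 s and 30 s) while the irregular intranet browsing from the same workstation is not; in production, widen `rel_jitter` only as far as your false-positive budget allows, since legitimate update agents also poll on fixed intervals.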

Most critically, Paper Werewolf continues advancing its custom Mythic post-exploitation implants.

The latest shellcode-based implant communicates using RSA-4096 key exchange followed by AES session encryption, and supports 30+ commands including process injection, keylogging, SOCKS proxy tunneling, registry manipulation, screenshot capture, and BOF execution.

This level of technical sophistication confirms that Paper Werewolf remains one of the most capable and operationally mature threat actors currently active in the Russian-language threat landscape.

Indicators of compromise


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
