Espionage cluster Paper Werewolf engages in destructive behavior
Dec. 26, 2024, 8:50 p.m.
Description
The Paper Werewolf cluster, also known as GOFFEE, has increased its activity against Russian organizations in the government, energy, finance, and media sectors. Its primary initial-access method is phishing emails carrying malicious Microsoft Word attachments with macros. The group has evolved from cyber espionage to actively disrupting the infrastructure it compromises. It uses PowerShell scripts, custom malware, and post-exploitation frameworks such as Mythic, and employs techniques including reverse shells, credential interception, and destructive actions such as changing passwords and deleting registry keys. Its arsenal includes tools such as PowerRAT, Owowa, and Chisel. This combination of open-source frameworks with custom implants makes detection challenging.
Date
Published: Dec. 25, 2024, 8:12 p.m.
Created: Dec. 25, 2024, 8:12 p.m.
Modified: Dec. 26, 2024, 8:50 p.m.
Attack Patterns
Freyja
QwakMyAgent
PowerTaskel
Owowa
PowerRAT
Paper Werewolf
T1021.002 (Remote Services: SMB/Windows Admin Shares)
T1543.003 (Create or Modify System Process: Windows Service)
T1564.001 (Hide Artifacts: Hidden Files and Directories)
T1531 (Account Access Removal)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1070.004 (Indicator Removal: File Deletion)
T1204.002 (User Execution: Malicious File)
T1082 (System Information Discovery)
T1219 (Remote Access Software)
T1036 (Masquerading)
T1098 (Account Manipulation)
T1027 (Obfuscated Files or Information)
T1041 (Exfiltration Over C2 Channel)
T1566 (Phishing)
T1090 (Proxy)
T1078 (Valid Accounts)
T1003 (OS Credential Dumping)
Additional Information
Media
Energy
Finance
Government
Russian Federation