Positive Technologies Analyzes the Toolset of APT Group Goffee

Specialists at Positive Technologies have revealed details of a previously undocumented toolset used by the hacker group Goffee (also known as Paper Werewolf). According to the researchers, these tools were deployed in the later stages of attacks, enabling the group to maintain long-term persistence inside victim networks while avoiding detection.

Throughout 2024, analysts investigated several incidents that shared common traits. Their findings allowed them to consolidate the malicious activity into a single cluster and attribute it to Goffee—a group active since at least 2022, known for targeting Russian organizations with phishing campaigns.

The report notes that Goffee’s operations have already had tangible consequences, including disruptions to business processes in some of the victim companies. Open-source information about the group remains scarce, in part because Goffee deliberately minimizes its exposure and focuses its operations geographically on Russia.

In the later stages of attacks, the group relies on a mix of newly developed and previously known tools. The toolkit includes:

  • Sauropsida rootkit – used for stealth and persistence.
  • DQuic and BindSycler – tunneling utilities for covert traffic.
  • MiRat – a backdoor for remote control.

In addition, Goffee continues to employ older tools:

  • Owowa – a malicious module for harvesting credentials.
  • PowerTaskel – a non-public agent built for the Mythic framework.

To complicate detection and analysis, the group uses a variety of obfuscation and packing techniques, including the Ebowla packer, the garbler obfuscator for Golang, and a custom encryption algorithm for both traffic and malicious files. Goffee also takes deliberate steps to conceal its command-and-control (C2) infrastructure.

Researchers note that the group primarily registers domains through Namecheap and NameSilo, and frequently uses Russian IP addresses and hosting providers such as MivoCloud, Aeza, and XHost.

This infrastructure strategy helps reduce the chance of exposure by making the traffic appear as if it originates from internal employees. It also allows attackers to bypass geolocation-based filtering, deliver malware, and establish hidden connections during the mid-stage of their attacks—all while staying under the radar.