Listen to this Post
Cybersecurity researchers have uncovered a disturbing new tactic employed by the Paper Werewolf threat actor, also known as Goffee, which is now targeting Russian organizations with malware designed specifically to steal sensitive files from flash drives. Active since at least 2022, this sophisticated threat actor has significantly evolved its tactics and tools, showing a continuous shift in its cyberespionage strategies.
Emerging Threat: Flash Drive Malware
Kaspersky
The threat actor, believed to be primarily targeting Russian organizations, shifted its focus in late 2024. Between July and December of that year, Paper Werewolf primarily concentrated its efforts on industries such as mass media, telecommunications, construction, energy, and government entities. However, the introduction of PowerModul marked a significant change in tactics, hinting at a more targeted and sophisticated approach to cyber espionage.
Paper
BI.ZONE, a cybersecurity firm based in Russia, revealed that Paper Werewolf has executed at least seven campaigns, focusing on government, finance, energy, and media sectors. The group has traditionally relied on phishing emails to deploy malware, often impersonating Russian law enforcement or regulatory agencies to lure victims into opening malicious attachments. These attachments were typically disguised as PDF or Word documents but contained executables designed to deliver malware.
Cyber espionage has been the primary goal of Paper Werewolf, but BI.ZONE reports that the group has also engaged in destructive attacks, including changing credentials and accessing employee accounts. A modified version of the Owowa backdoor has been used in these campaigns, further enhancing the group’s ability to manipulate compromised networks and exfiltrate sensitive data.
What Undercode Says:
Paper Werewolf’s use of flash drives as a primary vector for malware delivery signals a troubling trend in cyber threats targeting physical media. While USB devices have long been a known vector for malware, the sophistication of PowerModul and its associated components underscores an evolving and more focused approach to cyber espionage. The ability of Paper Werewolf to silently spread across multiple systems via infected flash drives demonstrates a high level of technical skill and strategic planning.
What’s particularly concerning is how the threat actor has been able to adapt its tactics. Earlier in its campaign history, Paper Werewolf relied heavily on phishing schemes, a method that, while effective, can often be mitigated with proper awareness and training. Now, with the introduction of PowerModul, the group has shifted to leveraging physical devices to infiltrate organizations. Flash drives are commonly used across various sectors, making them an easy target for malware delivery, especially when users might be unaware of the risks.
This shift in strategy also points to a broader trend in the evolution of cyber threats. As traditional methods such as email phishing become more widely recognized and defended against, attackers are moving towards more stealthy and hard-to-detect techniques. By embedding malware into PowerShell scripts, which can bypass traditional antivirus software, Paper Werewolf has enhanced its ability to remain undetected while conducting espionage and stealing sensitive data.
Moreover, the fact that Paper Werewolf is specifically targeting sectors like media, government, and energy is not accidental. These industries often handle sensitive and high-value information, making them prime targets for state-sponsored actors. The ongoing conflict between Russia and Ukraine, coupled with rising tensions in the global geopolitical landscape, suggests that Paper Werewolf’s activities could be linked to larger geopolitical motives, possibly driven by state-backed objectives.
This adaptation from phishing to malware-laden flash drives is a reminder that cybersecurity measures must evolve in tandem with threat actors’ strategies. As attackers become more innovative in exploiting physical devices, organizations must step up their security protocols to protect both their digital and physical infrastructures.
Fact Checker Results:
1. Paper
2. Flash Drive Targeting:
- Historical Campaigns: BI.ZONE’s analysis of Paper Werewolf’s past campaigns, particularly their focus on government and media sectors, aligns with the observed tactics and targets reported in multiple security studies.
References:
Reported By: www.darkreading.com
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





