Image: Josue Sanchez via Unsplash

Researchers warn about ‘Goffee’ spilling onto Russian flash drives

A little-known hacking group is using custom malware to steal sensitive files from flash drives connected to Russian computers, according to cybersecurity researchers.

The group — labeled Goffee by Russian cybersecurity firm Kaspersky — has deployed a tool dubbed PowerModul that includes components designed specifically to target removable media. 

One such component, FlashFileGrabber, steals files from flash drives or scans USB drives for documents and quietly copies them to a local disk. Another, USB Worm, spreads PowerModul malware by infecting any connected flash drives.

The tools are part of a broader cyber-espionage campaign that has been active since at least 2022, targeting Russian media and telecom companies, government agencies, construction firms and energy providers, Kaspersky said.

Goffee is also tracked as Paper Werewolf, and so far has only been described by Russian cybersecurity companies, including BI.ZONE. Kaspersky had not responded to a request for comment regarding the group's possible ties to known threat actors. 

Kaspersky said the group's latest activity spanned from July to December 2024, marking a shift in tactics with the introduction of PowerModul — a backdoor that can receive and execute additional scripts from a remote server. 

PowerModul was initially thought to be just a secondary loader for another implant called PowerTaskel, but researchers now consider it a standalone tool because it uses its own unique command-and-control infrastructure.

Kaspersky and BI.ZONE say the hackers typically use phishing emails with malicious archives. These emails often impersonate well-known Russian institutions, including law enforcement and regulatory bodies. The attachments usually contain executables disguised as PDF or Word documents.

Although espionage remains Goffee’s primary objective, BI.ZONE noted at least one instance where the attackers disrupted operations within a compromised network.

Between May 2022 and mid-2023, the group also used a modified version of the Owowa backdoor, a credential-stealing malware that targets Outlook Web Access servers.

While Owowa malware may have been developed by a Chinese-speaking threat actor, researchers haven’t publicly attributed the campaign to China. 

Western researchers make no mention of Paper Werewolf in their reports, likely due to limited visibility into Russian networks. 

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.