The threat actor, also known as Goffee, has been active since at least 2022 and has changed its tactics and techniques over the years while targeting Russian organizations.
April 11, 2025 By Kristina Beek
A threat actor known as Paper Werewolf is using new malware to target Russian entities and steal sensitive files from flash drives.
Researchers at Kaspersky Lab observed the actor, also known as Goffee, deploying the malware, which includes components designed to target removable media. Kaspersky said the previously undocumented implant, which it calls "PowerModul," is a PowerShell script downloader that can covertly download other components from command-and-control servers.
One of the components, FlashFileGrabber, steals files from flash drives or scans USB drives for documents before copying them to a local disk. Another component, USB Worm, spreads the PowerModul malware and infects any flash drives that are connected to the device.