A new campaign is targeting Russian military personnel and defense-industry organizations, according to new research from cybersecurity firm Intezer.
The activity came to light earlier in October after Intezer researchers identified a malicious XLL file uploaded to VirusTotal, first from Ukraine and later from Russia. The file, titled “enemy’s planned targets,” was designed to automatically execute malicious code when opened in Microsoft Excel.
Once activated, the file downloaded a previously undocumented backdoor that researchers named ‘EchoGather.’ The malware enabled attackers to collect system information, execute commands, and transfer files from infected machines. Stolen data was sent to a command-and-control (C&C) server disguised as a food delivery website.
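An XLL is a native Windows DLL that Excel loads as an add-in; Excel calls its exported xlAutoOpen function when the file is opened, which is why a malicious XLL runs code without any macro prompt. The triage check below is an added example, not Intezer's tooling or the malware described above: it flags an attachment whose bytes are a PE image carrying XLL entry-point names, or whose spreadsheet extension hides executable content. The sample bytes are constructed in the block, and the string search is a triage heuristic rather than a full export-table parse.

```python
import struct
from typing import List

# Excel invokes these exports when an XLL add-in is loaded, so a PE file
# that names them is an executable add-in, not a data spreadsheet.
XLL_ENTRY_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")
SPREADSHEET_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".csv")


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for an Excel-related attachment; empty list means nothing suspicious."""
    findings = []
    name = filename.lower()
    if not is_pe(data):
        return findings  # genuine .xlsx/.xls files are ZIP or OLE, never PE
    exports = [e.decode() for e in XLL_ENTRY_EXPORTS if e in data]
    if exports:
        findings.append("PE file names XLL entry points: " + ", ".join(exports))
    if name.endswith(".xll"):
        findings.append("XLL add-in: native code runs when opened in Excel")
    elif name.endswith(SPREADSHEET_EXTENSIONS):
        findings.append("spreadsheet extension but PE content: masquerading executable")
    return findings


def build_sample_xll() -> bytes:
    """Constructed stand-in for an XLL: MZ stub, PE signature, then the xlAutoOpen name."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> PE header right after the stub
    return bytes(stub) + b"PE\0\0" + b"\0" * 32 + b"xlAutoOpen\0"


if __name__ == "__main__":
    # Constructed filename echoing the lure title from the report, used only for the demo.
    for line in triage_attachment("enemys_planned_targets.xll", build_sample_xll()):
        print(line)
```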
Intezer attributed the campaign to a group known as ‘Goffee,’ also tracked as ‘Paper Werewolf,’ which has been active since at least 2022.
To lure victims, the attackers used phishing documents written in Russian. One lure posed as a fake invitation to a concert for senior military officers, but showed signs of artificial generation, including linguistic errors and a distorted imitation of Russia’s double-headed eagle emblem. Another document impersonated a letter from Russia’s Ministry of Industry and Trade, requesting pricing justification documents linked to state defense contracts.
It remains unclear how effective the campaign was or what specific information the attackers sought. Researchers said the group is experimenting with new techniques to evade detection but still shows gaps in technical execution and language accuracy.