A sophisticated threat actor known as Paper Werewolf has launched targeted cyberattacks against Russian organizations across industrial, financial, and transport sectors during a two-month campaign spanning March and April 2026. The group, which security researchers also track under the name GOFFEE, uses Russian-language phishing emails as the initial attack vector.
The attack chain begins when targets receive phishing emails containing PDF attachments. These documents embed malicious URLs that direct victims to download ZIP archives. The multi-stage delivery mechanism helps the attackers evade basic security controls that might flag direct malware attachments.
The ultimate payload is EchoGather, a remote access trojan that provides attackers with persistent control over compromised systems. The malware is disguised as a legitimate Adobe installer, exploiting user trust in familiar software brands. Once installed, EchoGather allows threat actors to execute commands, exfiltrate data, and maintain long-term access to victim networks.
The targeting of critical infrastructure sectors including industrial facilities, financial institutions, and transportation networks suggests the campaign may have strategic objectives beyond financial gain. Russian-language operations targeting Russian entities indicate either cybercriminal activity or potential false-flag operations designed to obscure attribution.
Organizations in the affected sectors should strengthen email security controls to detect and block phishing attempts, particularly those containing PDF attachments with embedded URLs. Security teams should monitor for suspicious Adobe installer executables and implement application whitelisting where possible. Employee security awareness training should emphasize the risks of opening unexpected attachments and following links in unsolicited emails, even when they appear to come from legitimate sources.
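One concrete form the email-side control above can take, as an added example that is not from the report or from the researchers tracking the campaign: a scanner that pulls `/URI` link targets out of an uncompressed PDF attachment and flags those pointing at archive downloads, which is the PDF-to-ZIP hop the chain described here relies on. The sample PDF and its `placeholder.invalid` URL are constructed, and the non-ZIP archive suffixes are an assumption added beyond the page.

```python
import re
from urllib.parse import urlparse

# The campaign delivers ZIP; the other suffixes are an assumption for broader coverage.
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".img")

# Matches /URI (literal string) as found in link-annotation actions of an uncompressed PDF.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

def _unescape_pdf_string(raw: bytes) -> str:
    """Resolve the common PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):          # backslash escape
            nxt = raw[i + 1]
            if 0x30 <= nxt <= 0x37:                  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append(nxt)                          # \( \) \\ and similar
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the PDF's uncompressed objects."""
    return [_unescape_pdf_string(m.group(1)) for m in _URI_LITERAL.finditer(pdf)]

def flag_archive_links(pdf: bytes) -> list[str]:
    """URIs whose path ends in an archive extension, the pattern used to deliver EchoGather."""
    return [u for u in extract_uris(pdf) if urlparse(u).path.lower().endswith(ARCHIVE_SUFFIXES)]

# Constructed sample: one page with two link annotations, one of them a ZIP download.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (http://placeholder.invalid/Adobe_Update.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
  /A << /S /URI /URI (https://www.adobe.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri in flag_archive_links(SAMPLE_PDF):
        print("archive link in attachment:", uri)
```

Link actions stored inside compressed object streams are invisible to this byte-level pass; inflate them first (or run the same check over a PDF parser's annotation objects) before trusting a clean result.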
Source: https://gbhackers.com/paper-werewolf-apt/