A cyber-espionage group known for hunting Russian organizations has upgraded its arsenal, deploying malicious Excel add-ins to slip past defenses and install a new backdoor. A new report from Intezer reveals that the Paper Werewolf group (also known as GOFFEE) has adopted XLL files—a specialized type of Windows DLL used by Excel—to deliver a stealthy implant dubbed EchoGather.
The campaign, detected in late October 2025, marks a significant shift in tactics for the group, combining classic email lures with novel execution methods to target Russia’s high-tech and defense industries.
While macro-based malware has long been a staple of cybercrime, Paper Werewolf has pivoted to a more potent vector: the XLL file. Unlike standard spreadsheets, an XLL is essentially a compiled program that Excel loads directly into its memory.
“An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen,” the report explains. Because these files run as native code, they bypass many of the security restrictions and “interpreted scripting” limitations that Microsoft has placed on traditional VBA macros.
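Because an XLL is just a DLL that Excel resolves by its exported callbacks, a defender can triage attachments by their export table rather than their extension. The following stdlib-only Python check is an added example, not code from the report or from Intezer: it parses a PE image's export directory and flags DLLs that export the Excel add-in callbacks. The constructed sample image it builds contains no code and is not loadable; the callback names beyond xlAutoOpen are assumed from the Excel add-in SDK.

```python
import struct

# Callbacks the Excel add-in manager resolves by name; xlAutoOpen is the one the report names.
XLL_EXPORTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove", "xlAddInManagerInfo"}

def _rva_to_off(rva, sections):
    # Map a relative virtual address to a file offset via the section table.
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is outside every section" % rva)

def pe_exports(data):
    """Return (is_dll, exported names) for a PE image held in memory; stdlib only."""
    if data[:2] != b"MZ": raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("bad NT signature")
    nsec, opt = struct.unpack_from("<H", data, pe + 6)[0], pe + 24
    opt_size, chars = struct.unpack_from("<HH", data, pe + 20)     # SizeOfOptionalHeader, Characteristics
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ vs PE32
    export_rva = struct.unpack_from("<I", data, dd)[0]            # data directory 0 = export table
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    names = []
    if export_rva:
        exp = _rva_to_off(export_rva, sections)
        num_names, _, names_rva = struct.unpack_from("<III", data, exp + 24)
        tab = _rva_to_off(names_rva, sections)
        for i in range(num_names):
            off = _rva_to_off(struct.unpack_from("<I", data, tab + 4 * i)[0], sections)
            names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return bool(chars & 0x2000), names                            # 0x2000 = IMAGE_FILE_DLL

def looks_like_xll(data):
    """True when a DLL exports any Excel add-in callback, regardless of its file extension."""
    is_dll, names = pe_exports(data)
    return is_dll and bool(XLL_EXPORTS & set(names))

def build_sample_xll():
    # Constructed minimal PE32+ DLL image exporting xlAutoOpen/xlAutoClose (no code, not loadable).
    names, sec_va, sec_raw = [b"xlAutoOpen", b"xlAutoClose"], 0x1000, 0x200
    tab = sec_va + 40                                  # name-pointer table follows the 40-byte export dir
    strs, blob, ptrs = tab + 4 * len(names), bytearray(), []
    for n in names: ptrs.append(strs + len(blob)); blob += n + b"\0"
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names), 0, tab, 0)
    exp += b"".join(struct.pack("<I", p) for p in ptrs) + bytes(blob)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    fhdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)        # 1 section, IMAGE_FILE_DLL set
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B); struct.pack_into("<II", opt, 112, sec_va, len(exp))
    sec = b".rdata\0\0" + struct.pack("<IIII", len(exp), sec_va, 0x200, sec_raw) + bytes(16)
    hdr = dos + b"PE\0\0" + fhdr + bytes(opt) + sec
    return hdr + bytes(sec_raw - len(hdr)) + exp + bytes(0x200 - len(exp))
```

Run `looks_like_xll(open(path, "rb").read())` over quarantined attachments; a renamed add-in still exports the same callbacks.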
What makes this specific campaign unique is how the malware decides when to strike. Instead of running immediately when the file opens—a behavior that antivirus software often flags—the malicious loader waits.
The researchers discovered that the malware’s logic is triggered only when a thread exits. “Triggering the malicious payload during DLL_THREAD_DETACH helps the malware evade detection by delaying execution until a thread exits,” the report states. This subtle delay allows the attack to bypass behavior-based detection systems that focus primarily on initial activity.
Once the loader executes, it drops the main payload: EchoGather. This custom-built backdoor is designed for reconnaissance and persistence.
“This DLL contains an embedded second-stage payload, a backdoor we named EchoGather,” the report notes. Once active, the malware “collects system information, communicates with a hardcoded command-and-control (C2) server, and supports command execution and file transfer operations.”
The malware communicates over HTTPS, using a hardcoded user agent string that mimics a food delivery service (dostavka/lavka/…) to blend in with legitimate traffic.
The campaign relied on spear-phishing emails carrying files with alarming names like “enemy’s planned targets” (Плановые цели противника.xll). However, the group’s tradecraft showed cracks.
The decoy documents, masquerading as official letters from the Russian Ministry of Industry and Trade, were riddled with errors that betrayed their artificial origins. “The PDF is AI-generated and contains several noticeable inconsistencies,” researchers observed. These included misspelled Russian words and a national emblem that looked more like a “distorted or bird-like figure” than the official double-headed eagle.
Despite these clumsy errors, the infrastructure clearly points to a known adversary. By analyzing the domains and specific exploits used—including a WinRAR vulnerability (CVE-2025-8088)—researchers linked the activity to Paper Werewolf.
“Based on the shared infrastructure, such as the ruzeda[.]com domain, as well as notable similarities in decoy document construction and the exploitation of the WINRAR vulnerability that leverages ADSs, we attribute this campaign to the Paper Werewolf (aka GOFFEE) threat group.”
The shift to XLL files indicates that while the group is prone to linguistic mistakes, they are actively evolving their technical toolkit. “The threat actor appears to be actively exploring new methods to evade detection, including the use of XLL-based delivery techniques and newly developed payloads.”