
System infection scheme via removable media | Image: Kaspersky Labs
The APT group GOFFEE has resurfaced with a revamped arsenal, launching targeted cyberattacks across Russia’s strategic sectors. According to a comprehensive new report from Kaspersky Labs, the group has pivoted from earlier tactics and adopted PowerModul, sophisticated spear-phishing lures, and custom Mythic agents to infiltrate critical networks.
GOFFEE initially gained attention in early 2022 and, until the summer of 2023, primarily deployed modified Owowa (a malicious IIS module) in their attacks. However, in 2024, the group shifted its tactics to deploying patched malicious instances of “explorer.exe” via spear phishing. Throughout the second half of 2024, GOFFEE persisted in launching targeted attacks against Russian organizations, employing PowerTaskel (a non-public Mythic agent written in PowerShell) and introducing a new implant called “PowerModul”.
GOFFEE’s targets span various sectors within Russia, including media and telecommunications, construction, government entities, and energy companies.
GOFFEE’s infection vectors are crafted for stealth. One campaign variant uses a .RAR archive containing a deceptive .pdf.exe file that opens a decoy document while launching malware. Another variant involves a malicious Word document with a VBA macro that writes a malicious HTA to the Windows registry.
This triggers the execution of the PowerModul PowerShell implant via a layered process of dropped JavaScript and encoded scripts.
PowerModul is a base64-encoded PowerShell payload embedded in UserCache.ini, designed to download and execute further malware. Its communications with the C2 server include a fingerprint string derived from the victim’s hostname, username, and disk serial number.
One intriguing feature is its OfflineWorker() function, which can execute embedded tools like FlashFileGrabber, a utility that steals data from USB drives—even when offline.
FlashFileGrabber is designed to steal files from removable media, such as flash drives. Researchers have identified two variants: FlashFileGrabber and FlashFileGrabberOffline.
- FlashFileGrabber searches for 40+ file types on removable media (.docx, .xls, .pdf, .zip, etc.), copies them to %TEMP%\CacheStore\connect\<Serial>\, and indexes them using ftree.db.
- FlashFileGrabberOffline is a variant for disconnected systems, while USB Worm infects USB drives by hiding legitimate files and replacing them with icons that launch PowerModul and a decoy document.
GOFFEE’s PowerShell-based PowerTaskel agent collects system data and executes arbitrary scripts. However, Kaspersky observed a shift towards a binary Mythic agent, delivered via HTA files launched by mshta.exe.
“Recently, we have observed that GOFFEE is increasingly abandoning the use of PowerTaskel in favor of the binary Mythic agent,” the report states.
The Mythic agent is packed in a polyglot HTA file, containing shellcode, PowerShell scripts, and obfuscated JScript. It is capable of privilege escalation, lateral movement via WinRM, and executing high-level tasks like deploying PsExec under SYSTEM privileges.
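The artefacts the report describes give a defender concrete things to look for: Word spawning mshta.exe for the HTA-based delivery chain, HTA markup stored as a registry value by the macro, and FlashFileGrabber's staging directory under %TEMP%\CacheStore\connect\<Serial>\ with its ftree.db index. The following Python is an added detection example written for this page; it is not code from Kaspersky or from the article. It runs over constructed, simplified Sysmon-style events (the dict layout, field names, the user name, the media serial and the registry key path are all assumptions or placeholders), and the markers it matches are the generic HTA tags and the staging path from the text, not any GOFFEE-specific string.

```python
import re
from typing import Dict, List, Optional, Tuple

# --- Constructed sample telemetry (simplified Sysmon-like dicts; not real logs) ---
# eid 1 = process creation, eid 11 = file creation, eid 13 = registry value set.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: user opens Word from Explorer.
    {"eid": "1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Suspicious: Word launches mshta.exe, the HTA launcher the report names.
    {"eid": "1", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    # Benign registry write.
    {"eid": "13", "target": r"HKCU\Software\ExampleApp\LastRun", "details": "2024-11-01"},
    # Suspicious: HTA markup stored as a registry value (key path is a placeholder).
    {"eid": "13", "target": r"HKCU\Software\<PLACEHOLDER-KEY>\Cache",
     "details": '<html><head><hta:application id="x"/><script language="JScript">'
                '/* constructed marker only */</script></head></html>'},
    # Benign temp file.
    {"eid": "11", "target": r"C:\Users\alice\AppData\Local\Temp\~DF1234.tmp"},
    # Suspicious: FlashFileGrabber staging directory and its ftree.db index.
    {"eid": "11", "target": r"C:\Users\alice\AppData\Local\Temp\CacheStore\connect\1A2B3C4D\ftree.db"},
    {"eid": "11", "target": r"C:\Users\alice\AppData\Local\Temp\CacheStore\connect\1A2B3C4D\budget.xlsx"},
]

# %TEMP%\CacheStore\connect\<Serial>\<file>  (serial and file name are captured)
STAGING_RE = re.compile(r"\\CacheStore\\connect\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
# Generic HTA/JScript markup; any one of these inside a registry value is unusual.
HTA_MARKERS = ("<hta:application", "<script")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_mshta(ev: Dict[str, str]) -> bool:
    """Process creation where WINWORD.EXE is the parent of mshta.exe."""
    return (ev.get("eid") == "1"
            and basename(ev.get("parent", "")) == "winword.exe"
            and basename(ev.get("image", "")) == "mshta.exe")


def hta_in_registry(ev: Dict[str, str]) -> bool:
    """Registry value-set event whose data looks like HTA markup."""
    if ev.get("eid") != "13":
        return False
    details = ev.get("details", "").lower()
    return any(marker in details for marker in HTA_MARKERS)


def staging_write(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """(serial, filename) if a file was created in the FlashFileGrabber staging tree."""
    if ev.get("eid") != "11":
        return None
    m = STAGING_RE.search(ev.get("target", ""))
    return (m.group(1), m.group(2).lower()) if m else None


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run all three checks and return one finding per matching event."""
    findings: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        if office_spawns_mshta(ev):
            findings.append({"rule": "office_to_mshta", "index": i, "detail": basename(ev["image"])})
        elif hta_in_registry(ev):
            findings.append({"rule": "hta_in_registry", "index": i, "detail": ev["target"]})
        else:
            hit = staging_write(ev)
            if hit:
                serial, name = hit
                # ftree.db is the index the grabber writes; treat it as the stronger signal.
                rule = "staging_index" if name == "ftree.db" else "staging_file"
                findings.append({"rule": rule, "index": i, "detail": f"{serial}\\{name}"})
    return findings


def serials_seen(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct removable-media serials for which staged copies were observed."""
    return sorted({str(f["detail"]).split("\\", 1)[0]
                   for f in findings if str(f["rule"]).startswith("staging_")})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event #{f['index']}: {f['detail']}")
    print("media serials with staged files:", serials_seen(evaluate(SAMPLE_EVENTS)))
```

The staging-directory rule is the most specific of the three and worth a standalone alert; the Word-to-mshta.exe rule will also fire on some legitimate add-ins, so it is better treated as a correlation input alongside the registry check than as a high-confidence hit on its own.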
Kaspersky attributes this campaign to APT group GOFFEE with high confidence due to consistent malware artifacts, victimology, and infection chains. The group has specifically targeted Russian institutions from July to December 2024, maintaining a strong regional focus.