Paper Werewolf Strikes Critical Infrastructure: Deconstructing the EchoGather RAT and PaperGrabber Campaign

Between March and April 2026, a sophisticated Russian-speaking threat actor identified as Paper Werewolf (also tracked as GOFFEE) initiated a highly targeted campaign against critical infrastructure. The primary targets included Russian industrial, financial, and transport sectors, utilizing a diverse suite of custom-built tools designed for persistence, data theft, and remote command execution.

This latest wave demonstrates a significant leap in operational maturity, moving beyond simple phishing toward a complex, multi-stage execution chain that incorporates anti-analysis techniques and advanced post-exploitation frameworks.

Phishing email (Source : BI.ZONE).
Initial Phishing Vector (Source: BI.ZONE).

Phase 1: The Social Engineering Hook & EchoGather RAT

The intrusion begins with a precision-engineered phishing email. The payload is delivered via a PDF attachment containing a malicious URL. This link directs the victim to a ZIP archive—masquerading as Adobe_Reader_RU.zip or Adobe_Reader.zip—hosted on the attacker-controlled domain ntpluck[.]online.

Upon clicking the “Install Update” prompt within the PDF, the user downloads an executable titled Adobe_Acrobat_Reader_Plugin_ru.exe. This file is built using the Inno Setup installer, providing a highly convincing, legitimate-looking UI. However, while the user sees a standard plugin installation, the installer silently deploys the EchoGather Remote Access Trojan (RAT). To maintain the illusion of normalcy, a decoy document named Requirement.pdf is launched simultaneously.

Technical Analysis of EchoGather:
Once active, EchoGather performs comprehensive system profiling, harvesting local IP addresses, hostnames, usernames, process IDs, and file paths. This metadata is exfiltrated via HTTPS (POST method) to the C2 server at ntpsum[.]online on port 443. The RAT provides full interactive capabilities, including file upload/download and remote command execution via cmd.exe.

A critical update in this version involves a more stealthy C2 communication logic. Researchers at BI.ZONE have noted that the threat actors removed explicit proxy configurations. Instead, they implemented a “magic” parameter calculated using the djb2 hashing algorithm. Crucially, this calculation only occurs after the malware successfully clears anti-virtualization checks, ensuring the C2 channel remains hidden from automated sandbox analysis.

Phishing PDF (Source : BI.ZONE).
Malicious PDF Interface (Source: BI.ZONE).

Phase 2: PaperGrabber – The Targeted Stealer

Parallel to the RAT deployment, the cluster introduced a new, custom-coded VB.NET stealer dubbed PaperGrabber. This tool is specifically optimized for high-value data exfiltration, targeting ntptop[.]online for its C2 communications.

PaperGrabber’s capabilities include:

  • Document Harvesting: Systematic searching for PDFs, Office documents, SSH keys, VPN configurations, and cryptographic certificates across local drives, network shares, and removable media.
  • Browser & Messaging Exploitation: Extraction of saved credentials from Chromium-based browsers (Chrome, Edge, Opera, Yandex) via Windows DPAPI decryption, and the theft of Telegram session data by copying the tdata directory.
  • Stealthy Exfiltration: Data is chunked into 10 MB segments to avoid triggering network anomaly alerts during HTTPS transmission. Activity logs are reported in real-time to an attacker-managed Telegram bot.

Phase 3: Persistence and Advanced Post-Exploitation

The Paper Werewolf ecosystem utilizes several specialized loaders to maintain a foothold:

JavaScript-Based Persistence:
The group uses a disguised Node.js environment (disguised as yandex.exe) to run JavaScript components named vain and vain1. These establish persistence via the Windows Registry (HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LOAD) and initiate an infinite retry loop every 43–57 seconds to pull shellcode from zeccecard[.]com.

C++ & VBScript Loaders:
A C++ downloader disguised as a flight school application (Форма заявки на обучение.exe) was observed performing environment checks (drive serial numbers and sandbox usernames) before pulling payloads from arrotech[.]org. Additionally, a VBScript-based .NET downloader leverages MSBuild to execute in-memory payloads retrieved from woburneast[.]com every 30 seconds, a technique designed to bypass traditional file-based scanning.

The Mythic Framework Integration:
The most alarming aspect of this campaign is the continued refinement of custom implants built for the Mythic framework. These shellcode-based implants utilize RSA-4096 for key exchange and AES for session encryption. They support over 30 sophisticated commands, including process injection, SOCKS proxy tunneling, and Beacon Object Files (BOF) execution, marking Paper Werewolf as a top-tier, operationally mature threat actor.

Форма заявки.docx decoy (Source : BI.ZONE).
Decoy Document: Форма заявки.docx (Source: BI.ZONE).

Indicators of Compromise (IoCs)

Note: The following IoCs are defanged to prevent accidental execution.

Malicious URLs

  • hxxps://ntpluck[.]online/29mNqbkQB96clqjJMRsdVKa94ILLxbFclUe3wf4KSx0rRPtI9M/download/eeab4aec6ad3b271c303d927db55de273bbca008ebf00e06898336c6f3010296
  • hxxps://ntpsum[.]online/sum/M8suINj3ZFi22GMAUdCJH639vDrI2G4zdTWm2rpE5plxsr17Eg
  • hxxps://ssltop[.]online/l402XY5rTBxLPOJDTnqlRCePwy2puTnieDSFVaHEKOyb0Eqh3y/download/32712a3f7ec72fac4535b47017135a72b4994ee69440eff95221fed673d41fdc
  • hxxps://certcalc[.]online/certificate/calculate/G8OftO2lyUuRHa8wBuqR7wcOfAcirSnrp0PCsA3ST17RjjL7JQ
  • hxxps://ntptop[.]online/VaukY9uSiPjpylxpDeTXQgmh0QLy2Q9I8kYY6OFyt0wFqz3yZF/upload
  • hxxps://zeccecard[.]com/116739/person_image/1167273647/48980/cis8petition/0201787911?asdzq
  • hxxps://zeccecard[.]com/grain/duke
  • hxxps://arrotech[.]org/pathclass/33205/freehash/katy
  • hxxps://woburneast[.]com/171751/20020722/1306wicadigi023.pdf
  • hxxps://woburneast[.]com/t2376/dom/fwcookiemanager/bs_afp/872794

Malicious Domains

  • ntpluck[.]online
  • ntpsum[.]online
  • ssltop[.]online
  • certcalc[.]online
  • ntptop[.]online
  • zeccecard[.]com
  • arrotech[.]org
  • woburneast[.]com

Related Articles

Back to top button