The threat actor known as GOFFEE has escalated its malicious campaign in 2024, introducing a new implant dubbed "PowerModul" to target government entities and energy organizations primarily located in Russia.

First identified in early 2022, GOFFEE has evolved from deploying a modified Owowa (a malicious IIS module) to more sophisticated techniques built around PowerTaskel, a non-public Mythic agent written in PowerShell, alongside the newly discovered PowerModul tool. Securelist researchers identified this campaign during the second half of 2024, noting that GOFFEE has updated its distribution schemes while introducing the previously undescribed PowerModul implant.

GOFFEE's attacks begin with spear-phishing emails carrying malicious attachments, typically RAR archives containing either executable files masquerading as documents or Microsoft Office documents with malicious macros. Once opened, these files initiate the infection chain, which typically follows one of two paths: either a patched system file (explorer.exe or xpsrchvw.exe) carrying malicious shellcode is executed, or a macro-enabled document drops PowerModul components onto the victim's system. In both cases PowerModul is the primary payload.

PowerModul's versatility stems from its ability to deploy additional tools. One is FlashFileGrabber, which steals files from removable media and stages them in hierarchical folders under the user's TEMP directory, using paths such as "%TEMP%\CacheStore\connect\". Another is a USB worm that infects removable drives by hiding the original files and creating shortcuts that look legitimate but execute PowerModul when clicked. The worm selects up to five recently accessed files as decoys, a social engineering lure designed to carry the implant across air-gapped networks.

The technical sophistication of PowerModul, combined with GOFFEE's persistent targeting of critical infrastructure in Russia, shows how threat actors continue to evolve their tactics and tooling to compromise high-value targets while maintaining operational security.
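As an added example (not code from the article or from Securelist's research), the PowerShell triage script below turns the three indicators described above into host-side checks: visible .lnk files sitting next to hidden originals on removable drives, the FlashFileGrabber staging folder under each user's TEMP, and copies of explorer.exe or xpsrchvw.exe outside the system directory whose Authenticode signature no longer verifies. The staging path and the two binary names come from the article; the name-matching rule for decoy shortcuts, the "launches a script host" heuristic and the search roots are the editor's assumptions.

```powershell
# Added triage script for the PowerModul indicators described in the article.
# Not code from the article or from Securelist; matching rules are assumptions.

# 1. USB worm: a visible .lnk sitting next to a hidden original with the same name.
function Find-UsbWormDecoys {
    param([Parameter(Mandatory)][string]$Root)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Root -Recurse -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $_
        $decoyName = $lnk.Name -replace '\.lnk$', ''   # e.g. report.docx.lnk -> report.docx
        # Assumption: the hidden original keeps its name, with or without its extension.
        $hiddenTwins = Get-ChildItem -LiteralPath $lnk.DirectoryName -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Extension -ne '.lnk' -and
                $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                ($_.Name -eq $decoyName -or $_.BaseName -eq $decoyName)
            }
        if (-not $hiddenTwins) { return }
        # CreateShortcut only parses the .lnk; it does not launch the target.
        $sc = $shell.CreateShortcut($lnk.FullName)
        [pscustomobject]@{
            Shortcut       = $lnk.FullName
            HiddenOriginal = ($hiddenTwins.FullName -join '; ')
            Target         = $sc.TargetPath
            Arguments      = $sc.Arguments
            # Assumption: a document decoy whose shortcut starts a script host is the worm's lure.
            Suspicious     = [bool]($sc.TargetPath -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32')
        }
    }
}

# 2. FlashFileGrabber staging folder (%TEMP%\CacheStore\connect\) under every user profile.
function Find-FlashFileGrabberStaging {
    $tempRoots = @($env:TEMP) + (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    foreach ($t in ($tempRoots | Sort-Object -Unique)) {
        $staging = Join-Path $t 'CacheStore\connect'
        if (Test-Path -LiteralPath $staging) {
            Get-ChildItem -LiteralPath $staging -Recurse -Force -File -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

# 3. Patched explorer.exe / xpsrchvw.exe delivered in the phishing archive: a copy of either
#    binary in a user-writable location whose Authenticode signature does not verify.
#    Search roots are an assumption; widen them for a full sweep.
function Find-PatchedSystemBinaries {
    param([string[]]$SearchRoots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP))
    foreach ($root in $SearchRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in @('explorer.exe', 'xpsrchvw.exe') } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    # Valid for an unmodified Microsoft binary; anything else on a file with
                    # this name (NotSigned, HashMismatch) warrants a closer look.
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

# Usage: run elevated on the suspect host. Removable drives are WMI DriveType 2.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { Find-UsbWormDecoys -Root "$($_.DeviceID)\" }
Find-FlashFileGrabberStaging
Find-PatchedSystemBinaries
```

The decoy check deliberately lists with -Force, since the worm relies on the hidden attribute to keep the originals out of Explorer's default view; reading the shortcut through WScript.Shell exposes the target and arguments without running them, so the output can be triaged before any file is touched.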
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Apr 2025 18:00:21 +0000