Thursday , 9 January 2025

Surge in Paper Werewolf Cyberattacks on Russian Targets


A troubling rise in espionage-driven attacks delivered through Microsoft Word documents has been confirmed, as threat intelligence analysts report a surge in activity from the Paper Werewolf cluster, also known as GOFFEE. Since 2022, at least seven separate campaigns have been attributed to the group, which infiltrates its targets primarily for espionage, including the theft of credentials.

Paper Werewolf, a capable espionage-focused threat group, has been particularly active against Russian government entities, as well as the energy, finance and media sectors. The latest report, issued by the threat intelligence team of the Russian cybersecurity company BI.ZONE, which collaborates with Interpol and the International Committee of the Red Cross, documents a significant uptick in the group's activity. According to the December 25 technical report, the cluster's operations are taking on an increasingly disruptive character: beyond stealing data, the attackers are now deliberately disrupting the infrastructure they compromise. Espionage remains the primary goal, but the group's tactics have evolved, and after obtaining valid credentials it has begun to interfere with the victim's operations. That escalation is significant because it marks a shift from quiet collection toward deliberate damage once access has been gained.

The BI.ZONE report outlines how the group gains initial access, with phishing as the primary vehicle. The attackers send emails impersonating trusted brands and attach a seemingly innocuous Microsoft Word document whose content cannot be read until the recipient enables macros. If the user falls for the ruse and enables them, the macro decrypts the document's content and installs the malicious program on the device. Once inside the system, the attackers use a range of tools to deepen their access and collect data. One of the most commonly observed is PowerRAT, a remote access trojan (RAT) that gives the operators control of the infected host: they can execute commands, conduct reconnaissance and, in some cases, harvest credentials for services such as Outlook Web Access.
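The infection chain described above, a macro in a Word document that installs further malware, is what process-creation telemetry tends to catch best: a word processor has no business launching a script interpreter. The following is an added example, not code from BI.ZONE or from the report, and it does not use indicators from the Paper Werewolf campaigns. It generalizes the page's description to any macro dropper that spawns PowerShell or a similar interpreter from an Office application. The event records are constructed to mimic the fields of a Sysmon Event ID 1 (process creation) entry; in live use they would come from `Get-WinEvent` against the Sysmon operational log.

```powershell
# Added example: flag Office applications spawning script interpreters.
# The records below are constructed to resemble Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine, User); they are NOT real telemetry.

$officeApps   = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
$interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                  'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

# Constructed sample events: one macro-style launch, one benign Word child
# (the print spooler helper), and one legitimate scheduled PowerShell job.
$events = @(
    [pscustomobject]@{ UtcTime = '2024-12-20 09:14:02'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==' },
    [pscustomobject]@{ UtcTime = '2024-12-20 09:14:05'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288' },
    [pscustomobject]@{ UtcTime = '2024-12-20 09:20:11'; User = 'CORP\svc_backup'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
)

function Get-LeafName([string]$Path) {
    # Strip the directory part regardless of separator so the check is path-independent.
    return $Path -replace '^.*[\\/]', ''
}

function Test-SuspiciousOfficeChild {
    param([Parameter(Mandatory)] $Event)
    $parent = Get-LeafName $Event.ParentImage
    $child  = Get-LeafName $Event.Image
    # -contains compares strings case-insensitively, so WINWORD.EXE and winword.exe both match.
    if ($officeApps -notcontains $parent)   { return $null }
    if ($interpreters -notcontains $child)  { return $null }

    $reasons = @("Office parent $parent spawned $child")
    # Encoded and hidden-window PowerShell are classic macro-dropper tells; they raise severity.
    if ($Event.CommandLine -match '(?i)-(e|en|enc|encodedcommand)\s') { $reasons += 'encoded command line' }
    if ($Event.CommandLine -match '(?i)-w(indowstyle)?\s+hidden')     { $reasons += 'hidden window' }

    [pscustomobject]@{
        UtcTime  = $Event.UtcTime
        User     = $Event.User
        Child    = $child
        Severity = if ($reasons.Count -gt 1) { 'high' } else { 'medium' }
        Reasons  = ($reasons -join '; ')
    }
}

$alerts = $events | ForEach-Object { Test-SuspiciousOfficeChild -Event $_ } | Where-Object { $_ }
$alerts | Format-Table -AutoSize
```

Only the first record is flagged: WINWORD.EXE launching powershell.exe with an encoded, hidden-window command line. The print helper spawned by Word and the scheduled backup job pass through, which is the point of keying on the parent-child pair rather than on powershell.exe alone.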

In addition to these tools, Paper Werewolf uses custom-built software, which conventional corporate defenses are less likely to recognize than widely shared malware. Relying on its own tooling makes it harder for security teams to spot and respond to the malicious activity taking place inside compromised systems. The report also gives a sense of the broader impact on Russian industry. Espionage-related attacks on Russian companies made up 21% of all incidents recorded in 2024, a noticeable increase from 15% the previous year. The trend is a growing concern for Russian businesses, especially those in sensitive sectors such as energy and government, and the pressure on them will only increase if the attackers keep moving toward disruptive activity.

Oleg Skulkin, head of threat intelligence at BI.ZONE, explained the seriousness of the situation: “In addition to infiltrating the victim’s IT infrastructure for data collection purposes, the adversaries have also been seen disrupting operations in the compromised system. They often change employee account passwords, a tactic commonly used by financially motivated attackers or hacktivists seeking to cause widespread disruption.” The significance is that a tactic normally associated with financially motivated or hacktivist actors is now appearing in an espionage operation, which points to a more overtly malicious, likely politically driven agenda. Once inside a system, Paper Werewolf may not stop at data theft: by changing account passwords it can lock staff out of their own systems and bring operations to a halt, whether as a means of exerting pressure or simply to cause disruption.

Given how Paper Werewolf’s methods are evolving, traditional cybersecurity measures alone may not be sufficient. Even so, threat intelligence experts agree that the key to mitigating this kind of attack lies in the basics of phishing awareness, because the infection chain depends on a user opening an unsolicited document and clicking to enable macros. The most effective defense remains user vigilance and education. Employees must be trained not to open unsolicited documents, particularly attachments or links that ask for an action such as enabling macros, and a culture of skepticism toward unknown communications goes a long way toward preventing the initial compromise. Businesses should also keep their threat intelligence current so that new tactics and tools used by the group can be tracked as they appear.

Blocking macros in Microsoft Word can stop many of these attacks in their tracks: if Word will not run macros from documents that arrived by email, the lure’s request to enable content has nothing to offer. Disabling macros by default in Office documents, and enforcing that setting centrally rather than leaving it to individual users, is an essential step in fortifying defenses. Businesses should also deploy monitoring and behavioral analysis tools that can identify unusual activity, such as unrecognized access to Outlook Web Access, unfamiliar login attempts or unexpected changes to employee passwords, any of which could indicate a successful breach. In light of the Paper Werewolf attacks, organizations urgently need to rethink their approach to email security. As one of the most common vectors for malware delivery, email remains a top priority for any security team. That means more rigorous email filtering, for example quarantining macro-enabled attachments from external senders, monitoring for suspicious behavior, and regular employee training on phishing and social engineering tactics.
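The macro-blocking recommendation above maps onto two Office policy settings that Group Policy writes to the registry. The script below is an added example, not from the article or from BI.ZONE: it audits the current Word macro policy for the signed-in user, reports why it is weak, and then applies the hardened values. It assumes a Microsoft 365 / Office 2016-2021 installation (the `16.0` key); the value meanings are Microsoft's documented ones, and the `Test-WordMacroPolicy` wording is this example's own. In production the same values are deployed through Group Policy or Intune rather than per machine.

```powershell
# Added example: audit and harden Word's macro policy via the Office policy registry path.
# This is the HKCU policy key (what Group Policy writes); it overrides the user's own
# Trust Center preference under HKCU:\Software\Microsoft\Office\16.0\Word\Security.
# Excel and PowerPoint have parallel keys (...\16.0\Excel\Security, ...\16.0\PowerPoint\Security).

$wordSecurity = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

# VBAWarnings (documented Office policy values):
#   1 = enable all macros                      (weakest)
#   2 = disable all macros with notification   (the yellow "Enable Content" bar the lure relies on)
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification (no prompt for the user to click)
# BlockContentExecutionFromInternet = 1 blocks macros in files carrying Mark-of-the-Web
# (email attachments and downloads) regardless of what the user clicks.
$weak     = @{ VBAWarnings = 2; BlockContentExecutionFromInternet = 0 }   # notification-only: user can enable
$hardened = @{ VBAWarnings = 4; BlockContentExecutionFromInternet = 1 }   # blocked, silently, everywhere

function Get-WordMacroPolicy {
    if (-not (Test-Path $wordSecurity)) { return $null }
    $props = Get-ItemProperty -Path $wordSecurity
    [pscustomobject]@{
        VBAWarnings                       = $props.VBAWarnings
        BlockContentExecutionFromInternet = $props.BlockContentExecutionFromInternet
    }
}

function Set-WordMacroPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    if (-not (Test-Path $wordSecurity)) { New-Item -Path $wordSecurity -Force | Out-Null }
    foreach ($name in $Policy.Keys) {
        New-ItemProperty -Path $wordSecurity -Name $name -Value $Policy[$name] `
                         -PropertyType DWord -Force | Out-Null
    }
}

function Test-WordMacroPolicy {
    # Returns a one-line verdict; the text is this example's own, not an Office message.
    $current = Get-WordMacroPolicy
    if (-not $current) {
        return 'NO POLICY: Word falls back to its built-in defaults and the user can enable macros'
    }
    $issues = @()
    if ($current.VBAWarnings -notin 3, 4) {
        $issues += "VBAWarnings=$($current.VBAWarnings) still lets the user enable macros from the prompt"
    }
    if ($current.BlockContentExecutionFromInternet -ne 1) {
        $issues += 'Internet-marked documents are not blocked by policy (relies on defaults the user can override)'
    }
    if ($issues) { return 'WEAK: ' + ($issues -join '; ') }
    return 'OK: macros from email and downloads cannot run'
}

Write-Output "Before: $(Test-WordMacroPolicy)"
Set-WordMacroPolicy -Policy $hardened
Write-Output "After:  $(Test-WordMacroPolicy)"
```

The `$weak` table is shown only for comparison and is never applied. Setting `VBAWarnings` to 4 is the broadest control; organizations that depend on internal macros can use 3 with a code-signing process for approved macros instead, while keeping `BlockContentExecutionFromInternet` at 1 so that documents arriving by email are blocked either way. The change takes effect the next time Word starts.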

To stay ahead of attackers like Paper Werewolf, organizations need to keep evolving their security strategies. Threat actors increasingly use custom tools to bypass traditional controls, so relying on basic, signature-based defenses is no longer enough. The threat posed by the group is more significant than ever, with attacks on Russian industry rising sharply in 2024. These attacks go beyond traditional espionage, with the group now actively disrupting operations within the systems it compromises. While the threat is clearly growing, the most effective response is to track the group’s evolving tactics and to ensure that every employee can recognize a phishing attempt. Through awareness, well-chosen technology and collaboration with threat intelligence providers, organizations can reduce the risk posed by this increasingly capable adversary.

Microsoft has been approached for a statement on the matter, and this article may be updated when further information is available.
