A newly discovered malware campaign is making waves in Russia’s cybersecurity landscape. A threat actor known as Paper Werewolf, also tracked under the alias Goffee, has been using a sophisticated malware toolset to steal sensitive data from USB flash drives and carry out targeted cyber espionage.
Researchers at Kaspersky Lab recently revealed that Paper Werewolf has been deploying a never-before-seen PowerShell-based downloader, which they’ve named PowerModul. This implant is capable of covertly fetching additional payloads from command-and-control servers, giving attackers a modular framework for flexible, stealthy operations.
USB Devices Now a Prime Target
One of the standout features of PowerModul is its ability to target removable media. Among its components is FlashFileGrabber, a tool that scans USB drives for documents and silently copies them to the compromised system’s local storage.
Another module, USB Worm, spreads the malware by infecting any flash drives connected to an infected device, allowing Paper Werewolf to move laterally across systems via physical media. This tactic significantly increases the malware’s reach, especially in air-gapped environments.
Kaspersky says the PowerModul campaign was observed between July and December 2024, focusing on Russian entities in sectors including mass media, telecommunications, energy, construction, and government. Researchers believe the malware marks a shift in tactics for Paper Werewolf, which previously relied heavily on email phishing and social engineering.
Seven Confirmed Campaigns and Destructive Capabilities of Paper Werewolf
Security experts at Russian cybersecurity firm BI.ZONE have attributed at least seven campaigns to Paper Werewolf in the past year alone. Their primary targets? Russian organizations operating in government, finance, energy, and media.
Historically, the group has impersonated trusted institutions like law enforcement or regulatory agencies to dupe victims into opening infected attachments. These attachments often contained malicious executables disguised as seemingly harmless PDFs or Word documents.
While espionage remains the group’s core objective, BI.ZONE also warned of destructive elements in Paper Werewolf’s arsenal. Some campaigns have included credential theft, unauthorized account access, and the deployment of a modified Owowa backdoor, a known webmail credential stealer designed to operate on Microsoft Exchange servers.
As threat actors evolve their tactics, Paper Werewolf’s use of USB-targeting malware shows how attackers are adapting to more secure or isolated environments. This campaign reflects a broader shift in cyber espionage strategy, focusing on persistence, stealth, and the ability to operate offline.
With the PowerModul framework now in active use, security analysts expect the group to continue refining its techniques—and expanding its victim pool. For now, experts urge organizations in critical sectors to review their removable media policies, update endpoint protection tools, and educate staff on recognizing social engineering tactics.