GOFFEE is a threat actor that first came to our attention in early 2022. Since then, Kaspersky researchers have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment.
Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing. During the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we dubbed “PowerModul”. The targeted sectors included media and telecommunications, construction, government entities, and energy companies.
Read more…
Source: Kaspersky
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- France: Daughter of crypto boss escapes Paris kidnap attempt in latest in series of attacks
May 14, 2025
Passers-by helped to foil the attempted kidnapping by armed assailants of the daughter and grandson of a French cryptocurrency boss in Paris, in a brazen daytime attack that was caught on camera. The incident prompted Paymium, the Crypto firm owned by the father of the woman targeted, to demand “protections” for companies in France’s cryptocurrency sphere. ...
- DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
May 14, 2025
In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. DarkCloud employs multi-stage payloads and obfuscated ...
- M&S warns shoppers are at risk from scammers after cyber attack
May 14, 2025
Marks & Spencer has warned shoppers to be on the lookout for scam calls and emails after hackers stole customer data from its systems. The retailer is this week writing to customers to alert them that personal data have been taken by cyber criminals, including partial credit card details, contact information, dates of birth and order ...
- Horabot Unleashed: A Stealthy Phishing Threat
May 12, 2025
In April, FortiGuard Labs observed a threat actor using phishing emails with malicious HTML files to spread Horabot, malware that primarily targets Spanish-speaking users. It is known for using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking ...
- Mitel Releases Security Advisory for Mitel SIP Phones
May 12, 2025
Mitel has released security advisory addressing two vulnerabilities in Mitel SIP Phones including Mitel 6800 Series, 6900 Series, 6900w Series and 6970 Conference Unit. CVE-2025-47188 has a CVSSv3 base score of 9.8 and is a ‘command injection’ vulnerability that could allow an unauthenticated attacker to inject and execute arbitrary commands on the device. Exploitation could lead ...
- Marbled Dust leverages zero-day in Output Messenger for regional espionage
May 12, 2025
Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger, a multiplatform chat software. These exploits have resulted in collection of related user data from targets in Iraq. Microsoft Threat ...