GOFFEE continues to attack organizations in Russia


GOFFEE is a threat actor that first came to our attention in early 2022. Since then, Kaspersky researchers have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment.

Starting in May 2022 and up until the summer of 2023, GOFFEE deployed a modified version of Owowa (a malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing. During the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we dubbed “PowerModul”. The targeted sectors included media and telecommunications, construction, government entities, and energy companies.

Source: Kaspersky

