Introduction
GOFFEE is a threat actor that has targeted entities in the Russian Federation since early 2022, employing spear phishing emails with malicious attachments, including modified Owowa and patched explorer.exe. They have utilized PowerTaskel, a non-public Mythic agent in PowerShell, and introduced a new implant called “PowerModul” for attacks against sectors such as media, telecommunications, and government. GOFFEE has increasingly shifted to a binary Mythic agent for lateral movement and has incorporated Word documents with malicious VBA scripts in their infection chains. The group has demonstrated a consistent evolution in their TTPs while maintaining identifiable characteristics that attribute their campaigns with high confidence.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- PowerDuke
- POWERSTATS
- Agent.btz
- Power Loader
- POWERSOURCE
- PowerRAT
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.