[Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek)
April 11, 2025 | 1 Min Read

Source: Moviestore Collection Ltd via Alamy Stock Photo

NEWS BRIEF

A threat actor known as Paper Werewolf is using new malware to target Russian entities and steal sensitive files from flash drives.

The actor, also known as Goffee, [was observed](https://securelist.com/goffee-apt-new-attacks/116139/) deploying the malware by researchers at Kaspersky Lab. The malware includes components that are designed to target removable media. Kaspersky said the previously undocumented implant, which it calls ‘PowerModul,’ is a PowerShell script downloader that can covertly download other components from command and control servers.
One of the components, FlashFileGrabber, steals files from [flash drives](https://www.darkreading.com/cyberattacks-data-breaches/sogu-snowydrive-malware-usb-based-cyberattacks-surge) or [scans USB drives](https://www.darkreading.com/threat-intelligence/usb-drives-spyware-china-mustang-panda-apt-global) for documents before copying them to a local disk. USB Worm is another such component and operates by spreading PowerModul malware and infecting any flash drives that are connected to the device.

The threat actor singled out organizations in the mass media, telecommunications, construction, government, and energy sectors from July to December 2024 before shifting its tactics with the introduction of PowerModul, according to Kaspersky researchers. Researchers at Russian cybersecurity firm BI.ZONE said Paper Werewolf has conducted at least [seven campaigns](https://bi-zone.medium.com/espionage-cluster-paper-werewolf-engages-in-destructive-behavior-fd8781418ada), mostly aimed at government, energy, finance, and media organizations.

In the past, Paper Werewolf typically used phishing emails with malicious documents, impersonating well-known Russian institutions such as law enforcement or regulatory bodies to lure in its victims. The malicious email attachments contained executables disguised as PDF and Word documents. Though cyber espionage remains the group’s main objective, BI.ZONE said Paper Werewolf has also engaged in destructive attacks. Its attack chains have included gaining access to employee accounts and changing credentials, as well as using a modified version of the Owowa backdoor.
Related Tags:
NAICS: 23 – Construction
NAICS: 921 – Executive, Legislative, Other General Government Support
NAICS: 71 – Arts, Entertainment, Recreation
NAICS: 211 – Oil And Gas Extraction
NAICS: 54 – Professional, Scientific, Technical Services
NAICS: 21 – Mining, Quarrying, Oil And Gas Extraction
NAICS: 713 – Amusement, Gambling, Recreation Industries
NAICS: 513 – Publishing Industries
NAICS: 517 – Telecommunications


