Security researchers have identified a new cyber-espionage operation conducted by a little-known threat group, with Russian military members and defense-industry entities emerging as the primary targets.
Researchers at Intezer, a cybersecurity company headquartered in New York, uncovered the campaign earlier in October after spotting a malicious XLL file on VirusTotal. The file, uploaded first from Ukraine and subsequently from Russia, carried the name “enemy’s planned targets” and was designed to execute harmful code automatically upon being opened in Excel.
Upon activation, the malicious file installed an undocumented backdoor dubbed EchoGather, granting threat actors the ability to collect system information, execute remote commands, and transfer files. The harvested data was covertly sent to a command-and-control server camouflaged as a legitimate food delivery service.
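The lure in this campaign worked because an XLL is not a spreadsheet but a native DLL that Excel loads as an add-in, calling its exported `xlAutoOpen` function as soon as the file is opened. A mail gateway or triage script can therefore flag such attachments without running them, by parsing the PE export table and looking for the XLL entry-point names. The script below is an added example written for this article; it is not Intezer's tooling or anything recovered from the campaign. It uses only the Python standard library, and `build_sample_xll` constructs a minimal, code-free PE32+ image purely so the parser can be exercised offline (the sample file name and export list are constructed for the example).

```python
import struct

# Exports that Excel's add-in loader calls on an XLL; xlAutoOpen runs on load,
# which is why a malicious XLL executes as soon as the document is opened.
XLL_ENTRY_POINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
                    "xlAddInManagerInfo", "xlAddInManagerInfo12"}
IMAGE_FILE_DLL = 0x2000


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not mapped by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", errors="replace")


def pe_exports(data):
    """Return (is_dll, [exported names]) by parsing only the PE headers and export table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size, chars = struct.unpack_from("<HH", data, pe_off + 20)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # DataDirectory[0] is the export directory; its offset differs between PE32 and PE32+.
    export_rva = struct.unpack_from("<I", data, opt_off + (112 if magic == 0x20B else 96))[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    is_dll = bool(chars & IMAGE_FILE_DLL)
    if export_rva == 0:
        return is_dll, []
    exp = _rva_to_offset(export_rva, sections)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]          # NumberOfNames
    names_off = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
    names = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
    return is_dll, names


def classify_attachment(filename, data):
    """Triage verdict for one attachment: flag PEs exposing XLL entry points, whatever the extension."""
    verdict = {"filename": filename, "is_pe": False, "is_dll": False,
               "xll_entry_points": [], "flag": filename.lower().endswith(".xll")}
    try:
        is_dll, exports = pe_exports(data)
    except (ValueError, struct.error):
        return verdict            # not a loadable PE; only the extension can make it suspicious
    hits = sorted(set(exports) & XLL_ENTRY_POINTS)
    verdict.update(is_pe=True, is_dll=is_dll, xll_entry_points=hits)
    verdict["flag"] = verdict["flag"] or bool(hits)
    return verdict


def build_sample_xll(export_names=("xlAutoOpen", "xlAutoClose")):
    """Constructed sample: a minimal PE32+ DLL with an export table and no code, for offline testing."""
    pe_off, sect_file_off, sect_va, opt_size, n = 0x80, 0x200, 0x1000, 240, len(export_names)
    names_rva = sect_va + 40                        # tables follow the 40-byte export directory
    funcs_rva, ords_rva = names_rva + 4 * n, names_rva + 8 * n
    strings_rva, strings, string_rvas = ords_rva + 2 * n, bytearray(), []
    for nm in export_names:
        string_rvas.append(strings_rva + len(strings))
        strings += nm.encode() + b"\x00"
    dll_name_rva = strings_rva + len(strings)
    strings += b"sample.xll\x00"
    blob = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                 funcs_rva, names_rva, ords_rva))
    blob += b"".join(struct.pack("<I", r) for r in string_rvas)   # AddressOfNames
    blob += b"\x00" * (4 * n)                                      # AddressOfFunctions (no code)
    blob += b"".join(struct.pack("<H", i) for i in range(n))      # AddressOfNameOrdinals
    blob += strings
    img = bytearray(sect_file_off + len(blob))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x8664, 1, 0, 0, 0, opt_size, 0x2022)  # DLL | EXE
    opt_off = pe_off + 24
    struct.pack_into("<H", img, opt_off, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", img, opt_off + 112, sect_va, len(blob))  # export data directory
    sect_off = opt_off + opt_size
    img[sect_off:sect_off + 8] = b".edata\x00\x00"
    struct.pack_into("<IIII", img, sect_off + 8, len(blob), sect_va, len(blob), sect_file_off)
    img[sect_file_off:sect_file_off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    print(classify_attachment("planned_targets.xll", build_sample_xll()))
```

Because the check keys on the export names rather than the `.xll` extension, a sample renamed to `.dat` or `.dll` is still flagged; conversely an ordinary DLL that exports nothing Excel would call is not.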
The group, tracked as Goffee, has operated since at least 2022, but public disclosures by Western security researchers about cyber operations aimed at Russian entities remain infrequent, reflecting the difficulty of gaining visibility into Russian network environments.
Intezer said in its Friday report that Goffee hackers crafted phishing messages in Russian, using a fabricated concert invitation targeting high-ranking military officers as bait. However, the document appeared artificially generated, marked by language errors and a distorted imitation of Russia’s double-headed eagle that failed to accurately replicate the national emblem.
Intezer reported that a separate lure impersonated correspondence from a deputy within Russia’s Ministry of Industry and Trade, seeking pricing justification materials related to government defense contracts. The letter was sent to large defense and high-tech enterprises, which researchers believe were the campaign’s primary targets.
Researchers have not determined the success rate of the attacks, nor have they identified the specific data the attackers were trying to access.
“The threat actor appears to be actively exploring new methods to evade detection,” the researchers said. “However, there are still clear gaps in both technical execution and linguistic accuracy, indicating that their tradecraft is still developing.”
Researchers believe Goffee—also known as Paper Werewolf—has operated since at least 2022 and likely holds pro-Ukrainian leanings, but its exact provenance has yet to be established. To date, the majority of reporting on the group has been produced by Russian cybersecurity companies.
Kaspersky revealed in April that Goffee had used bespoke malware to steal confidential files from USB drives plugged into Russian computers. In a separate report published in August, BI.ZONE said the group also combined a zero-day exploit with an existing WinRAR vulnerability in attacks against Russian entities.
BI.ZONE has noted that while the group primarily conducts espionage activities, there has been at least one instance where the attackers went beyond intelligence gathering and disrupted operations inside an infiltrated network.