Paper Werewolf deploys PowerModul implants for targeted cyberattacks in Russian sector

April 11, 2025

Paper Werewolf Deploys PowerModul Implants

A threat actor known as Paper Werewolf has been observed targeting Russian groups with a new implant called PowerModul.

The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government and energy sectors, Kaspersky said in a new report released Thursday.

Paper Werewolf, also known as Goffee, is assessed to have run at least seven campaigns since 2022, according to BI.ZONE, and primarily targets government, energy, finance, media and other organizations.

The attack chains mounted by the threat actor have been observed to incorporate destructive components, with intrusions going beyond the distribution of malware to changing the passwords of employee accounts.

The attack itself is initiated via a phishing email carrying a macro-laced lure document. When the document is opened and macros are enabled, it deploys a PowerShell-based remote access trojan known as PowerRAT.


The malware is designed to deliver the next-stage payloads: custom versions of the Mythic framework agent known as PowerTaskel and QwakMyAgent. Another tool in the threat actor's arsenal is a malicious IIS module called Owowa, which is used to retrieve the Microsoft Outlook credentials entered by web-client users.

The latest set of attacks documented by Kaspersky begins with malicious RAR archive attachments containing executables that use a double extension (*.pdf.exe or *.doc.exe) to masquerade as PDF or Word documents. When the executable is launched, a decoy file is downloaded from a remote server and displayed to the user, while the infection proceeds to the next stage in the background.
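The double-extension trick described above is cheap to catch at the mail gateway or in archive triage. The following Python helper is an added example, not code from the article or from Kaspersky: it flags entries whose name ends in a document extension followed by an executable extension, and cross-checks the file's magic bytes against what the visible name claims. The archive entries in SAMPLE_ARCHIVE are constructed for illustration; the extension sets and magic signatures are the author's own choices and can be extended.

```python
"""Triage helper for double-extension lures (added example, not from the article)."""
import os

# Extensions a lure typically claims, and extensions Windows will execute.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Leading bytes that identify the real content, independent of the file name.
MAGIC = {
    "pe": b"MZ",                  # Windows executable (DOS header)
    "pdf": b"%PDF-",
    "ole": b"\xd0\xcf\x11\xe0",   # legacy .doc/.xls (OLE2 compound file)
    "zip": b"PK\x03\x04",         # .docx/.xlsx are ZIP containers
}


def split_extensions(name):
    """Return the lowercase extension chain of a file name, e.g. ['.pdf', '.exe']."""
    base = os.path.basename(name)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def is_double_extension(name):
    """True for names like report.pdf.exe: a document extension hiding an executable one."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS


def content_type(data):
    """Classify content by magic bytes; 'unknown' if none of the known signatures match."""
    for label, magic in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def triage(name, data):
    """Return a list of findings for one archive entry (empty list means nothing suspicious)."""
    findings = []
    exts = split_extensions(name)
    kind = content_type(data)
    if is_double_extension(name):
        findings.append("double extension: " + "".join(exts[-2:]))
    if kind == "pe" and exts and exts[-1] not in EXEC_EXTS:
        findings.append("PE content behind non-executable extension " + exts[-1])
    if kind == "pe" and any(e in DOC_EXTS for e in exts):
        findings.append("document-looking name carries a Windows executable")
    return findings


def scan_archive(entries):
    """Map entry name -> findings for every entry that produced at least one finding."""
    return {n: triage(n, d) for n, d in entries.items() if triage(n, d)}


# Constructed sample archive listing: names and first bytes only, no real malware.
SAMPLE_ARCHIVE = {
    "contract.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,             # executable posing as a PDF
    "readme.txt": b"MZ\x90\x00" + b"\x00" * 60,                   # executable with a text extension
    "brief.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,  # genuine legacy Word file
    "notes.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",                  # genuine PDF
}

if __name__ == "__main__":
    for entry, findings in scan_archive(SAMPLE_ARCHIVE).items():
        print(entry, "->", "; ".join(findings))
```

Because the check looks at both the name and the magic bytes, renaming the payload to a single benign extension (the readme.txt case) is caught as well, not only the *.pdf.exe pattern the report mentions.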

“The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with some of the code patched with malicious shellcode,” Kaspersky said. “The shellcode is similar to what we saw in previous attacks, but also includes an obfuscated Mythic agent that immediately begins communicating with the command-and-control (C2) server.”


The alternative attack sequence is more elaborate, using a RAR archive that embeds a Microsoft Office document with a macro that acts as a dropper for deploying and launching PowerModul, a PowerShell script that can receive and execute additional PowerShell scripts from a C2 server.

The backdoor is said to have been in use since 2024, with the threat actor first using it to download and run PowerTaskel on the compromised host. Some of the other payloads dropped by PowerModul are listed below:

  • A component that infects removable media with a copy of PowerModul.
  • FlashFileGrabber, which is used to steal files from removable media such as flash drives.
  • A variant of FlashFileGrabber that searches removable media for files with specific extensions and copies them to a local directory named “CacheStore” (the full path is garbled in the source).

PowerTaskel is functionally similar to PowerModul in that it is designed to run PowerShell scripts sent from a C2 server. However, it can also send information about the target environment in the form of a “check-in” message and run other commands received from the C2 server as tasks. It is also able to escalate privileges using the PsExec utility.
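PsExec and its clones leave a reliable trace: Windows writes a System event ID 7045 whenever a new service is installed, and PsExec's default service is named PSEXESVC with its binary copied in through the ADMIN$ share. The following Python detection sketch is an added example, not code from the report or from Kaspersky. The EVENTS records are constructed for illustration; the field names follow the 7045 event (ServiceName, ImagePath, AccountName) but every value is made up, and the random-looking-name heuristic is the author's own.

```python
"""Hunt for PsExec-style remote service installs in 7045 events (added example)."""
import re

# Constructed event records: shapes follow Windows System log 7045, values are invented.
EVENTS = [
    {"EventID": 7045, "Computer": "SRV-FILE01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS-ACCT12", "ServiceName": "ab3f1c9e",
     "ImagePath": r"\\127.0.0.1\ADMIN$\ab3f1c9e.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV-FILE01", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 4624, "Computer": "WS-ACCT12", "LogonType": 3, "TargetUserName": "j.doe"},
]

# Heuristic: renamed PsExec-like services often get short machine-generated hex names.
RANDOM_NAME = re.compile(r"[0-9a-f]{8,}")


def classify_service_install(event):
    """Return the reasons a 7045 event looks like a remote-execution tool install.

    An empty list means the event is not a service install or shows no indicator.
    """
    if event.get("EventID") != 7045:
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").lower()
    reasons = []
    if name.lower() == "psexesvc":
        reasons.append("service name is PsExec's default PSEXESVC")
    if "\\admin$\\" in path:
        reasons.append("service binary staged through the ADMIN$ share")
    if RANDOM_NAME.fullmatch(name.lower()):
        reasons.append("random-looking hexadecimal service name (heuristic)")
    return reasons


def hunt(events):
    """Map host -> list of (service name, reasons) for every suspicious install."""
    hits = {}
    for ev in events:
        reasons = classify_service_install(ev)
        if reasons:
            hits.setdefault(ev["Computer"], []).append((ev["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for host, installs in hunt(EVENTS).items():
        for service, reasons in installs:
            print(f"{host}: {service}: " + "; ".join(reasons))
```

In production the same logic would be fed from the System channel (Security event 7045 is also forwarded by most EDR/SIEM agents), and a hit should be correlated with the network logon that preceded it on the same host; legitimate administration with PsExec exists, so the value is in an allow-list of admin jump hosts rather than in blocking outright.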


In at least one instance, PowerTaskel is known not only to replicate FlashFileGrabber functionality but also to use a FolderFileGrabber component, which adds the ability to collect files from a hard-coded network path over the SMB protocol.

“For the initial infection, they used a Word document with a malicious VBA script for the first time,” says Kaspersky. “Recently, Goffee has been observed increasingly abandoning the use of PowerTaskel in favour of the binary Mythic agent during lateral movement.”

The disclosure coincides with BI.ZONE attributing a phishing campaign to another threat group it calls Sapphire Werewolf, which is distributing a stealer.

The stealer, the Russian company said, harvests credentials from Telegram and from browsers such as Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa and Edge Chromium, as well as from FileZilla and SSH configuration files, and also collects documents stored on removable media.
