Goffee hackers target Russian companies via phishing
Positive Technologies has identified a previously unknown toolkit used by the cybercriminal group known as Goffee. Deployed in the later stages of attacks, these tools helped the attackers remain hidden inside victim networks for extended periods. The group's operations have already caused serious disruptions, including temporary shutdowns of business operations at several Russian companies.
Throughout 2024, Positive Technologies experts investigated a series of incidents with similar characteristics. They linked this malicious activity into a single cluster attributed to the Goffee APT group, which has been targeting Russian organizations through phishing attacks since 2022.
The attacks have had tangible consequences: in several cases, affected companies experienced interruptions to core operations. There is very little public information about the group because its operators try to remain undetected and their campaigns are geographically limited, primarily targeting Russia.
Positive Technologies specialists identified the malicious tools the group used in the later stages of its attacks. To maintain remote control and evade detection, Goffee used several new tools, including the sauropsida rootkit, the DQuic and BindSycler traffic tunneling utilities, and the MiRat backdoor. The group also employed older tools, such as owowa, a malicious IIS module that steals the credentials of users logging in to Outlook Web Access, and PowerTaskel, a private agent for the Mythic command-and-control framework.
The researchers also identified the group's network profile: Goffee builds its infrastructure on Russian IP addresses and Russian hosting providers. Because its connections originate inside the country, they resemble ordinary domestic or employee traffic rather than an external intrusion, which reduces the likelihood of detection and defeats geolocation-based filtering that only blocks foreign sources. This lets the attackers deliver malware and establish covert connections during the middle stages of an attack while remaining unnoticed.
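The following is an added illustration, not code from Positive Technologies or from the article, of why a geolocation-only egress policy misses command-and-control hosted on domestic infrastructure, and of one stricter check a defender can apply. The IP ranges, ASN names, and connection records are constructed for the example; the tiny lookup table stands in for a real GeoIP/ASN database.

```python
"""Geo-only vs. ASN-aware egress checks (added example; all data constructed)."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a GeoIP/ASN database: (network, country code, ASN label).
# Ranges are RFC 5737 / RFC 1918 documentation and private space, used only here.
GEO_ASN_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"),      "RU", "CORP-INTERNAL"),        # hypothetical internal range
    (ipaddress.ip_network("203.0.113.0/24"),  "RU", "CORP-OWN-AS"),          # hypothetical company public range
    (ipaddress.ip_network("198.51.100.0/24"), "RU", "HYPOTHETICAL-VPS-RU"),  # hypothetical domestic VPS provider
    (ipaddress.ip_network("192.0.2.0/24"),    "NL", "HYPOTHETICAL-VPS-NL"),  # hypothetical foreign VPS provider
]

TRUSTED_ASNS = frozenset({"CORP-INTERNAL", "CORP-OWN-AS"})
ALLOWED_COUNTRIES = frozenset({"RU"})


def lookup(ip: str) -> tuple[str, str]:
    """Return (country, asn_label) for an IP, or ("??", "UNKNOWN") if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, country, asn in GEO_ASN_TABLE:
        if addr in net:
            return country, asn
    return "??", "UNKNOWN"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dst_port: int


def geo_only_allows(conn: Conn) -> bool:
    """Weak policy: permit egress if the destination geolocates to an allowed country.
    A C2 server rented from a domestic hosting provider passes this check."""
    country, _ = lookup(conn.dst)
    return country in ALLOWED_COUNTRIES


def asn_aware_allows(conn: Conn) -> bool:
    """Stricter policy: country is necessary but not sufficient. Egress to a
    hosting/VPS network that is not on the trusted list is denied (or flagged)
    even when it is domestic."""
    country, asn = lookup(conn.dst)
    return country in ALLOWED_COUNTRIES and asn in TRUSTED_ASNS


# Constructed sample: one workstation talking to three destinations.
SAMPLE_CONNS = [
    Conn("10.1.2.3", "203.0.113.10", 443),  # company's own public service
    Conn("10.1.2.3", "198.51.100.7", 443),  # domestic VPS, attacker-controlled in this scenario
    Conn("10.1.2.3", "192.0.2.9", 443),     # foreign VPS
]


def evaluate(conns: list[Conn]) -> list[tuple[str, bool, bool]]:
    """For each connection return (dst, allowed_by_geo_only, allowed_by_asn_aware)."""
    return [(c.dst, geo_only_allows(c), asn_aware_allows(c)) for c in conns]


if __name__ == "__main__":
    for dst, geo, asn_aware in evaluate(SAMPLE_CONNS):
        print(f"{dst:>15}  geo-only: {'allow' if geo else 'deny '}  asn-aware: {'allow' if asn_aware else 'deny '}")
```

Only the domestic VPS destination separates the two policies: the geo-only filter lets it through, which is exactly the gap the group's choice of Russian hosting exploits, while requiring the destination network to be on an explicit allowlist catches it. In practice the allowlist would be derived from the organization's own ranges and approved SaaS providers, and the deny branch would usually raise an alert rather than block outright, but the decision logic is the same.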