Fortune-Telling on Goffee Grounds: Current Tools and Features of the Goffee Group in Attacks on Russia

Goffee conducts stealthy, long-term intrusion campaigns, primarily against Russian organizations, combining previously known tools (owowa, PowerTaskel) with newly discovered later-stage tools (DQuic, MiRat, BindSycler and the Sauropsida rootkit) to maintain persistence while minimizing visibility. To blend with legitimate internal traffic, the group routes malware delivery and tunneling through Russian IP addresses and local hosting providers. At the same time, its consistent packaging patterns, network profile and traffic-encryption characteristics make the activity attributable to Goffee with high confidence. #Goffee #DQuic

Keypoints

  • Goffee targets mainly Russian organizations and has been active for over two years with limited public visibility.
  • Newly discovered later-stage tools include DQuic, MiRat, BindSycler, and the Sauropsida rootkit.
  • Previously known tools such as owowa and PowerTaskel remain in use and relevant to investigations.
  • The group employs Russian IP addresses and local hosting providers to reduce detection and mimic internal actors.
  • Russian IPs are primarily used in intermediate stages for malware delivery and tunneling.
  • Consistent packaging patterns, network profile, and traffic-encryption characteristics enable high-confidence attribution to Goffee.
  • Attacks have caused tangible impacts, including disrupted business processes at Russian organizations.

MITRE Techniques

  • [T1071] Application Layer Protocol – Tunneling and delivering malware over Russian-hosted infrastructure (“…used at intermediate stages—for delivering malware or setting up tunneling…”)
  • [T1090] Proxy – Establishing tunnels through Russian IP addresses and hosting providers to mask external access (“…setting up tunneling…”)
  • [T1014] Rootkit – Deployment of the Sauropsida rootkit to maintain persistence and hide activity (“…Sauropsida rootkit…”)
  • [T1573] Encrypted Channel – Encrypting command-and-control traffic to minimize visibility and evade detection (“…traffic-encryption characteristics…”)

Indicators of Compromise

  • [Tool names] Malware/tools observed – DQuic, MiRat, BindSycler, Sauropsida rootkit, owowa, PowerTaskel
  • [Network] IP/hosting profile – Russian IP addresses and local hosting providers used for delivery/tunneling (no specific IPs published)


Read more: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/fortune-telling-on-goffee-grounds