Cyber spies use fake New Year concert invites to target Russian military
2025-12-22 18:01:42 Source: therecord.media

A little-known cyberespionage group has launched a new campaign targeting Russian military personnel and defense-industry organizations, according to new research.

The campaign surfaced earlier in October after researchers at the New York-based cybersecurity firm Intezer identified a malicious XLL file uploaded to VirusTotal, first from Ukraine and later from Russia. The file, titled “enemy’s planned targets,” was designed to automatically execute malicious code when opened in Excel.

When launched, the file downloaded a previously undocumented backdoor dubbed EchoGather, which allowed attackers to collect system information, execute commands and transfer files. The stolen data was sent to a command-and-control server disguised as a food delivery website.
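An XLL is a native Windows DLL that Excel loads as an add-in; on load Excel calls the exported function xlAutoOpen, which is what lets a malicious XLL run code as soon as it is opened. The following Python triage script is an added example written for this page, not code from Intezer's report or from the Goffee sample. It flags files that carry a PE header together with the XLL entry-point export names, and it flags executables that hide behind a spreadsheet extension. The file names, the constructed byte blobs and the substring search for export names are assumptions of the example; a production check would parse the PE export directory rather than scanning for strings, and a hit means "inspect", not "malicious", since legitimate add-ins export the same names.

```python
"""Triage for suspicious Excel add-in (XLL) files.

Heuristic, not a verdict: a native DLL exporting xlAutoOpen will run when
Excel loads it, which is the behaviour the article describes, but benign
add-ins export the same function. All sample files below are constructed in
memory for the demonstration (assumption); they are not real malware.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Entry points Excel looks up in an XLL add-in (well-documented Excel SDK names).
XLL_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")
SPREADSHEET_EXT = {".xls", ".xlsx", ".xlsm", ".csv"}


@dataclass
class Verdict:
    name: str
    is_pe: bool
    xll_exports: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_pe(data: bytes) -> bool:
    """True if the blob has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name: str, data: bytes) -> Verdict:
    """Inspect one file and record why (if at all) it deserves analyst attention."""
    pe = is_pe(data)
    verdict = Verdict(name=name, is_pe=pe)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if not pe:
        return verdict  # Office documents and CSVs are not native executables
    # Export names live as ASCII strings in the PE export name table, so a
    # substring scan is a cheap first pass (assumption: no packing/obfuscation).
    verdict.xll_exports = [e.decode() for e in XLL_EXPORTS if e in data]
    if "xlAutoOpen" in verdict.xll_exports:
        verdict.reasons.append("native DLL exporting xlAutoOpen: runs when Excel loads it")
    if ext in SPREADSHEET_EXT:
        verdict.reasons.append(f"PE executable carrying spreadsheet extension {ext}")
    return verdict


def _fake_pe(tail: bytes) -> bytes:
    """Constructed sample: DOS header with e_lfanew = 0x40, then a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + tail


# Constructed inputs (assumption): an XLL-style DLL, a plain DLL renamed to
# .xlsx, and a genuine ZIP-based workbook.
SAMPLES: dict[str, bytes] = {
    "planned_targets.xll": _fake_pe(b"\x00" * 16 + b"xlAutoOpen\x00xlAutoClose\x00"),
    "pricing.xlsx": _fake_pe(b"\x00" * 16 + b"DllMain\x00"),
    "concert_invite.xlsx": b"PK\x03\x04" + b"\x00" * 60,
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> list[Verdict]:
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for v in triage_all():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.name:22} pe={v.is_pe!s:5} exports={v.xll_exports} {flag}")
        for r in v.reasons:
            print(f"    - {r}")
```

Run as a script it prints one line per sample; in practice you would feed it the output of a mail gateway or a VirusTotal download and route anything flagged to sandbox detonation, since the heuristic tells you only that the file can execute on open, not what the payload does.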

While the group, Goffee, has been active since at least 2022, public reporting by Western researchers on cyber operations targeting Russian organizations remains relatively uncommon due to limited visibility into Russian networks.

To entice victims, Goffee hackers relied on phishing lures written in Russian, including a fake invitation to a concert for senior military officers, Intezer said in a report on Friday. That document, however, showed clear signs of artificial generation, including linguistic errors and a distorted imitation of Russia’s double-headed eagle emblem that looked more like a generic bird than the national crest.

Another lure impersonated a letter from a deputy at Russia’s Ministry of Industry and Trade, requesting pricing justification documents related to state defense contracts. The letter was addressed to large defense and high-tech enterprises, which Intezer said were likely the intended targets.

It is unclear how successful the attacks were or what specific information the hackers were seeking.

“The threat actor appears to be actively exploring new methods to evade detection,” the researchers said. “However, there are still clear gaps in both technical execution and linguistic accuracy, indicating that their tradecraft is still developing.”

Goffee, also known as Paper Werewolf, has been active since at least 2022 and is believed by researchers to be pro-Ukrainian, though its exact origin has not been confirmed. Most previous reporting on the group has come from Russian cybersecurity companies.

In April, Kaspersky reported that Goffee used custom malware to steal sensitive files from USB flash drives connected to Russian systems. In August, BI.ZONE said the group had exploited a zero-day vulnerability alongside a known flaw in the WinRAR file archiver in attacks on Russian organizations.

While espionage remains the group’s primary objective, BI.ZONE has previously noted at least one case in which the attackers disrupted operations inside a compromised network.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Source: https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing