Paper Werewolf APT Spreads EchoGather RAT via Fake Adobe Installer


GBHackers On Security, May 18, 2026


Why It Matters

The campaign demonstrates a high level of sophistication targeting critical Russian sectors, raising the risk of data theft, espionage, and operational disruption for organizations that may lack updated defenses.

Key Takeaways

  • Fake Adobe Reader installer delivers EchoGather RAT via phishing PDF.
  • EchoGather uses “magic” parameter and anti‑virtualization checks to hide C2.
  • PaperGrabber stealer extracts browsers, VPN configs, Telegram sessions.
  • Mythic implants support RSA‑4096 key exchange and 30+ post‑exploitation commands.
  • Campaign targets Russian industrial, financial and transport entities.

Pulse Analysis

Paper Werewolf’s latest operation leverages a deceptively familiar vector: a PDF that prompts users to install what appears to be an Adobe Acrobat update. The ZIP archive delivered by the PDF contains an Inno Setup‑packed executable that mimics Adobe’s installer UI, yet it silently extracts the EchoGather RAT. By embedding the malicious payload in a trusted‑looking document, the group increases click‑through rates among targeted Russian enterprises, especially those in the industrial, finance and transport sectors that rely heavily on PDF‑based workflows.

Beyond the initial drop, the malware chain exhibits advanced evasion and data‑exfiltration techniques. EchoGather now derives a “magic” parameter with the djb2 hash algorithm, and does so only after its anti‑virtualization checks pass, to obscure its C2 endpoint. The newly identified PaperGrabber stealer harvests a wide array of credentials—from browsers and VPN clients to Telegram session files—using Windows DPAPI decryption, and sends the data in 10 MB HTTPS chunks. Additional components, such as JavaScript shellcode downloaders and a C++‑based downloader masquerading as a flight‑school form, reinforce persistence and lateral‑movement capabilities.
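The fixed 10 MB upload size reported for PaperGrabber is the kind of regularity a defender can hunt for in egress telemetry. The following Python script is an added example written for this article, not code from the report or from GBHackers: it scans constructed proxy-log lines (the space-separated field layout, hostnames, client addresses and the alert thresholds are all assumptions for the demo) and flags any client that pushes several near-10 MB POST bodies to the same external host within a short window, which is the traffic shape a chunked exfiltration produces.

```python
"""Hunt for chunked HTTPS exfiltration in proxy logs (added, illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: timestamp, client IP, method, destination host, bytes sent.
# Hostnames and addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2026-05-18T09:00:01Z 10.1.4.22 POST cdn.example-update.test 10485760
2026-05-18T09:00:14Z 10.1.4.22 POST cdn.example-update.test 10485760
2026-05-18T09:00:27Z 10.1.4.22 POST cdn.example-update.test 10485760
2026-05-18T09:00:40Z 10.1.4.22 POST cdn.example-update.test 3145728
2026-05-18T09:01:02Z 10.1.4.31 GET www.example.test 512
2026-05-18T09:05:00Z 10.1.4.31 POST mail.example.test 2097152
"""

CHUNK_SIZE = 10 * 1024 * 1024      # the 10 MB chunk size the report attributes to PaperGrabber
TOLERANCE = 0.02                   # assumed: +/-2% slack for framing/encoding overhead
MIN_CHUNKS = 3                     # assumed: alert once three full-size chunks are seen
WINDOW = timedelta(minutes=5)      # assumed: chunks must fall inside a five-minute window


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, host, bytes)."""
    ts, client, method, host, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, int(nbytes)


def is_full_chunk(nbytes):
    """True when an upload body is within TOLERANCE of the expected chunk size."""
    return abs(nbytes - CHUNK_SIZE) <= CHUNK_SIZE * TOLERANCE


def detect_chunked_uploads(log_text, min_chunks=MIN_CHUNKS, window=WINDOW):
    """Return one alert per (client, host) pair that sent >= min_chunks full-size
    POST bodies inside any sliding window of the given length."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, nbytes = parse_line(line)
        if method == "POST":
            posts[(client, host)].append((ts, nbytes))

    alerts = []
    for (client, host), events in sorted(posts.items()):
        events.sort()
        best, start = 0, 0
        for end, (ts_end, _) in enumerate(events):
            # Slide the window start forward until it fits inside `window`.
            while ts_end - events[start][0] > window:
                start += 1
            full = sum(1 for _, n in events[start:end + 1] if is_full_chunk(n))
            best = max(best, full)
        if best >= min_chunks:
            alerts.append({
                "client": client,
                "host": host,
                "full_chunks": best,
                "total_bytes": sum(n for _, n in events),  # includes the final partial chunk
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chunked_uploads(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['host']}: "
              f"{alert['full_chunks']} full chunks, {alert['total_bytes']} bytes total")
```

The last partial upload (3 MB in the sample) is the trailing remainder of the stolen data set; it is counted in `total_bytes` but not toward the full-chunk threshold, so a single large legitimate upload never trips the rule on its own. Tune `CHUNK_SIZE`, `MIN_CHUNKS` and `WINDOW` to the actual tooling in your environment before deploying a rule like this.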

The breadth of tools and the use of the Mythic framework, which offers RSA‑4096 key exchange and AES‑encrypted sessions, signal a mature threat actor capable of sustained espionage. For defenders, the campaign underscores the necessity of multi‑layered security: email sandboxing, PDF content inspection, and strict controls over unsigned installers. Continuous threat‑intel feeds and behavior‑based detection can help mitigate the risk posed by such sophisticated, region‑focused APT campaigns, protecting both critical infrastructure and sensitive corporate data.

