👤 AGONY
🗓️ 22 Dec 2025   🌍 Europe

Phantom Invites and Faked Eagles: The Cyber Saboteurs Stalking Russia’s Military Elite

A shadowy hacker group used bogus New Year concert invitations to infiltrate the Russian defense sector, exposing new fronts in the global cyberespionage war.

On a chilly October morning, a seemingly innocuous invitation landed in the inboxes of Russian military brass - a glitzy summons to a New Year’s concert, complete with official-sounding language and the familiar double-headed eagle crest. But the invitation was a ruse, and the eagle a poorly drawn imposter. By the time unsuspecting recipients opened the attached Excel file, it was already too late: a silent backdoor had slipped into their systems, ready to siphon secrets out from the heart of Russia’s defense machine.

Cybersecurity researchers at Intezer, a New York-based firm, first uncovered the campaign after spotting a suspicious XLL file on VirusTotal, uploaded from both Ukraine and Russia. The file, brazenly titled “enemy’s planned targets,” acted as a trojan horse: once opened in Excel, it downloaded EchoGather, a stealthy backdoor that granted attackers remote access to the compromised machine.
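The delivery vehicle described above, an XLL add-in that Excel loads as native code, is the part of the chain a mail gateway can catch before anyone opens it. The following is an added example, not code from the article or from Intezer: it triages inbound attachments and flags anything that is an Office add-in DLL, anything that carries a Windows executable header behind a document-style name, and double extensions of the kind used to dress a DLL up as a spreadsheet. The attachment names and bytes are constructed for the example; the point is that an XLL is a PE file, so a policy keyed on the `MZ` header holds regardless of the filename.

```python
"""Attachment triage for Excel add-in (XLL) delivery.

Added example (not the article's or Intezer's code). An XLL is a
native Windows DLL, so it starts with the PE 'MZ' signature whatever
it is called. The checks below flag: add-in extensions, PE content,
PE content hiding behind a document extension, and double extensions.
Sample attachments are constructed for this example.
"""
from dataclasses import dataclass, field

PE_MAGIC = b"MZ"
# Native add-in DLLs that Excel (.xll) and Word (.wll) will load and run.
ADDIN_EXTENSIONS = {".xll", ".wll"}
# Document-looking extensions attackers borrow for lure filenames.
DOCUMENT_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".pdf"}


@dataclass
class Verdict:
    filename: str
    flagged: bool
    reasons: list = field(default_factory=list)


def extensions_of(filename: str) -> list:
    """All dotted suffixes, lowercased: 'a.xlsx.xll' -> ['.xlsx', '.xll']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict listing every reason the attachment looks like
    executable code delivered under the guise of a document."""
    reasons = []
    exts = extensions_of(filename)
    final_ext = exts[-1] if exts else ""

    if final_ext in ADDIN_EXTENSIONS:
        reasons.append("office add-in extension %s" % final_ext)

    # Content check: a PE header means native code, not a spreadsheet.
    if data[:2] == PE_MAGIC:
        reasons.append("PE (MZ) header: native code, not a document")
        if final_ext in DOCUMENT_EXTENSIONS:
            reasons.append("document extension on an executable")

    # Name check: 'invite.xlsx.xll' is a DLL wearing a spreadsheet name.
    if len(exts) > 1 and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension %s" % "".join(exts))

    return Verdict(filename, bool(reasons), reasons)


def triage_samples() -> list:
    """Run the triage over constructed sample attachments."""
    # Constructed bytes: a PE stub starts with 'MZ'; an OOXML workbook is
    # a zip archive and starts with 'PK\x03\x04'.
    pe_stub = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
    xlsx_stub = b"PK\x03\x04" + b"\x00" * 26
    samples = [
        ("New_Year_Concert_Invitation.xll", pe_stub),   # lure add-in
        ("enemy_targets.xlsx.xll", pe_stub),            # double extension
        ("budget.xlsx", xlsx_stub),                     # benign workbook
        ("report.xls", pe_stub),                        # DLL renamed to .xls
    ]
    return [triage_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for v in triage_samples():
        status = "FLAG" if v.flagged else "ok  "
        print(status, v.filename, "; ".join(v.reasons))
```

In a gateway the flagged verdicts would feed quarantine rather than a print loop; the content check is the one worth keeping even if the extension lists drift, because renaming the file does not change its first two bytes.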

The attackers’ ingenuity lay in their social engineering. They crafted phishing lures in Russian, targeting high-value personnel with fake event invites and forged ministry letters. Yet, cracks were visible: the language was off, and the national emblem looked more like clip art than a symbol of state power. These errors, researchers say, hint at the group’s ongoing efforts to refine its tactics - and perhaps its origins outside Russia.

Goffee, the group behind the campaign, has previously drawn the attention of Russian cybersecurity companies and is no stranger to custom malware. Past attacks saw them exploiting obscure vulnerabilities and even stealing files from USB drives on Russian networks. While espionage remains their main goal, there’s evidence they’ve also disrupted operations, signaling a willingness to cross the line from spying to sabotage.

The most recent campaign also highlights a growing trend: as the Russia-Ukraine conflict drags on, cyber operations once shrouded in secrecy are surfacing more often - and targeting the very core of Russia’s defense establishment. Yet, the true impact of Goffee’s latest ploy remains unclear. Were secrets stolen? Were operations compromised? For now, the answers are hidden behind the digital curtain.

As cyber battle lines shift and new actors emerge, the story of Goffee’s fumbled fakes and evolving malware is a reminder: in the high-stakes world of cyberespionage, even the smallest invitation can be a Trojan horse - and the next big breach may be just a click away.

WIKICROOK

  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • XLL File: An XLL file is a Microsoft Excel add-in that adds custom features, but can also be misused by hackers to deliver malware or malicious code.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.

Tags: Cybersecurity, Phishing, Goffee
