Beyond Macros: Paper Werewolf’s “EchoGather” Backdoor Exploits Excel XLLs
The Excel format—long regarded as a harmless office staple—is increasingly being exploited as an entry point for cyberattacks. At the center of this trend are XLL files, specialized Excel add-ins that are, in reality, native Windows DLL libraries capable of executing arbitrary code immediately upon loading. This very mechanism was leveraged in late 2025 by the cyber-espionage group known as Paper Werewolf, which targeted Russian organizations using a newly identified backdoor.
Although attackers began experimenting with XLL files in the late 2010s, the format surged in popularity after 2021, when it was widely adopted by both advanced persistent threat (APT) groups and the operators of well-known malware families such as Agent Tesla and Dridex. Unlike macros—which run within Excel’s constrained environment and are accompanied by security warnings—XLL add-ins are loaded directly as compiled Windows code and enjoy unrestricted system access. This makes them markedly more dangerous and significantly harder to detect.
In late October 2025, researchers uncovered suspicious XLL samples uploaded to VirusTotal. The files bore distinctly Russian-language titles—such as “Planned Targets of the Enemy.xll” and “Planned Targets of the Enemy DO NOT RUN.xll”—apparently designed to masquerade as internal documents and reduce the likelihood of triggering defensive scrutiny. Embedded within these XLL files was the second stage of the attack: a previously undocumented backdoor later dubbed EchoGather.
Once the Excel add-in is loaded, the malicious code does not activate immediately. Instead, it triggers at an unusual moment—when one of Excel’s threads terminates—allowing it to slip past behavioral defenses that focus on early execution stages. An executable payload is then quietly dropped onto the victim’s machine, where it begins collecting detailed system information and establishes contact with a command-and-control server.
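The two points above, that an .xll is a native Windows DLL and that this sample fires on thread termination rather than through Excel's add-in entry points, can be checked statically. The triage helper below is an added defender-side example, not code from the original report or from the researchers: it reads the PE32/PE32+ headers with the standard library only and lists the export table, so an analyst can confirm a suspicious .xll is a DLL and see whether it exposes the documented xlAuto* add-in interface (the XLL_INTERFACE names are Excel's documented add-in exports; the parser assumes a well-formed image).

```python
import struct

# Exports Excel looks up in an XLL add-in (the documented xlAuto* interface).
XLL_INTERFACE = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
                 "xlAutoRegister", "xlAutoRegister12", "xlAutoFree", "xlAutoFree12",
                 "xlAddInManagerInfo", "xlAddInManagerInfo12"}

def _rva_to_off(sections, rva):
    # Map a relative virtual address to a file offset via the section table.
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError("RVA 0x%x outside any section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def pe_export_names(data):
    """Return the exported symbol names of a PE image (empty list if it has none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image (bad PE signature)")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                   # PE32+ vs PE32 data directories
    exp_rva = struct.unpack_from("<I", data, dd)[0]              # directory entry 0 = export table
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    exp = _rva_to_off(sections, exp_rva)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]        # NumberOfNames
    table = _rva_to_off(sections, struct.unpack_from("<I", data, exp + 32)[0])  # AddressOfNames
    return [_cstr(data, _rva_to_off(sections, struct.unpack_from("<I", data, table + 4 * i)[0]))
            for i in range(n_names)]

def triage_xll(data):
    """Static first look at an .xll: is it a DLL, and which exports does it expose?"""
    names = pe_export_names(data)
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    is_dll = bool(struct.unpack_from("<H", data, pe + 22)[0] & 0x2000)  # IMAGE_FILE_DLL
    return {"is_dll": is_dll, "exports": names,
            "xll_interface": sorted(n for n in names if n in XLL_INTERFACE),
            "other_exports": sorted(n for n in names if n not in XLL_INTERFACE)}
```

Excel calls xlAutoOpen when an add-in loads, but the thread-termination trigger described above is consistent with code in the DLL's own entry point (DllMain receives thread-detach notifications), which no export list reveals, so a clean-looking xlAuto* interface confirms that the file is a native add-in, not that it is benign.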
EchoGather harvests a broad array of data, including IPv4 addresses, operating system type and architecture, the computer’s NetBIOS name, the username and workstation domain, process identifiers, executable paths, and a static version string labeled 1.1.1.1. This information is Base64-encoded and transmitted to the control server at regular intervals of several minutes. The backdoor is capable of executing commands, exfiltrating files, and writing data to the infected system at the operator’s direction; it functions reliably through proxies and deliberately ignores SSL certificate validation errors.
The campaign’s infrastructure was disguised behind seemingly innocuous domains, some of which initially routed traffic through Cloudflare before later migrating to IP addresses geographically associated with Russia. Beyond XLL add-ins, the attackers employed additional delivery vectors, including malicious WinRAR archives that exploited an NTFS alternate data streams vulnerability. When extracted, these archives could stealthily deposit files into sensitive system locations, including the Windows startup folder.
Simultaneously with the malware’s execution, victims were presented with decoy documents—purportedly official letters and invitations written in Russian. Closer inspection revealed telltale anomalies: incorrect Cyrillic characters (such as using “Д” instead of “Л”), misspellings like “праздиика” in place of “праздника,” and awkward phrasing—“with deep respect invites”—that sounded unnatural in formal business correspondence. In one document, the official seal featuring the state emblem appeared as a distorted double-headed eagle, further suggesting the possible use of generative tools.
Analysis of the supporting infrastructure, similarities among the lure documents, and overlaps in exploited vulnerabilities enabled researchers to attribute the campaign to Paper Werewolf, also known as GOFFEE. The group has previously relied on WinRAR vulnerabilities and focused on attacks against Russian entities; it now appears to be experimenting with new malware delivery formats, including XLL files.
This campaign is notable not only for its technical sophistication but also because public reporting on such attacks remains relatively rare. The use of XLL add-ins and a novel backdoor underscores the attackers’ intent to evade detection and circumvent defensive controls. Yet even amid these innovations, weaknesses remain visible—from careless linguistic camouflage to formulaic lure documents—indicating an operation still evolving and testing its tools in the wild.