Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
ID: 9be3b66b-3084-511c-8a6b-c913cfaaa83b
STIX ID: report--9be3b66b-3084-511c-8a6b-c913cfaaa83b
Feed Name: Intezer Blog
This report analyzes a targeted cyber-espionage campaign attributed to Paper Werewolf (GOFFEE) that delivers a 64-bit backdoor called EchoGather via malicious Excel XLL add-ins and WinRAR path-traversal archives exploiting CVE-2025-8088. It describes the loader's DLL_THREAD_DETACH evasion, the backdoor's reconnaissance, beaconing and file transfer capabilities, the C2 infrastructure and the decoy documents, and provides hashes and other IOCs.
