The Paper Werewolf cluster, also known as GOFFEE, has increased its activity, targeting Russian organizations in government, energy, finance, and media sectors. Their primary method involves phishing emails with malicious Microsoft Word attachments containing macros. The group has evolved from cyber espionage to actively disrupting compromised infrastructures. They utilize PowerShell scripts, custom malware, and post-exploitation frameworks like Mythic. The attackers employ techniques such as reverse shells, credential interception, and destructive actions like changing passwords and deleting registry keys. Their arsenal includes tools like PowerRAT, Owowa, and Chisel. The group's sophisticated approach combines open-source frameworks with custom implants, making detection challenging.