APT trends report Q3 2023
2023-10-17 • Kaspersky
While tracking Dark Caracal’s activity, we discovered an ongoing campaign targeting public and private sector entities in multiple Spanish-speaking countries. We refer to the malicious campaign of attacks that leverage both Owowa and the email-based intrusion chain against common targets in Russia as “GOFFEE”. This group has been referenced as a “cyber mercenary threat group” due to the variety of targets and the apparent targeting of multiple governments in its campaigns. This email contained a link leading to a password-protected archive hosted on Google Drive, which represented the first stage of the infection – an obfuscated .NET binary that tried to pass itself off as an OpenVPN binary when in fact it was a malware loader.