The hacker group Librarian Ghouls, also known as Rare Werewolf, has compromised hundreds of Russian devices for covert cryptocurrency mining. This was reported by experts from Kaspersky Lab.
Infection Method
The attackers gained access to systems through phishing emails disguised as messages from legitimate organizations; the attachments pose as official documents or payment orders.
Once a computer is infected, the attackers establish a remote connection and disable security software, including Windows Defender. They then schedule the machine to wake at one in the morning and shut down at five in the morning, so the mining runs while the user is away from the keyboard. According to Kaspersky Lab, this is what lets the attackers hide their activity from the user.
During this window they also steal credentials. Before launching the miner, they collect system information (RAM size, number of processor cores, graphics card details) and use it to tune the mining program for the hardware. While the miner is running, it keeps in touch with the mining pool, sending a request every minute.
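The traits described above (an early-morning wake/shutdown schedule, disabled Defender, a long-running process talking to an external pool) are all things a defender can check for on a host. The PowerShell script below is an added hunting example; it is not from the Kaspersky report or from this article. The 01:00 and 05:00 hours come from the article; the shutdown.exe action, the 30-day look-back, the 300-second CPU threshold and the private-address filter are assumptions chosen for illustration, not indicators published by the source.

```powershell
# Added hunting script (not from the Kaspersky report). Run in an elevated PowerShell session.
# Assumptions: only the 01:00/05:00 hours come from the article; thresholds and the
# shutdown.exe check are illustrative.

# 1. Scheduled tasks that start in the 01:00-05:59 window, wake the machine, or run shutdown.exe:
#    the "on at one, off at five" pattern.
$tasks = foreach ($task in Get-ScheduledTask) {
    $hours = foreach ($trig in $task.Triggers) {
        if ($trig.StartBoundary) { try { ([datetime]$trig.StartBoundary).Hour } catch {} }
    }
    $inWindow     = @($hours | Where-Object { $_ -ge 1 -and $_ -le 5 }).Count -gt 0
    $wakes        = [bool]$task.Settings.WakeToRun
    $runsShutdown = @($task.Actions | Where-Object { $_.Execute -match 'shutdown' }).Count -gt 0
    if ($inWindow -or $wakes -or $runsShutdown) {
        [pscustomobject]@{
            Task         = $task.TaskPath + $task.TaskName
            StartHours   = ($hours -join ',')
            WakeToRun    = $wakes
            RunsShutdown = $runsShutdown
            Actions      = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Author       = $task.Author
        }
    }
}
"== Scheduled tasks matching the wake/shutdown pattern =="
$tasks | Format-Table -AutoSize

# 2. Defender state, plus any exclusions that may have been added while disabling it.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
"== Defender status =="
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    ExclusionPaths            = ($pref.ExclusionPath -join '; ')
    ExclusionProcesses        = ($pref.ExclusionProcess -join '; ')
} | Format-List

# 3. Event trail: Defender real-time protection disabled (Operational log, event 5001) and
#    shutdowns initiated by a process (System log, User32 event 1074) between 04:00 and 05:59.
$since = (Get-Date).AddDays(-30)   # 30-day look-back is an arbitrary choice
"== Defender real-time protection disabled events =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
"== Early-morning shutdown events =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated.Hour -ge 4 -and $_.TimeCreated.Hour -le 5 } |
    Select-Object TimeCreated, Message | Format-List

# 4. Miner candidates: processes holding established connections to non-private addresses
#    with a large accumulated CPU time (a miner that polls its pool every minute keeps such a
#    connection alive). The 300-second threshold is an arbitrary illustration.
$private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
"== Processes with external connections and high CPU time =="
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $private } |
    Group-Object OwningProcess | ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        if ($proc -and $proc.CPU -gt 300) {
            [pscustomobject]@{
                Pid        = $proc.Id
                Name       = $proc.ProcessName
                Path       = $proc.Path
                CpuSeconds = [int]$proc.CPU
                Remotes    = ($_.Group | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique) -join ' '
            }
        }
    } | Format-Table -AutoSize
```

Any hit from step 1 should be read together with steps 2 and 3: a legitimate backup job may also wake the machine at night, but a task that does so on a host whose real-time protection was switched off, with a 1074 shutdown at five in the morning, matches the behaviour the report describes and deserves a closer look at the task's action and author.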
When the Attacks Began
The campaign began in December 2024 and continues to this day. Hundreds of Russian users have been affected, mainly industrial enterprises and technical universities. Isolated cases have been recorded in Belarus and Kazakhstan.
The origin of the group has not been established. Analysts noted that the phishing emails are written in Russian, contain archives with Russian names, and include decoy documents. This suggests that the campaign likely targets Russian-speaking users or residents of Russia.
Experts speculate that Librarian Ghouls may be hacktivists. The group relies on legitimate third-party software rather than developing its own malicious code, a trait characteristic of such collectives. According to another company, BI.ZONE, the Rare Werewolf group has been active since at least 2019.
