Rising Threat: Hacker Group Targets Russian Devices for Covert Crypto Mining

The hacker group known as Librarian Ghouls, also referred to as Rare Werewolf, has infiltrated hundreds of Russian devices for covert cryptocurrency mining. This information was reported by experts from Kaspersky Lab.

The attackers gained access through phishing emails disguised as communications from legitimate organizations, posing as official documents or payment orders.

Once a computer is infected with the malware, the hackers establish remote access and disable security systems, including Windows Defender. They configure the device to turn on at 1 AM and turn off at 5 AM, effectively hiding their activities from the user, according to Kaspersky Lab’s assessment.

During this time frame, they also steal login credentials. Before activating the miner, the intruders gather system information such as RAM size, CPU core count, and graphics card data, which allows them to tune the cryptocurrency mining software to the machine. While the miner operates, the hackers maintain contact with the mining pool, sending requests every minute.
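The two behaviours described above (Defender switched off, and a host contacting one destination roughly once a minute only inside the 1 AM to 5 AM window) are hunt-able in endpoint telemetry. The following is an added illustration, not code from Kaspersky's report; the log format, hostnames and addresses are constructed, and the thresholds are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not from the report): per-host outbound
# connections and a Defender state change, one event per line.
SAMPLE_LOG = """\
2025-01-14T01:00:05 host-a defender_realtime=off
2025-01-14T01:01:00 host-a conn dst=198.51.100.7:3333
2025-01-14T01:02:00 host-a conn dst=198.51.100.7:3333
2025-01-14T01:03:01 host-a conn dst=198.51.100.7:3333
2025-01-14T01:04:00 host-a conn dst=198.51.100.7:3333
2025-01-14T01:05:00 host-a conn dst=198.51.100.7:3333
2025-01-14T09:15:00 host-b conn dst=203.0.113.9:443
2025-01-14T09:47:00 host-b conn dst=203.0.113.9:443
2025-01-14T10:02:00 host-b conn dst=203.0.113.9:443
"""

def parse(log_text):
    """Split each line into (timestamp, host, remainder)."""
    events = []
    for line in log_text.splitlines():
        ts, host, rest = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, rest))
    return events

def in_night_window(ts, start_hour=1, end_hour=5):
    """True if the event falls in the 01:00-05:00 window the report describes."""
    return start_hour <= ts.hour < end_hour

def find_miner_beacons(log_text, period=60, tolerance=5, min_hits=4):
    """Return (host, dst) pairs that beacon about every `period` seconds and
    only at night, plus hosts where Defender real-time protection went off.
    Thresholds are assumed values for illustration."""
    conns, defender_off = {}, set()
    for ts, host, rest in parse(log_text):
        if rest.startswith("conn dst="):
            conns.setdefault((host, rest[len("conn dst="):]), []).append(ts)
        elif rest == "defender_realtime=off":
            defender_off.add(host)
    beacons = []
    for key, times in conns.items():
        times.sort()
        if len(times) < min_hits or not all(in_night_window(t) for t in times):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:  # steady ~1-minute cadence
            beacons.append(key)
    return beacons, sorted(defender_off)
```

Run on the sample it flags host-a for both behaviours and ignores host-b, whose daytime connections are irregular; on real data, pair the beacon check with a denylist of known pool endpoints.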

The campaign began in December 2024 and is still ongoing. Hundreds of Russian users have been affected, predominantly industrial enterprises and technical universities, with isolated cases reported in Belarus and Kazakhstan.

The origin of the group remains unknown. Analysts noted that the phishing emails are written in Russian and contain archives with Russian filenames and bait documents. This suggests that the campaign is likely targeting Russian-speaking users or residents of Russia.

Experts speculate that the Librarian Ghouls might be a group of so-called hacktivists. They utilize legitimate third-party software instead of developing their own malicious code, a common characteristic of such groups. According to another company, BI.ZONE, the Rare Werewolf group has been active since at least 2019.

Additionally, it is worth mentioning that in December 2024, Kaspersky Lab analysts reported on a new scam on YouTube.