Cybersecurity firm Kaspersky has warned of an ongoing cryptojacking campaign by the Librarian Ghouls (also known as Rare Werewolf) hacker group. According to Kaspersky, the group has compromised hundreds of Russian devices, primarily between December and the present, focusing on industrial enterprises and engineering schools, and also affecting users in Belarus and Kazakhstan.

The attack vector involves malware-laced phishing emails that appear legitimate, often mimicking official documents or payment orders from known organizations. Once a device is infected (Monday’s report highlights techniques observed in January), remote access is established, Windows Defender is disabled, and the compromised computer is scheduled to power on at 1 AM and shut down around 5 AM. This overnight window lets the threat actors maintain persistent access and exfiltrate sensitive data while the machine is otherwise unattended.

Exploitation and Configuration Phase

After infiltration, attackers collect detailed hardware information, including CPU core counts, available RAM, and GPU details to configure the crypto-mining operation for optimal resource utilization before deployment.

During active mining, a persistent connection to a specified cryptocurrency mining pool is maintained, sending status update requests every 60 seconds.
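The two behaviours described above, the 1 AM power-on / 5 AM shutdown schedule and the fixed 60-second pool check-in, are both detectable from ordinary host and network telemetry. The following is an added defender-side example, not code from Kaspersky's report or from the campaign; it runs two heuristics over constructed sample data. The scheduled-task records assume a flattened export with a wake-to-run flag and trigger time (an assumed schema), and the flow log, hosts and pool address are placeholders, not indicators from the report.

```python
"""
Defender-side heuristics for the two behaviours described in the text:
  1. A host scheduled to power on around 01:00 and shut down around 05:00.
  2. A mining process contacting a pool on a fixed ~60-second cadence.

All sample data below is CONSTRUCTED for illustration; task names, hosts
and the pool address are placeholders, not indicators from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# --- 1. Off-hours wake / power tasks ------------------------------------
# Constructed records resembling flattened scheduled-task creation events.
# Fields: task name, command the task runs, trigger time (HH:MM), and
# whether the task may wake the machine (assumed field name).
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "defrag.exe -c", "trigger": "01:00", "wake_to_run": False},
    {"name": "\\Updater", "command": "cmd.exe /c start rdp_tool.exe",
     "trigger": "01:00", "wake_to_run": True},
    {"name": "\\Cleanup", "command": "shutdown.exe /s /t 0",
     "trigger": "04:55", "wake_to_run": False},
    {"name": "\\Backup", "command": "robocopy.exe C:\\data D:\\bak",
     "trigger": "22:00", "wake_to_run": False},
]

# Built-in Windows binaries that can power a machine off or reboot it.
POWER_COMMANDS = ("shutdown.exe", "powercfg")


def in_window(hhmm, start_hour=1, end_hour=5):
    """True if HH:MM falls inside [start_hour, end_hour] (inclusive)."""
    h, m = map(int, hhmm.split(":"))
    return start_hour <= h + m / 60 <= end_hour


def find_off_hours_power_tasks(tasks, start_hour=1, end_hour=5):
    """Return names of tasks that either wake the machine or run a power
    command inside the suspicious window (default 01:00-05:00)."""
    hits = []
    for t in tasks:
        if not in_window(t["trigger"], start_hour, end_hour):
            continue
        cmd = t["command"].lower()
        if t["wake_to_run"] or any(p in cmd for p in POWER_COMMANDS):
            hits.append(t["name"])
    return hits


# --- 2. Fixed-cadence outbound connections ------------------------------
# Constructed outbound connection log: "timestamp src dst:port".
SAMPLE_FLOWS = """
2025-01-15T01:05:00 10.0.0.7 198.51.100.23:3333
2025-01-15T01:06:00 10.0.0.7 198.51.100.23:3333
2025-01-15T01:06:59 10.0.0.7 198.51.100.23:3333
2025-01-15T01:08:01 10.0.0.7 198.51.100.23:3333
2025-01-15T01:09:00 10.0.0.7 198.51.100.23:3333
2025-01-15T01:10:00 10.0.0.7 198.51.100.23:3333
2025-01-15T01:05:12 10.0.0.7 203.0.113.10:443
2025-01-15T01:05:40 10.0.0.7 203.0.113.10:443
2025-01-15T01:07:03 10.0.0.7 203.0.113.10:443
2025-01-15T01:12:30 10.0.0.7 203.0.113.10:443
2025-01-15T01:13:00 10.0.0.7 203.0.113.10:443
2025-01-15T01:13:05 10.0.0.7 203.0.113.10:443
""".strip().splitlines()


def parse_flows(lines):
    """Group connection timestamps by (src, dst:port)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_periodic_beacons(lines, period=60, tolerance=3, min_count=5, min_ratio=0.8):
    """Flag (src, dst) pairs whose inter-connection gaps cluster around
    `period` seconds. Returns pair -> (median gap, fraction of gaps on cadence)."""
    hits = {}
    for pair, times in parse_flows(lines).items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        on_cadence = sum(1 for g in gaps if abs(g - period) <= tolerance)
        ratio = on_cadence / len(gaps)
        if ratio >= min_ratio:
            hits[pair] = (median(gaps), ratio)
    return hits


if __name__ == "__main__":
    print("off-hours wake/power tasks:", find_off_hours_power_tasks(SAMPLE_TASKS))
    for (src, dst), (med, ratio) in find_periodic_beacons(SAMPLE_FLOWS).items():
        print(f"periodic beacon {src} -> {dst}: median gap {med:.0f}s, "
              f"{ratio:.0%} of gaps on cadence")
```

The beacon heuristic deliberately tolerates small jitter (a few seconds around the 60-second period) and ignores flows with too few samples, so that ordinary browsing to the same host, which has irregular gaps, is not flagged. The scheduled-task check is intentionally broad: any wake-to-run task or power command in the overnight window is worth a look, since legitimate maintenance tasks that match can be allow-listed by name.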

Kaspersky noted the group’s sophisticated and evolving tactics, which now include refining its phishing campaigns, deploying remote access tools stealthily, and registering unauthorized accounts as legitimate ones to facilitate exfiltration.

Origin and Targets

The origin of the Librarian Ghouls group remains undetermined. However, the use of Russian language in phishing emails—including specific Russian filenames and decoys—suggests the primary targets are individuals or organizations within the Russian-speaking sphere, potentially including their military-industrial base.

An alternative analysis by the Russian cybersecurity firm BI.ZONE places the group’s operational history at least as far back as late 2019, operating under the Rare Werewolf moniker.

Operational Profile and Potential Motives

Kaspersky finds the Librarian Ghouls’ reliance on readily available third-party software and legitimate utilities rather than custom malicious binaries noteworthy.

Speaking to possible motives, some analysts speculate Librarian Ghouls could be hacktivists employing hacking as a form of civil disobedience to further a political agenda, a tactic previously noted among similarly named groups. Financial gain via cryptojacking remains the primary operational method, though non-financial, politically motivated hacking cannot be entirely discounted given the persistent and targeted nature of the campaign.