The hacker group known as Librarian Ghouls—also referred to as Rare Werewolf—has infiltrated hundreds of Russian devices to mine cryptocurrency, in what appears to be a large-scale cryptojacking operation, according to cybersecurity firm Kaspersky.
In a report released Monday, Kaspersky revealed that the group spreads malware via phishing emails that mimic official messages, such as documents or payment orders from seemingly legitimate organizations.

Hackers Gather Device Info Before Launching Crypto Mining
Once a device is infected, the hackers establish a remote connection and disable security features like Windows Defender. The compromised system is then programmed to automatically power on at 1 a.m. and shut down at 5 a.m.—a window the attackers exploit to deepen remote access and extract login credentials.
“Our assessment is that this tactic helps attackers remain undetected, preventing users from realizing their device has been hijacked,” Kaspersky explained.
During this period, the hackers also gather details about the device’s hardware—such as available RAM, CPU cores, and GPUs—in order to fine-tune the crypto miner for maximum efficiency before deploying it.
While the crypto miner is active, the hackers maintain a steady connection to the mining pool, sending requests every 60 seconds, according to Kaspersky.
“The attackers are constantly evolving their tactics,” the firm noted, “expanding beyond data theft to include the deployment of remote access tools and the use of phishing websites to compromise email accounts.”
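The two timing details above (activity confined to the 1 a.m. to 5 a.m. window and a pool request every 60 seconds) can be hunted for in outbound connection logs. The following is an added example, not code from Kaspersky's report; the log format, hostnames, jitter tolerance and event threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW_START, WINDOW_END = 1, 5   # hours from the report: 1 a.m. to 5 a.m.
BEACON_PERIOD = 60.0              # seconds between pool requests, per the report
TOLERANCE = 5.0                   # assumed allowed jitter, in seconds
MIN_EVENTS = 10                   # assumed minimum events before flagging

def find_night_beacons(records):
    """records: iterable of (iso_timestamp, host, destination) tuples.
    Returns sorted (host, destination) pairs that connect about every
    60 s inside the 01:00-05:00 window."""
    by_pair = defaultdict(list)
    for ts, host, dest in records:
        t = datetime.fromisoformat(ts)
        if WINDOW_START <= t.hour < WINDOW_END:
            by_pair[(host, dest)].append(t)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - BEACON_PERIOD) <= TOLERANCE]
        # The typical gap must match and at least 80% of gaps must be regular.
        typical_ok = abs(median(gaps) - BEACON_PERIOD) <= TOLERANCE
        if typical_ok and len(regular) >= 0.8 * len(gaps):
            flagged.append(pair)
    return sorted(flagged)

def sample_records():
    """Constructed sample data, not taken from any real incident."""
    night = datetime(2025, 1, 15, 1, 10, 0)
    recs = []
    for i in range(30):  # ws-17: every 60 s with small jitter, at night
        t = night + timedelta(seconds=60 * i + (i % 3) - 1)
        recs.append((t.isoformat(), "ws-17", "pool.example.invalid:3333"))
    for off in [0, 7, 95, 400, 410, 1300, 1900, 2000, 2600, 3000, 3050, 3500]:
        t = night + timedelta(seconds=off)  # ws-22: irregular night traffic
        recs.append((t.isoformat(), "ws-22", "updates.example.invalid:443"))
    day = datetime(2025, 1, 15, 14, 0, 0)
    for i in range(30):  # ws-30: 60 s polling, but during working hours
        t = day + timedelta(seconds=60 * i)
        recs.append((t.isoformat(), "ws-30", "monitor.example.invalid:443"))
    return recs

if __name__ == "__main__":
    for host, dest in find_night_beacons(sample_records()):
        print(f"{host} -> {dest}: ~60 s beacon between 01:00 and 05:00")
```

Timestamps are treated as the endpoint's local time; logs stored in UTC need converting before the window check.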

Cryptojacking Campaign Active Since 2024
The cryptojacking campaign, which began in December 2024 and remains active, has compromised hundreds of devices in Russia—mainly targeting industrial enterprises and engineering universities. Additional victims have also been identified in Belarus and Kazakhstan.
While the group’s exact origin remains unknown, Kaspersky noted that the phishing emails are written in Russian and include archive files and decoy documents with Russian filenames.
“This indicates that the campaign is primarily aimed at Russian-speaking targets,” the firm concluded.

Librarian Ghouls May Be Operating as Hacktivists
Kaspersky suggests that the Librarian Ghouls may be hacktivists—individuals or groups who engage in hacking as a form of civil disobedience to advance political goals. This theory is supported by their use of tactics commonly linked to hacktivist groups, such as a preference for leveraging legitimate third-party software rather than creating custom malware.
“A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky noted.
While the group’s exact origins remain unclear, Russian cybersecurity firm BI.ZONE reported in November 2023 that Rare Werewolf—the group’s alternate name—has been active since at least 2019.

