Librarian Ghouls hacker group targeting Russians to mine crypto
2025-06-11 15:03:46

 

The Librarian Ghouls hacker group has compromised hundreds of Russian devices and used them to mine crypto in an apparent case of cryptojacking, cybersecurity firm Kaspersky says.

The hacker group, which is also known as Rare Werewolf, gains access to systems through malware-ridden phishing emails disguised as messages from legitimate organizations that appear to be official documents or payment orders, Kaspersky said in a report on Monday.

  Bad actors can gain access to devices to steal resources such as computing power and mine crypto. Source: Cointelegraph


Hackers scope out device info before mining

After a computer is infected with the malware, the hackers establish a remote connection and disable security systems such as Windows Defender.

The infected device is also programmed to turn on at 1 am and shut down at 5 am, with the hackers using the time frame to further establish unauthorized remote access and steal login credentials.

“It is our assessment that the attackers use this technique to cover their tracks so that the user remains unaware that their device has been hijacked,” Kaspersky said.

They then steal login credentials and also collect information about the device’s available RAM, CPU cores and GPUs to optimally configure the crypto miner before deploying it.

While the miner is running, the hackers maintain a connection to the mining pool, sending a request every 60 seconds, according to Kaspersky.
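For defenders, the two timing details above (a request every 60 seconds, activity between 1 am and 5 am) can be turned into a simple check over outbound connection logs. The following is an added example, not code from Kaspersky's report or this article; the record format, thresholds, host names and destinations are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

PERIOD_S = 60      # request interval reported in the article
TOLERANCE_S = 5    # assumption: allowed jitter around the period
MIN_EVENTS = 10    # assumption: minimum events before a pair is judged
MIN_REGULAR = 0.8  # assumption: share of gaps that must sit near the period
NIGHT = (1, 5)     # 01:00-05:00 wake/shutdown window from the article


def find_beacons(records):
    """Flag (src, dst) pairs polling at ~PERIOD_S; records are (datetime, src, dst)."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = sum(abs(g - PERIOD_S) <= TOLERANCE_S for g in gaps) / len(gaps)
        if regular < MIN_REGULAR:  # tolerates a few missed polls
            continue
        night = sum(NIGHT[0] <= t.hour < NIGHT[1] for t in stamps) / len(stamps)
        findings.append({"src": src, "dst": dst, "events": len(stamps),
                         "median_gap_s": median(gaps), "night_fraction": round(night, 2)})
    return findings


def sample_records():
    """Constructed data; host names and destinations are placeholders."""
    recs = []
    t = datetime(2025, 6, 10, 1, 10)
    # ws-017: ~60 s polling with small jitter and one missed poll
    for i, j in enumerate([0, 1, -2, 0, 3, -1, 0, 2, 0, -3, 1, 0, 0, 2, -1]):
        recs.append((t + timedelta(seconds=j), "ws-017", "pool.example.invalid:3333"))
        t += timedelta(seconds=120 if i == 7 else 60)
    # ws-022: irregular daytime traffic to one destination
    day = datetime(2025, 6, 10, 10, 0)
    for off in [0, 7, 95, 130, 400, 410, 900, 905, 1500, 1560, 2300, 2310]:
        recs.append((day + timedelta(seconds=off), "ws-022", "intranet.example.invalid:443"))
    return recs


if __name__ == "__main__":
    for f in find_beacons(sample_records()):
        print(f)
```

A high `night_fraction` on a flagged pair is the combination the article describes; regular polling alone also matches benign software such as update checkers, so findings need triage against known destinations.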

“We observe that the attackers are continuously refining their tactics, encompassing not only data exfiltration but also the deployment of remote access tools and the use of phishing sites for email account compromise,” the firm said.

Cryptojacking campaign ongoing since 2024

So far, the hacking campaign, which started in December and is ongoing, has affected hundreds of Russian users, particularly industrial enterprises and engineering schools, with additional victims reported in Belarus and Kazakhstan.

The origin of the group hasn’t been established; however, Kaspersky said the phishing emails are “composed in Russian and include archives with Russian filenames, along with Russian-language decoy documents.”

“This suggests that the primary targets of this campaign are likely based in Russia or speak Russian,” Kaspersky said.
