The cybercriminal group known as Rare Werewolf, also called Librarian Ghouls and Rezet, has been conducting a targeted hacking campaign against Russian and Commonwealth of Independent States (CIS) companies. Using phishing emails disguised as legitimate communications, the attackers trick victims into running malicious attachments that install malware.
This malware establishes unauthorized remote access, allowing the attackers to steal sensitive financial data, including cryptocurrency wallet credentials, private keys, and seed phrases. Additionally, the attackers covertly deploy XMRig cryptocurrency mining software to use victims' computing power to mine Monero (XMR).
To evade detection, the malware activates only during a narrow window from 1 AM to 5 AM. The campaign primarily targets industrial enterprises and engineering schools, largely within Russian-speaking regions. Kaspersky security researchers uncovered related phishing domains and noted the attackers’ continuous activity through May 2025.
This sophisticated dual-purpose attack reflects an evolving threat landscape in which criminal groups monetize compromised systems through both data theft and long-term illicit cryptocurrency mining. The operation adds to ongoing risks to the security of crypto users’ assets.
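The 1 AM to 5 AM activity window described above can itself be used as a hunting signal. The following is an added example, not code from Kaspersky or from the campaign: it flags processes that start only inside that window on several distinct nights. The event format, host names, process names, and the three-night threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_START, WINDOW_END = 1, 5  # 01:00-05:00 local time, the window reported on this page
MIN_NIGHTS = 3                   # assumed threshold: distinct nights before flagging

# Constructed process-start events: (local timestamp, host, process image name)
SAMPLE_EVENTS = [
    ("2025-05-12 01:04:10", "ws-eng-07", "xmrig.exe"),
    ("2025-05-13 01:03:55", "ws-eng-07", "xmrig.exe"),
    ("2025-05-14 01:05:21", "ws-eng-07", "xmrig.exe"),
    ("2025-05-12 02:00:00", "ws-eng-07", "backup.exe"),
    ("2025-05-12 14:30:00", "ws-eng-07", "backup.exe"),  # daytime run clears it
    ("2025-05-13 02:00:00", "ws-eng-07", "backup.exe"),
    ("2025-05-14 02:00:00", "ws-eng-07", "backup.exe"),
    ("2025-05-12 03:15:00", "ws-fin-02", "updater.exe"),  # only one night seen
    ("2025-05-12 09:12:00", "ws-fin-02", "excel.exe"),
]

def in_window(ts):
    """True when the timestamp falls in the 01:00-05:00 window (end exclusive)."""
    return WINDOW_START <= ts.hour < WINDOW_END

def night_only_processes(events, min_nights=MIN_NIGHTS):
    """Return sorted (host, process, nights) tuples for processes that started
    on at least min_nights distinct dates and never outside the window."""
    seen = defaultdict(lambda: {"nights": set(), "outside": 0})
    for raw_ts, host, proc in events:
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S")
        entry = seen[(host, proc.lower())]  # image names are case-insensitive on Windows
        if in_window(ts):
            entry["nights"].add(ts.date())
        else:
            entry["outside"] += 1
    hits = [
        (host, proc, len(entry["nights"]))
        for (host, proc), entry in seen.items()
        if entry["outside"] == 0 and len(entry["nights"]) >= min_nights
    ]
    return sorted(hits)

if __name__ == "__main__":
    for host, proc, nights in night_only_processes(SAMPLE_EVENTS):
        print(f"{host}: {proc} started only between 01:00 and 05:00 on {nights} nights")
```

The check keys on timing rather than the image name, so a renamed miner binary still matches. Legitimate jobs scheduled only at night will match as well, so results are triage candidates rather than verdicts.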