Cryptojacking Campaign Exploits Devices Across Russia, Belarus, and Kazakhstan
A cybercriminal group known as Librarian Ghouls — also referred to as Rare Werewolf — is actively targeting Russian-speaking users through a sophisticated cryptojacking campaign. The group has reportedly compromised hundreds of devices across Russia, Belarus, and Kazakhstan, hijacking them to mine cryptocurrency without user consent.
Infection Begins with Malware-Laced Phishing Emails
The campaign, ongoing since December 2024, starts with phishing emails disguised as legitimate communications, such as official documents or payment orders. Once opened, these emails deploy malware that gives the attackers remote access to the victim’s device.
The malware disables built-in protections like Windows Defender and steals login credentials.
The group uses remote access to gather system information, including RAM, CPU cores, and GPU specs, which allows them to optimize crypto mining operations on each device.
Silent Operation Between 1 AM and 5 AM
To avoid detection, infected systems are programmed to power on at 1 AM and shut down at 5 AM. During this time, the attackers:
- Establish unauthorized remote sessions
- Configure the miner based on system specs
- Send requests to the mining pool every 60 seconds
This time-controlled mining approach minimizes user suspicion while maximizing unauthorized profit.
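The schedule described above (activity confined to 1 AM to 5 AM, with a request to the mining pool every 60 seconds) gives defenders a pattern to look for in outbound connection logs. The following detection sketch is an added example, not code from the campaign analysis; the log format, host and destination names, jitter tolerance and thresholds are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW_HOURS = range(1, 5)  # 01:00-04:59 local time, the window the article reports
PERIOD_S = 60               # pool request interval the article reports
JITTER_S = 5                # assumed tolerance around the period
MIN_EVENTS = 10             # assumed minimum run before a pair is scored
MIN_REGULAR = 0.9           # assumed share of gaps that must match the period

def find_night_beacons(lines):
    """Return (host, dest, count, median_gap_s) for periodic night-time talkers."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, host, dest = line.split()
        when = datetime.fromisoformat(ts)
        if when.hour in WINDOW_HOURS:
            by_pair[(host, dest)].append(when)
    hits = []
    for (host, dest), times in sorted(by_pair.items()):
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - PERIOD_S) <= JITTER_S for g in gaps)
        if regular / len(gaps) >= MIN_REGULAR:
            hits.append((host, dest, len(times), median(gaps)))
    return hits

def build_sample():
    """Constructed flow records: '<ISO timestamp> <host> <dest:port>'."""
    night = datetime(2025, 1, 15, 1, 2, 0)
    day = datetime(2025, 1, 15, 14, 0, 0)
    lines = []
    for i in range(30):
        # ws-17: ~60 s cadence with small jitter, inside the window
        t = night + timedelta(seconds=60 * i + (i % 3) - 1)
        lines.append(f"{t.isoformat()} ws-17 pool.example:3333")
        # ws-30: exact 60 s cadence in the afternoon, outside the window
        t = day + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat()} ws-30 monitor.example:443")
    # ws-22: irregular night-time traffic, should not be flagged
    for off in (0, 400, 410, 1900, 2000, 3300, 3310, 5000, 5600, 7000, 7100, 9000):
        t = night + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} ws-22 updates.example:443")
    return lines

if __name__ == "__main__":
    for hit in find_night_beacons(build_sample()):
        print(hit)
```

Only the host that combines both traits, the night-time window and the 60-second cadence, is reported; a regular daytime poller and irregular night traffic are both ignored.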
Signs Point to Hacktivist Motives
The attackers rely heavily on legitimate third-party tools, avoiding custom-built malware. This is a hallmark of hacktivist groups, who often prefer covert techniques and open-source tools over bespoke code.
The phishing messages and decoy files are composed in Russian, suggesting Russian-speaking targets.
While the group’s exact origin remains unknown, cybersecurity analysts believe the Librarian Ghouls may be politically motivated, using cryptojacking as a form of digital protest or disruption.
Wider Implications for Industrial and Educational Institutions
Victims include industrial enterprises and engineering schools, signaling the group’s ability to breach both consumer and institutional systems. Cybersecurity experts warn that ongoing refinements in their methods suggest the group is evolving.
“This is not just about mining crypto — it’s a multi-layered campaign involving phishing, credential theft, and remote control,” analysts noted.
Conclusion
The Librarian Ghouls campaign underscores the growing threat of stealth crypto mining in geopolitically sensitive regions. With targeted, language-specific phishing tactics and advanced remote access methods, this threat demonstrates how cryptojacking is evolving into a broader tool for disruption in the digital age.

