Russia was covered by a new wave of hidden mining

The Librarian Ghouls hacker group, also known as Rare Werewolf, hacked hundreds of Russian devices for hidden cryptocurrency mining. This was reported by specialists of Kaspersky Laboratory.

Infection algorithm

Attackers gained access to systems through phishing letters. They are disguised as messages from real organizations and look like official documents or payment orders.

After infection of the computer, hackers are a remote connection and disable protective systems, including Windows defender. Then they set up the device for automatic turning on at one in the morning and turning off at five in the morning. According to Kaspersky Laboratory, so attackers hide their actions from the user.

In this period of time, they also steal accounting data. Before starting the miner, attackers collect information about the system: the amount of RAM, the number of processor nuclei and video card data. This allows them to optimally configure the cryptocurrency production program. During the work of the miner, hackers maintain a connection with the pool, sending requests every minute.

When the attacks began

The campaign began in December 2024 and continues to this day. Hundreds of Russian users, mainly industrial enterprises and technical universities, suffered. Certain cases are recorded in Belarus and Kazakhstan.

The origin of the group is not established. Analysts drew attention to the fact that phishing letters are compiled in Russian, contain archives with Russian names and documents-Primanka. This indicates that the goal of the campaign is probably Russian -speaking users or residents of Russia.

Experts suggest that Librarian Ghouls can be the so -called hactivists. The group uses legal third -party software instead of developing its own harmful code – a characteristic feature of such associations. According to another company, Bi.zone, the Rare Werewolf group has been active since 2019.

Be in the know! Subscribe to Telegram.