The Librarian Ghouls hacker group has compromised hundreds of Russian devices and used them to mine crypto in an apparent case of cryptojacking, cybersecurity firm Kaspersky says.

The hacker group, which is also known as Rare Werewolf, gains access to systems through malware-ridden phishing emails disguised as messages from legitimate organizations that appear to be official documents or payment orders, Kaspersky said in a report on Monday.

Hackers scope out device info before mining

After a computer is infected with the malware, the hackers establish a remote connection and disable security systems such as Windows Defender.

The infected device is also programmed to turn on at 1 am and shut down at 5 am, with the hackers using the time frame to further establish unauthorized remote access and steal login credentials.

“It is our assessment that the attackers use this technique to cover their tracks so that the user remains unaware that their device has been hijacked,” Kaspersky said.

They then steal login credentials and also collect information about the device’s available RAM, CPU cores and GPUs to optimally configure the crypto miner before deploying it.

While the miner is running, the hackers maintain a connection to the mining pool, sending a request every 60 seconds, according to Kaspersky.

“We observe that the attackers are continuously refining their tactics, encompassing not only data exfiltration but also the deployment of remote access tools and the use of phishing sites for email account compromise,” the firm said.

Cryptojacking campaign ongoing since 2024

So far, the hacking campaign, which started in December and is ongoing, has affected hundreds of Russian users, particularly industrial enterprises and engineering schools, with additional victims reported in Belarus and Kazakhstan.

The origin of the group hasn’t been established; however, Kaspersky said the phishing emails are “composed in Russian and include archives with Russian filenames, along with Russian-language decoy documents.”

“This suggests that the primary targets of this campaign are likely based in Russia or speak Russian,” Kaspersky said.

Librarian Ghouls could be hacktivists

Kaspersky speculates that the Librarian Ghouls might be hacktivists, who use hacking as a form of civil disobedience to promote a political agenda, due to the use of techniques commonly associated with similar groups, such as reliance on legitimate, third-party utilities.

“A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky said.

It’s unknown how long the group has been active, but another Russian cybersecurity firm, BI. ZONE said in a Nov. 23 report that Rare Werewolf has been around since at least 2019.