On Monday, cybersecurity firm Kaspersky reported that the hacker group Librarian Ghouls has taken over hundreds of computers in Russia to mine cryptocurrency.
The attackers use phishing emails with malicious attachments to infect systems. They then steal credentials and run a crypto miner called XMRig. The campaign began in December 2024 and is still active.
Attack Method
Librarian Ghouls, also known as Rare Werewolf or Rezet, sends carefully crafted emails to workers at industrial firms and engineering schools. These messages appear to be official documents or payment orders. Each email carries a password-protected archive.
When a user opens the archive, they find an executable file disguised as a legitimate installer. Once run, that file sets the stage for deeper intrusion.
Technical Details
Inside the fake installer, researchers found three key components. A cabinet archive holds the malware. A configuration file instructs the software on how to behave. A third file serves no real purpose.
The configuration file uses Windows registry commands to install a real tool called 4t Tray Minimizer. This program hides active windows in the system tray.
That helps the hackers cover their tracks. After hiding in plain sight, the attackers establish remote access. They harvest login details. Finally, they deploy the XMRig miner to generate Monero coins.
The group avoids building its own malicious code. Instead, it repurposes trusted third-party utilities and simple scripts. PowerShell files and command scripts join the attack chain. This strategy makes detection harder. It also cuts the time needed to create new malware.
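The miner stage described above leaves recognisable traces in process-creation telemetry. The following is an added example, not code from the Kaspersky report: it scores constructed process-creation records for XMRig-style command lines (a stratum pool URL, `-o`/`--url` and `-u`/`--user` pairs, `--donate-level`, the `rx/0` RandomX algorithm and `--coin=monero`) and for a PowerShell or cmd parent, matching the script chaining the article describes. The record field names, the sample events and the score threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in the shape of a generic EDR/Sysmon export.
# Sample values only; none of these are indicators from the Kaspersky report.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\ivan\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example:3333 -u 44AAAA... -k "
                "--donate-level 1 -a rx/0 --background"},
    {"pid": 5012, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "firefox.exe -profile default"},
    {"pid": 6200, "image": r"C:\ProgramData\upd\xmrig.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "xmrig.exe --url=pool.example:443 --tls --coin=monero --user=wallet"},
]

# Publicly documented XMRig options and Monero-mining hallmarks (general knowledge, not page IoCs).
MINER_PATTERNS = {
    "stratum_url": re.compile(r"stratum\+(tcp|ssl)://", re.I),
    "pool_flag": re.compile(r"(^|\s)(-o|--url)[=\s]\S+", re.I),
    "wallet_flag": re.compile(r"(^|\s)(-u|--user)[=\s]\S+", re.I),
    "donate_level": re.compile(r"--donate-level", re.I),
    "randomx_algo": re.compile(r"(^|\s)(-a|--algo)[=\s]rx/0", re.I),
    "monero_coin": re.compile(r"--coin[=\s]monero", re.I),
    "xmrig_name": re.compile(r"xmrig", re.I),
}
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe")

@dataclass
class Verdict:
    pid: int
    score: int
    reasons: list

def score_event(ev: dict) -> Verdict:
    """Return a miner-likelihood score with the matched reasons; >= 2 counts as a hunt hit."""
    reasons = []
    text = ev["cmdline"] + " " + ev["image"]
    for name, pat in MINER_PATTERNS.items():
        if pat.search(text):
            reasons.append(name)
    # A script-host parent matches the PowerShell/cmd chaining the article describes.
    if ev["parent"].lower().endswith(SCRIPT_HOSTS):
        reasons.append("script_host_parent")
    return Verdict(ev["pid"], len(reasons), reasons)

def find_miners(events):
    """Filter events down to those that clear the hit threshold."""
    return [v for v in (score_event(e) for e in events) if v.score >= 2]
```

A single match (for example an `-o` flag on its own) is deliberately below the threshold, since many benign tools use it; the renamed `svchost.exe` in a Temp folder still trips on the pool, wallet and algorithm flags together.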
Targets and Scope
Kaspersky’s report shows that the campaign has hit hundreds of devices in Russia. Victims also include organisations in Belarus and Kazakhstan.
The emails are written in Russian and carry Russian file names. The decoy documents use that language too. This pattern suggests that Russian speakers are the main targets.
The hacker group kept up a steady pace through 2024. A brief slowdown in December gave way to a new surge of attacks soon after. Security vendors outside Kaspersky are also tracking the group’s moves and warning clients about its tools.
What It Means
The rise of this campaign highlights a shift in cybercrime. Instead of stealing data or holding systems hostage, the attackers are quietly mining coins.
This stealthy approach can go on for months. It drains computing power and inflates energy bills. It also spreads risk across many victims rather than focusing on a single high-value target.
Organisations must stay alert. They should double-check unexpected emails. They should never enable macros or run unknown installers. Keeping software up to date and using email filters can block many threats.
In the end, Librarian Ghouls shows how simple tricks can still cause big harm. Even well-known tools can mask dangerous actions. Only careful habits and strong defences can keep these silent miners at bay.