
A stealthy Advanced Persistent Threat (APT) group tracked as Librarian Ghouls—also known by aliases Rare Werewolf and Rezet—has resurfaced with an extensive cyber-espionage and cryptojacking campaign, according to a newly published Kaspersky Labs report. The group has been actively targeting entities across Russia and the Commonwealth of Independent States (CIS) throughout late 2024 and into May 2025.
“A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky analysts noted.
The campaign kicks off with highly targeted phishing emails impersonating legitimate organizations. These messages deliver password-protected ZIP archives, luring victims into executing what appears to be benign payment order documents. Once launched, a self-extracting installer, crafted using Smart Install Maker, deploys a multi-stage infection chain.
At the heart of the infection chain lies 4t Tray Minimizer, a legitimate utility covertly installed to hide malicious processes from the user by minimizing their windows to the system tray.
Librarian Ghouls’ arsenal is composed almost entirely of repurposed legitimate utilities, including:
- AnyDesk for remote access
- Blat for SMTP-based data exfiltration
- Defender Control to disable Windows Defender
- curl.exe for file retrieval
- WinRAR (driver.exe) for silent archiving
- WebBrowserPassView, Mipko Personal Monitor, and ngrok for monitoring and credential theft
“The attackers use blat.exe to send the victim’s data and AnyDesk configuration files to the attackers via SMTP,” the report reveals.
The group ensures persistence and control through the use of PowerShell scripts and scheduled tasks. A script named wol.ps1 creates a task that launches Microsoft Edge every morning at 1:00 AM, effectively waking the system for four hours of attacker access before a shutdown is triggered at 5:00 AM.
This “wake-and-sleep” cycle is orchestrated using a scheduled task labeled ShutdownAt5AM, which Kaspersky believes is intended “to cover their tracks so that the user remains unaware that their device has been hijacked.”
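One way to hunt for this wake-and-sleep pattern in a scheduled-task export, as an added example that is not part of the Kaspersky report or this article: the script parses a constructed, trimmed `schtasks /query /v /fo CSV` export and flags daily tasks that start a browser or shutdown.exe in the small hours. Every task name except ShutdownAt5AM, plus the file paths and user name, is a constructed placeholder.

```python
import csv
import io
from datetime import time

# Constructed sample: a trimmed subset of the columns emitted by
# `schtasks /query /v /fo CSV`. Two rows are benign Windows tasks; the last
# two model the 1:00 AM Edge launch and the ShutdownAt5AM task described in
# the report. "WakeEdge_PLACEHOLDER" and the paths are not from the report.
SAMPLE_CSV = r'''"TaskName","Task To Run","Schedule Type","Start Time","Run As User"
"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan","C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob","Daily","02:00:00","SYSTEM"
"\OneDrive Standalone Update Task","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","11:30:00","alice"
"\WakeEdge_PLACEHOLDER","C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe","Daily","01:00:00","alice"
"\ShutdownAt5AM","C:\Windows\System32\shutdown.exe /s /f /t 0","Daily","05:00:00","alice"
'''

# Window in which a user would not normally start a browser or a shutdown.
OFF_HOURS = (time(0, 0), time(6, 0))
# Binaries that are suspicious when scheduled to run unattended at night.
SUSPECT_BINARIES = {"msedge.exe", "chrome.exe", "firefox.exe", "shutdown.exe",
                    "powershell.exe", "wscript.exe", "cmd.exe"}


def binary_name(action: str) -> str:
    """Extract the lower-cased executable file name from a 'Task To Run' value."""
    lower = action.strip().strip('"').lower()
    idx = lower.find(".exe")
    if idx == -1:
        return lower.split()[0] if lower else ""
    return lower[: idx + 4].rsplit("\\", 1)[-1]


def is_off_hours(start_time: str) -> bool:
    """True if an HH:MM:SS start time falls inside OFF_HOURS."""
    h, m, s = (int(part) for part in start_time.split(":"))
    return OFF_HOURS[0] <= time(h, m, s) < OFF_HOURS[1]


def flag_tasks(csv_text: str) -> list[dict]:
    """Return the tasks matching the nightly wake/shutdown heuristic, with reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = binary_name(row["Task To Run"])
        reasons = []
        if (exe in SUSPECT_BINARIES and row["Schedule Type"].lower() == "daily"
                and is_off_hours(row["Start Time"])):
            reasons.append(f"{exe} runs daily at {row['Start Time']} (off-hours)")
        if exe == "shutdown.exe":
            reasons.append("scheduled forced shutdown")
        if reasons:
            findings.append({"task": row["TaskName"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_tasks(SAMPLE_CSV):
        print(finding["task"], "->", "; ".join(finding["reasons"]))
```

The Defender scan at 02:00 is deliberately not flagged: the off-hours check only fires for binaries a user would launch interactively or that change power state, which keeps routine maintenance tasks out of the results.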
Once operational control is established, the attackers collect a wide range of sensitive data, including:
- Cryptocurrency wallet credentials
- Seed phrases
- Windows registry hives (HKLM\SAM and HKLM\SYSTEM)
This data is compressed into RAR archives and exfiltrated via email.
The final payload is a stealthy XMRig-based cryptominer, installed using a file from bmapps[.]org. A JSON configuration file dictates the mining pool and attacker ID, while a bmcontrol.exe component manages mining activity and evades detection.
“Before launching the XMRig miner, the worker process collects available CPU cores, RAM, and GPU” info to optimize mining efficiency, the report explains.
The campaign’s infrastructure is centralized around two command-and-control (C2) servers—downdown[.]ru and dragonfires[.]ru—both resolving to the IP address 185.125.51[.]5. Notably, directory listing was enabled on several malicious servers, providing rare insight into attacker operations.
Kaspersky also linked several active phishing domains such as users-mail[.]ru and deauthorization[.]online, hosting fake Mail.ru login pages to harvest credentials.

The threat campaign has impacted hundreds of victims, with a strong focus on industrial enterprises and engineering institutions in Russia, Belarus, and Kazakhstan. Given the use of Russian-language lures and filenames, analysts assess that the group’s primary targets are Russian-speaking.
Although the tactics suggest potential hacktivist leanings, the group’s systematic, persistent, and financially motivated behavior points to a more sophisticated and well-funded operation.
At the time of publication, the Librarian Ghouls APT remains active, and their methods continue to evolve. Their reliance on legitimate tools adds an extra layer of stealth, making detection particularly difficult.
“All of the malicious functionality still relies on installer, command, and PowerShell scripts… the attackers are continuously refining their tactics,” Kaspersky concluded.
Organizations—especially in the CIS region—are urged to harden their defenses against phishing, monitor scheduled tasks for anomalies, and inspect legitimate utilities for abuse patterns.