A hacker group known as the Librarian Ghouls, also referred to as Rare Werewolf or Rezet, has been orchestrating a covert cryptojacking campaign targeting hundreds of devices across Russia, according to a June 9, 2025, report by cybersecurity firm Kaspersky. The group is hijacking computers, primarily in industrial enterprises and engineering schools, to mine Monero cryptocurrency while simultaneously stealing sensitive data, including cryptocurrency wallet credentials and private keys. This dual-purpose attack, which began in December 2024 and remains active as of May 2025, highlights the growing sophistication of cryptocurrency-related cybercrime. Here’s a detailed look at the Librarian Ghouls’ tactics, targets, and the broader implications of their campaign.
How the Librarian Ghouls Operate
The Librarian Ghouls employ a stealthy approach, leveraging phishing emails disguised as legitimate communications from trusted organizations, such as invoices or payment orders, to infiltrate systems. These emails, often written in Russian with Russian-language filenames and decoy documents, contain password-protected archives with malicious files. Once a user extracts and executes these files, the malware initiates a complex infection chain, disabling security systems like Windows Defender and establishing remote access to the compromised device.
The hackers schedule infected devices to activate between 1 a.m. and 5 a.m. local time, a four-hour window that allows them to operate undetected. During this period, the malware uses legitimate third-party tools—such as AnyDesk for remote access, Mipko Personal Monitor for keystroke logging and screenshots, and WebBrowserPassView for password recovery—to steal login credentials, cryptocurrency wallet data (e.g., wallet.dat files, seed phrases, and private keys), and other sensitive information. The stolen data is compressed into password-protected archives and sent via SMTP to attacker-controlled email accounts.
Simultaneously, the group deploys XMRig, a widely used Monero mining software, optimized based on the device’s RAM, CPU, and GPU specifications to maximize mining efficiency. This covert operation consumes the victim’s computational resources and electricity, generating cryptocurrency for the hackers while remaining largely invisible to users. The reliance on legitimate tools, a tactic known as “living off the land” (LotL), makes detection challenging, as these tools are commonly used by system administrators and don’t trigger typical malware
Who Are the Targets?
The Librarian Ghouls primarily target Russian entities, with a focus on industrial enterprises, engineering schools, and research institutions in sectors like aerospace, defense, petrochemicals, and semiconductors. Victims have also been reported in Belarus and Kazakhstan, indicating a broader reach within the Commonwealth of Independent States (CIS). The use of Russian-language phishing emails and decoy documents suggests that the group’s primary victims are Russian speakers or based in Russia. Kaspersky speculates that the campaign’s focus on these regions may point to a political agenda, potentially aligning the group with hacktivist motives, though their exact origins remain unknown.
The group’s choice of targets—industrial and educational institutions—may reflect a strategic intent to exploit high-performance systems with significant computing power, ideal for cryptocurrency mining. Engineering schools, for instance, often have powerful computers for research and design, making them lucrative targets for cryptojacking.
Are the Librarian Ghouls Hacktivists?
Kaspersky and other cybersecurity experts, including Russian firm BI.ZONE, suggest that the Librarian Ghouls may be hacktivists, using hacking as a form of civil disobedience to advance a political agenda. This theory is based on their heavy reliance on legitimate third-party software, a hallmark of hacktivist groups, rather than custom-built malware. BI.ZONE notes that the group, active since at least 2019, has consistently targeted Russian entities, which could indicate a geopolitical motive. However, no definitive evidence links the group to a specific nation-state or cause, and their focus on financial gain through cryptojacking and data theft suggests a possible profit-driven motive alongside any ideological goals.
The group’s use of domains like users-mail[.]ru and deauthorization[.]online to host phishing pages targeting Russian email services, such as Mail.ru, further supports the idea of a targeted campaign against Russian infrastructure. These phishing pages, built with PHP scripts, are designed to steal login credentials, amplifying the group’s ability to expand their attacks.

The Broader Context of Cryptojacking
The Librarian Ghouls’ campaign is part of a growing wave of cryptocurrency-related cybercrime. Cryptojacking, where hackers use stolen computing resources to mine cryptocurrencies like Monero, has become increasingly common due to its low risk and high reward. Monero’s privacy features make it a favorite for illicit mining, as transactions are harder to trace compared to Bitcoin or Ethereum.
This campaign follows other high-profile crypto-related cyberattacks. For instance, a March 2025 report highlighted North Korea’s Lazarus Group laundering $300 million from a $1.5 billion Bybit heist, underscoring the scale of state-sponsored crypto crime. Similarly, recent data breaches at exchanges like Gemini and Binance have exposed sensitive user information, fueling secondary fraud and phishing schemes. The Librarian Ghouls’ ability to combine cryptojacking with data theft, including wallet credentials and private keys, makes their operation particularly damaging, as stolen assets can be used in fraud or sold on dark web marketplaces.
How to Protect Against Cryptojacking
Kaspersky and other cybersecurity experts recommend several measures to guard against campaigns like the Librarian Ghouls’:
Verify Email Attachments: Avoid opening unsolicited email attachments, especially password-protected archives, unless the source is verified.
Update Security Software: Ensure antivirus and endpoint protection systems are up to date to detect and block malicious scripts.
Monitor System Performance: Unusual CPU or GPU usage, especially during off-hours, may indicate cryptojacking activity.
Use Strong Passwords and 2FA: Protect accounts with unique passwords and two-factor authentication to limit the impact of stolen credentials.
Network Monitoring: Organizations should monitor network traffic for connections to known mining pools or suspicious domains.
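The behaviours described above (activity concentrated in the 1 a.m. to 5 a.m. window, abuse of legitimate tools such as AnyDesk and WebBrowserPassView, XMRig mining, and SMTP exfiltration) can be turned into a simple off-hours triage rule. The script below is an added example, not code from Kaspersky's report: it runs over a few constructed endpoint events, flags the indicators the article lists, and tags each finding with whether it fell inside the activation window. The executable names, the pool blocklist entry and the log format are assumptions for the example; a real deployment would take them from its own telemetry and threat-intelligence feeds.

```python
import re
from datetime import datetime, time

# Activation window the report describes: 1 a.m. to 5 a.m. local time.
WINDOW_START = time(1, 0)
WINDOW_END = time(5, 0)

# Executable names for the tools the report says are abused. These image
# names are assumptions for this example; adjust to what your telemetry shows.
WATCHED_IMAGES = {
    "anydesk.exe": "remote access (AnyDesk)",
    "webbrowserpassview.exe": "browser password recovery (WebBrowserPassView)",
    "mipkopersonalmonitor.exe": "keylogging/screenshots (Mipko Personal Monitor, assumed name)",
    "xmrig.exe": "Monero miner (XMRig)",
}

# Placeholder blocklist; populate from your own mining-pool intelligence.
KNOWN_POOL_HOSTS = {"pool.placeholder-monero.invalid"}

# Standard SMTP submission/relay ports; workstations rarely speak SMTP directly.
SMTP_PORTS = {25, 465, 587}
CPU_THRESHOLD = 90  # percent; sustained load at this level off-hours is suspicious

# Constructed sample telemetry (not from the report): one key=value event per line.
SAMPLE_EVENTS = [
    "ts=2025-05-12T02:14:03 host=ENG-LAB-07 type=process image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe cpu=3",
    "ts=2025-05-12T02:20:41 host=ENG-LAB-07 type=process image=C:\\Windows\\Temp\\xmrig.exe cpu=97",
    "ts=2025-05-12T02:21:05 host=ENG-LAB-07 type=netconn dst=pool.placeholder-monero.invalid port=3333",
    "ts=2025-05-12T02:25:10 host=ENG-LAB-07 type=netconn dst=smtp.placeholder-mail.invalid port=465",
    "ts=2025-05-12T10:02:00 host=ENG-LAB-07 type=process image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe cpu=2",
    "ts=2025-05-12T03:30:00 host=CAD-WS-02 type=process image=C:\\Windows\\System32\\svchost.exe cpu=1",
    "ts=2025-05-12T03:45:00 host=CAD-WS-02 type=process image=C:\\Users\\ivan\\AppData\\Local\\Temp\\sysupd.exe cpu=94",
]


def parse_event(line):
    """Turn 'key=value key=value' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def in_window(ts):
    """True when the timestamp falls inside the 1 a.m. to 5 a.m. activation window."""
    return WINDOW_START <= ts.time() < WINDOW_END


def reasons_for(ev, off_hours):
    """Return the list of indicators an event matches (empty if benign)."""
    reasons = []
    if ev["type"] == "process":
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in WATCHED_IMAGES:
            reasons.append("watched tool: " + WATCHED_IMAGES[name])
        if off_hours and int(ev.get("cpu", 0)) >= CPU_THRESHOLD:
            reasons.append("sustained high CPU (%s%%) in off-hours window" % ev["cpu"])
    elif ev["type"] == "netconn":
        if ev["dst"].lower() in KNOWN_POOL_HOSTS:
            reasons.append("connection to known mining pool host")
        if off_hours and int(ev["port"]) in SMTP_PORTS:
            reasons.append("outbound SMTP from endpoint in off-hours window")
    return reasons


def triage(lines):
    """Run every event through the rules and keep those that matched something."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        ts = datetime.fromisoformat(ev["ts"])
        off_hours = in_window(ts)
        reasons = reasons_for(ev, off_hours)
        if reasons:
            findings.append({
                "host": ev["host"],
                "ts": ev["ts"],
                "off_hours": off_hours,
                "severity": "high" if off_hours else "medium",
                "reasons": reasons,
            })
    return findings


def summarize_by_host(findings):
    """Count findings per host so the noisiest machines surface first."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["ts"], "; ".join(f["reasons"]))
    print(summarize_by_host(triage(SAMPLE_EVENTS)))
```

The same AnyDesk start is rated "medium" at 10:02 and "high" at 02:14: the tool itself is legitimate, so the time of day is what separates an administrator's session from the pattern the article describes. The unknown binary pinned at 94% CPU at 03:45 is caught without any name match, which is the check that still works when the miner is renamed.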