Librarian Ghouls, a shadowy hacker group, has been caught running a sophisticated cyberattack campaign that secretly turned Russian devices into cryptocurrency mining machines.
The group, also known as “Rare Werewolf,” used expertly disguised malware to hijack processing power, executing attacks so stealthy that victims remained completely unaware their systems were being exploited for profit.
The Librarian Ghouls hackers have been identified by Kaspersky as the shadowy collective behind a series of highly covert crypto mining operations targeting Russian devices.
Known alternatively as “Rare Werewolf” and “Rezet,” the group’s tactics and stealth execution style suggest a blend of cybercriminal sophistication and hacktivist intent.
According to Kaspersky’s Securelist, the Librarian Ghouls hacker group deploys malware that activates infected devices between 1 AM and 5 AM.
This unique time window allows the malware to operate while users are asleep and unlikely to detect unusual behavior.
Kaspersky noted that the hackers use scheduled tasks to launch Microsoft Edge’s legitimate executable—msedge.exe—during this period.
The program then connects to AnyDesk, giving hackers a four-hour remote access window before the computer is automatically shut down.
According to reports, the Librarian Ghouls hackers rely heavily on targeted phishing campaigns to gain entry. Victims typically receive password-protected archive files via email, often framed as official documents from real institutions.
The password is provided in the email body, giving the attack a credible, structured appearance.
When the victim opens the archive and runs the executable inside, the malware infects the device, starts reconnaissance operations, and later deploys crypto mining programs optimized for the user’s hardware configuration.
“The initial vector mimics classic espionage tradecraft—legitimate fronts, obscure time windows, and zero noise. It’s technically impressive,” said Sergey Lozhkin, senior security researcher at Kaspersky.
Kaspersky also suspects that the Librarian Ghouls hacker group may be hacktivist-affiliated due to their use of spoofed organization names—a technique often seen among ideologically driven cyber groups.
“The naming strategy and controlled window of operation reflect not just financial motivation, but also a desire to cause disruption with precision,” Kaspersky noted in its internal brief.
While the Librarian Ghouls hacker group appears focused on crypto mining, experts warn this could be a smokescreen.
“When actors go through this much trouble for relatively modest mining rewards, you start wondering if there’s a secondary agenda—like intelligence gathering or network mapping,” said Allan Liska, threat intelligence analyst at Recorded Future.
That the Librarian Ghouls hacker group is targeting Russian endpoints raises eyebrows. Given the country’s cybersecurity emphasis and tight control over local infrastructure, these attacks could signal an evolving cross-border cyber strategy.
“This could be internal dissent, foreign pressure, or just high-level opportunism,” added Liska.
As the Librarian Ghouls hacker group continues exploiting devices for crypto mining, Kaspersky recommends enterprises and individuals adopt the following measures:
• Disable wake timers on enterprise devices.
• Audit any remote access tools like AnyDesk.
• Block incoming archives from unknown email addresses.
• Implement endpoint detection tools with behavior-based alerts.
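To act on the wake-timer recommendation and the 1 AM to 5 AM scheduled-task behaviour described above, the following added example (not code from Kaspersky or the original article) audits Task Scheduler XML exports, the format `schtasks /query /xml` emits. It flags tasks that have a wake timer or a trigger inside that window. The task names, schedules and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import time

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WINDOW = (time(1, 0), time(5, 0))  # 1 AM to 5 AM window reported in the article

def _task(start, wake, command):
    """Build a minimal Task Scheduler XML document (constructed sample data)."""
    return f"""<Task xmlns="{NS['t']}">
  <Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary></CalendarTrigger></Triggers>
  <Settings><WakeToRun>{wake}</WakeToRun></Settings>
  <Actions><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed examples; task names and schedules are hypothetical.
SAMPLE_TASKS = {
    "NightlyBrowser": _task("2025-01-01T01:00:00", "true",
        r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    "NightlyShutdown": _task("2025-01-01T05:00:00+03:00", "false",
        r"C:\Windows\System32\shutdown.exe"),
    "DaytimeBackup": _task("2025-01-01T14:30:00", "false", r"C:\Tools\backup.exe"),
}

def audit_task(name, xml_text):
    """Return the task's commands and the reasons it deserves review, if any."""
    root = ET.fromstring(xml_text)  # for real exports, parse the file bytes instead
    wake = root.findtext("t:Settings/t:WakeToRun", "false", NS).strip().lower() == "true"
    starts = [e.text.strip() for e in root.iterfind("t:Triggers/*/t:StartBoundary", NS) if e.text]
    # Compare only the HH:MM:SS part of StartBoundary (any UTC offset is ignored).
    night = [s for s in starts
             if WINDOW[0] <= time.fromisoformat(s.split("T")[1][:8]) <= WINDOW[1]]
    commands = [e.text.strip() for e in root.iterfind("t:Actions/t:Exec/t:Command", NS) if e.text]
    reasons = []
    if wake:
        reasons.append("wake timer enabled")
    if night:
        reasons.append("trigger inside 01:00-05:00")
    return {"task": name, "commands": commands, "reasons": reasons}

def audit_all(tasks):
    """Audit every exported task and keep only those with at least one finding."""
    return [r for r in (audit_task(n, x) for n, x in tasks.items()) if r["reasons"]]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_TASKS):
        print(finding["task"], finding["reasons"], finding["commands"])
```

A finding is a prompt for review, not a verdict: legitimate maintenance tasks also run overnight, so the listed command and the task's author are what an analyst checks next.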
The rise of the Librarian Ghouls hacker group is a clear reminder that not all threats seek attention. In an era where most cyberattacks go loud with ransomware or data leaks, these operators are betting on silence, automation, and invisibility.
With legitimate tools, off-hour tactics, and a growing crypto market to exploit, the Librarian Ghouls hacker group may signal a broader trend of hybrid threats—combining hacktivism, profit, and stealth in a dangerous new model.
Davidson Okechukwu is a passionate crypto journalist/writer and Web3 enthusiast, focusing on blockchain innovation, DeFi, NFT ecosystems, and the societal impact of decentralized systems. His engaging style bridges the gap between technology and everyday understanding with a degree in Computer Science and various professional certifications from prestigious institutions. With over four years of experience in the crypto and DeFi space, Davidson combines his technical knowledge with a keen understanding of market dynamics. In addition to his work in cryptocurrency, he is a dedicated realtor and web management professional.