11-6-2025 – A sophisticated cybercriminal syndicate, dubbed Rare Werewolf, also known as Librarian Ghouls and Rezet, has unleashed a meticulous phishing offensive targeting businesses across Russia and the Commonwealth of Independent States (CIS). According to cybersecurity experts at Kaspersky, this advanced persistent threat (APT) group has sustained its operations through May 2025, exploiting compromised systems to mine Monero cryptocurrency and plunder sensitive information.
The group’s modus operandi involves crafting deceptive phishing emails that masquerade as legitimate correspondence from trusted entities. These emails, often written in Russian and accompanied by Russian-language attachments, lure victims into opening malicious files. Once activated, these files grant attackers remote access to the victim’s device, enabling the theft of critical data, including login credentials and cryptocurrency wallet details. To further their illicit gains, the attackers deploy Monero mining software, harnessing the infected system’s processing power. In a bid to evade detection, the group schedules compromised devices to activate at 1 AM and power down by 5 AM, cloaking their activities in the early hours.
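The 1 AM wake and 5 AM power-down schedule described above is itself a hunting signal. The following is an added example, not taken from Kaspersky's report: it flags hosts that repeat that pattern over several nights, assuming power events are already exported as (host, timestamp, event) tuples; the host names, tolerance windows and three-night threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample power events (host, ISO timestamp, event); not real telemetry.
SAMPLE_EVENTS = [
    ("eng-ws-07", "2025-05-12T01:00:41", "wake"),
    ("eng-ws-07", "2025-05-12T04:58:10", "shutdown"),
    ("eng-ws-07", "2025-05-13T01:00:39", "wake"),
    ("eng-ws-07", "2025-05-13T04:59:02", "shutdown"),
    ("eng-ws-07", "2025-05-14T01:01:05", "wake"),
    ("eng-ws-07", "2025-05-14T05:00:00", "shutdown"),
    ("hr-lt-21", "2025-05-12T08:47:13", "wake"),       # normal working day
    ("hr-lt-21", "2025-05-12T18:02:55", "shutdown"),
    ("ops-srv-02", "2025-05-13T01:10:00", "wake"),     # one-off maintenance reboot
    ("ops-srv-02", "2025-05-13T02:30:00", "shutdown"),
]

WAKE_FROM, WAKE_TO = time(0, 45), time(1, 15)  # assumed tolerance around 1 AM
OFF_FROM, OFF_TO = time(4, 0), time(5, 0)      # "power down by 5 AM"
MIN_NIGHTS = 3                                 # assumed recurrence threshold


def nightly_window_hosts(events, min_nights=MIN_NIGHTS):
    """Return {host: sorted dates} for hosts that woke near 01:00 and shut
    down by 05:00 on the same date, on at least min_nights dates."""
    wakes, offs = defaultdict(set), defaultdict(set)
    for host, ts, kind in events:
        dt = datetime.fromisoformat(ts)
        t = dt.time()
        if kind == "wake" and WAKE_FROM <= t <= WAKE_TO:
            wakes[host].add(dt.date())
        elif kind == "shutdown" and OFF_FROM <= t <= OFF_TO:
            offs[host].add(dt.date())
    flagged = {}
    for host in wakes:
        # Require both halves of the pattern on the same night.
        nights = sorted(wakes[host] & offs[host])
        if len(nights) >= min_nights:
            flagged[host] = nights
    return flagged


if __name__ == "__main__":
    for host, nights in nightly_window_hosts(SAMPLE_EVENTS).items():
        print(host, [d.isoformat() for d in nights])
```

Requiring recurrence and both halves of the window keeps single maintenance reboots, such as the constructed `ops-srv-02` entry, out of the results.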
Kaspersky’s findings highlight that industrial enterprises and engineering institutions are prime targets, with the group’s Russian-language phishing materials suggesting a focus on Russian-speaking organisations. The investigation also identified several domains potentially linked to the campaign, including users-mail[.]ru and deauthorization[.]online, which host phishing pages designed to siphon credentials for Mail.ru, a widely used Russian email service. These pages, built with PHP scripts, underscore the group’s technical prowess. Although Kaspersky expressed cautious confidence in connecting these domains to Librarian Ghouls, the campaign’s persistence was evident, with attacks continuing as recently as last month, posing an ongoing threat to the region’s digital infrastructure.