Librarian Ghouls hacker group seizes Russian devices for crypto mining
According to Kaspersky's report, the hacker group Librarian Ghouls has secretly seized hundreds of devices in Russia and mines cryptocurrency on them at night. Malicious software delivered via phishing e-mails mines cryptocurrency unnoticed, using the system's resources. The group may be hacktivist.
Kaspersky, a cyber security company, announced that hundreds of Russia-based devices were secretly used for cryptocurrency mining and that a hacker group called "Librarian Ghouls" was behind the attack. The group, also known as "Rare Werewolf", infiltrates user systems through phishing attacks and carries out cryptojacking.
According to the report, the attacks especially target industrial organizations and engineering schools. The campaign has been active since December 2024 and is still in progress.
📧 Malware delivered through fake documents
According to Kaspersky, the attacks begin with Russian-language e-mails. These e-mails are usually disguised as invoice notifications, payment orders or official documents and sent to the victims. The attachments contain malware.
Once on the victim's device, the malware establishes a remote connection to the system and disables security tools such as Windows Defender. The hackers then analyze the system's processor, RAM and graphics card and apply the most appropriate configuration for crypto mining.
🌙 Silent mining at night: 01:00 - 05:00
In the cases examined, the malware was found to turn the devices on automatically at 01:00 and shut them down at 05:00.
During this time window, the device:
Runs without the user's knowledge
Sends a connection request to the mining pool every 60 seconds
Mines cryptocurrency using the device's resources
Has session information and e-mail account data stolen from it at the same time
Kaspersky says that this method was used to hide the attackers' traces, and that users do not realize their devices have been seized.
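The pattern described above (activity only between 01:00 and 05:00, with a pool connection every 60 seconds) can be searched for in proxy or firewall logs. The sketch below is an added example, not code from Kaspersky's report; the log format, host names, addresses, jitter tolerance and minimum run length are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

NIGHT_START, NIGHT_END = time(1, 0), time(5, 0)   # window from the article
BEACON_SECONDS = 60                                # interval from the article
JITTER = 5            # assumed tolerance, seconds
MIN_BEACONS = 10      # assumed minimum run length before alerting

def parse(line):
    """Constructed log format: '<ISO timestamp> <host> <dst_ip>:<port>'."""
    ts, host, dst = line.split()
    return datetime.fromisoformat(ts), host, dst

def night_beacons(lines):
    """Return {(host, dst): longest run of ~60 s spaced connections at night}."""
    seen = defaultdict(list)
    for line in lines:
        ts, host, dst = parse(line)
        if NIGHT_START <= ts.time() < NIGHT_END:
            seen[(host, dst)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        stamps.sort()
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).total_seconds()
            run = run + 1 if abs(gap - BEACON_SECONDS) <= JITTER else 1
            best = max(best, run)
        if best >= MIN_BEACONS:
            hits[key] = best
    return hits

def sample_log():
    """Constructed sample data; hosts and addresses are documentation values."""
    base = datetime(2025, 1, 15, 1, 2, 0)
    lines = [f"{(base + timedelta(seconds=60 * i + i % 3)).isoformat()} ws-17 203.0.113.10:3333"
             for i in range(30)]
    # Daytime traffic at the same cadence: outside the window, ignored.
    day = datetime(2025, 1, 15, 14, 0, 0)
    lines += [f"{(day + timedelta(seconds=60 * i)).isoformat()} ws-22 198.51.100.7:443"
              for i in range(30)]
    # Irregular night traffic (backup job): in the window, not periodic.
    for off in (0, 7, 300, 310, 1900, 1905, 4000, 4020, 6000, 6600, 7000, 9000):
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} ws-30 192.0.2.44:443")
    return lines

if __name__ == "__main__":
    for (host, dst), n in night_beacons(sample_log()).items():
        print(f"{host} -> {dst}: {n} connections ~{BEACON_SECONDS}s apart between 01:00 and 05:00")
```

Only the workstation with a sustained 60-second cadence inside the night window is reported; the daytime host and the irregular night-time host are not.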
🌍 Attacks are not limited to Russia
According to the Kaspersky report, although Russia is the primary target of the attacks, similar cases were found in countries such as Belarus and Kazakhstan. The e-mails are written in Russian, the archives carry Russian file names and the decoy documents are localized, all of which shows that the attacks specifically target Russian-speaking users.
👁️🗨️ Hacktivist or professional actor?
Kaspersky says that there is no clear information about the motivation of this group, but that the tools they use point to similar "hacktivist" groups. In particular:
Instead of producing their own malicious software, they prefer legitimate third-party software
They have worked with the same structure for a long time
Their targets indicate political/ideological motivation
These findings bring the group closer to the category of political hacking. However, the motive of financial gain (mining) cannot be ignored.
📌 Summary: The new face of the crypto mining cyber threat
The Librarian Ghouls hacker group has seized hundreds of devices since 2024 and uses them for crypto mining
The attacks are especially aimed at industrial and educational institutions in Russia
The devices are used for crypto mining at night without the user realizing it
All information and session data obtained end up in the hands of cyber criminals
Although the group is thought to be hacktivist, its identity is still not clear