Rare Werewolf APT Campaign Possibly Using Monero Mining in Targeted Phishing Attacks on Russian Firms

  • Rare Werewolf, a cybercriminal group, is conducting a sophisticated phishing campaign targeting Russian and CIS companies to mine cryptocurrency and steal sensitive data.

  • The group exploits phishing emails with malicious attachments to gain remote access, focusing primarily on industrial enterprises and engineering schools.

  • According to Kaspersky, the attackers use stealth tactics such as scheduled mining operations during off-hours to avoid detection.

Rare Werewolf’s targeted phishing attacks on Russian firms deploy Monero miners and steal credentials, highlighting rising cyber threats in the CIS region.

Rare Werewolf’s Targeted Phishing Campaign Exploits Russian and CIS Organizations

Cybersecurity researchers at Kaspersky have identified an ongoing advanced persistent threat (APT) campaign by the group known as Rare Werewolf, also tracked as “Librarian Ghouls” or “Rezet.” The campaign targets companies in Russia and the Commonwealth of Independent States (CIS), using phishing emails disguised as legitimate business correspondence to get a foothold in corporate networks. The emails carry malicious attachments with Russian-language filenames alongside decoy documents, which raises the chance that the recipient opens them. Once an attachment is executed, the group can remotely control the compromised device, exfiltrate sensitive information such as login credentials and cryptocurrency wallet data, and install Monero (XMR) mining software that consumes the victim machine's processing power.

Stealth Techniques and Targeted Industries Highlight Sophistication

The Rare Werewolf group takes deliberate steps to persist and avoid detection. Notably, the malware schedules mining to run only between 1 AM and 5 AM, when a sustained spike in CPU load is unlikely to be noticed by system administrators or users. Kaspersky's analysis shows that the campaign predominantly targets industrial enterprises and engineering educational institutions, which suggests a focus on organizations holding valuable intellectual property and operational data. The phishing emails are written in Russian, consistent with a campaign aimed at Russian-speaking victims rather than opportunistic mass mailing.
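One practical check that follows from the off-hours scheduling described above is to triage the scheduled tasks on a host for jobs that fire inside the quiet window or whose command line looks like a miner. The script below is an added example written for this article; it is not Kaspersky's code or anything recovered from the campaign. It assumes input in the shape of a subset of the columns of `schtasks /query /fo CSV /v` (column names and the locale-dependent time format are assumptions), the miner command-line markers are generic ones chosen for illustration (the article publishes no indicators), and the rows are constructed sample data.

```python
"""Triage scheduled tasks for off-hours, miner-like jobs.

Added example, not code from Kaspersky or from the campaign. Input mirrors a
subset of `schtasks /query /fo CSV /v` columns (names assumed); rows are
constructed for this example."""
import csv
import io
import re
from datetime import time

# The quiet window the article describes: mining runs between 01:00 and 05:00.
QUIET_START = time(1, 0)
QUIET_END = time(5, 0)

# Generic markers for XMR mining tooling (assumed; the article publishes no indicators).
MINER_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"(^|\s)(-o|--url)(=|\s+)\S+:\d{2,5}", re.I),
]
# Binaries launched from user-writable locations deserve a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)

# Constructed sample rows (not real telemetry). The third and fourth tasks model
# a miner started just inside the window and killed when the window closes.
SAMPLE_TASKS_CSV = r'''"TaskName","Author","Task To Run","Schedule Type","Start Time"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly","1:00:00"
"\Backup\NightlyBackup","CORP\backupsvc","C:\Tools\backup.exe --full","Daily","2:30:00"
"\Updater\SysCheck","CORP\user1","C:\Users\user1\AppData\Roaming\svc\xmrig.exe -o pool.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 1","Daily","1:05:00"
"\Updater\SysCheckStop","CORP\user1","taskkill /IM xmrig.exe /F","Daily","5:00:00"
"\Office\ReportSync","CORP\user2","C:\Program Files\Sync\sync.exe","Daily","9:00:00"
'''


def parse_start_time(text: str) -> time:
    """Parse 'H:MM:SS' or 'H:MM:SS AM/PM' (schtasks output is locale dependent)."""
    parts = text.strip().split()
    meridiem = parts[1].upper() if len(parts) == 2 else None
    h, m, s = (int(x) for x in parts[0].split(":"))
    if meridiem == "PM" and h != 12:
        h += 12
    if meridiem == "AM" and h == 12:
        h = 0
    return time(h, m, s)


def in_quiet_window(t: time, start: time = QUIET_START, end: time = QUIET_END) -> bool:
    """True when t lies in [start, end); also handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def looks_like_miner(command: str) -> bool:
    return any(p.search(command) for p in MINER_PATTERNS)


def triage_tasks(csv_text: str) -> list[dict]:
    """Return one finding per task worth a look, with a severity and the reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row["Task To Run"]
        start = parse_start_time(row["Start Time"])
        miner = looks_like_miner(command)
        quiet = in_quiet_window(start) and not row["Author"].startswith("Microsoft")
        user_path = bool(USER_WRITABLE.search(command))
        reasons = []
        if miner:
            reasons.append("miner-like command line")
        if quiet:
            reasons.append(f"runs at {start:%H:%M}, inside the quiet window, non-Microsoft author")
        if user_path:
            reasons.append("binary launched from a user-writable path")
        if not reasons:
            continue
        severity = "high" if miner else "medium" if (quiet and user_path) else "low"
        findings.append({"task": row["TaskName"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS_CSV):
        print(f["severity"].upper(), f["task"], "; ".join(f["reasons"]), sep="  ")
```

On a real host, pipe the output of `schtasks /query /fo CSV /v` into `triage_tasks`. The stop task at 05:00 falls just outside the half-open window and is caught only by the command-line check, which is why both signals are kept: a quiet-window trigger alone is a hunting lead (the backup job here), while a miner-like command line is a finding on its own.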

Phishing Infrastructure and Credential Theft Tactics

Kaspersky’s investigation uncovered several domains possibly linked to the Rare Werewolf campaign, including users-mail[.]ru and deauthorization[.]online. These domains hosted phishing pages that mimicked popular Russian email services such as Mail.ru and used PHP scripts to capture the credentials submitted to them. Kaspersky assigns only moderate confidence to the link between these domains and the group, but the pages were live during the campaign, which is consistent with a maintained phishing infrastructure supporting credential theft. Credentials harvested this way give the group its initial access, after which it expands control within the targeted network.
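The two domains above are a small watchlist, but the more durable check is the pattern they follow: a hostname that borrows a brand token such as “mail” without belonging to the brand's real registrable domain. The script below is an added example written for this article, not Kaspersky's code or any tool from the campaign. It scans constructed proxy log lines (the log format is assumed), refangs the published indicators, and flags hosts that are either on the watchlist or look-alikes of Mail.ru; the allowlist of legitimate registrable domains, the brand-token list and the internal host `mail.corp.example` are assumptions for the example, and registrable domains are approximated as the last two labels rather than looked up in a public suffix list.

```python
"""Flag watchlisted and brand-lookalike hosts in proxy logs.

Added example, not code from Kaspersky or from the campaign. Log format,
allowlist, brand tokens and all log lines are constructed for this example."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Domains the article lists as possibly linked to the campaign, as published (defanged).
WATCHLIST_DEFANGED = ["users-mail[.]ru", "deauthorization[.]online"]

# Brand tokens to watch for and the registrable domains allowed to carry them.
# "corp.example" stands in for an organisation's own mail host (assumed).
BRAND_TOKENS = {"mail"}
ALLOWED_REGISTRABLE = {"mail.ru", "corp.example"}

# Constructed proxy lines: timestamp client method url status.
SAMPLE_PROXY_LOG = """\
2025-05-12T08:14:02Z 10.0.0.21 GET https://e.mail.ru/inbox/ 200
2025-05-12T08:15:40Z 10.0.0.21 POST https://users-mail.ru/login.php 302
2025-05-12T08:15:41Z 10.0.0.21 GET https://users-mail.ru/?err=1 200
2025-05-12T09:02:11Z 10.0.0.33 GET https://mail.corp.example/owa/ 200
2025-05-12T09:30:05Z 10.0.0.33 POST https://deauthorization.online/auth/ 200
2025-05-12T09:31:00Z 10.0.0.45 GET https://gmail.com/ 301
2025-05-12T10:00:00Z 10.0.0.45 GET https://secure-mail-login.example/ 200
"""


def refang(value: str) -> str:
    """Turn defanged indicators back into matchable form (hxxp, [.])."""
    return value.lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


WATCHLIST = {refang(d) for d in WATCHLIST_DEFANGED}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (no public suffix list; fine for .ru/.online)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> Optional[str]:
    """'watchlist' for published indicators, 'lookalike' for brand-token abuse, else None."""
    host = refang(host)
    reg = registrable_domain(host)
    if host in WATCHLIST or reg in WATCHLIST:
        return "watchlist"
    if reg in ALLOWED_REGISTRABLE:
        return None
    # Split on dots and hyphens so "users-mail.ru" exposes the token but "gmail.com" does not.
    if set(re.split(r"[.-]", host)) & BRAND_TOKENS:
        return "lookalike"
    return None


def scan_proxy_log(text: str) -> list[dict]:
    """Aggregate suspicious hosts per client; a POST to a flagged host is a likely credential submission."""
    seen: dict[tuple[str, str], dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict is None:
            continue
        finding = seen.setdefault((client, host), {
            "client": client, "host": host, "verdict": verdict,
            "hits": 0, "posted": False, "first_seen": ts,
        })
        finding["hits"] += 1
        if method.upper() == "POST":
            finding["posted"] = True
    return list(seen.values())


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        flag = "CREDENTIALS LIKELY SUBMITTED" if f["posted"] else ""
        print(f["verdict"], f["client"], f["host"], f["hits"], f["first_seen"], flag)
```

The look-alike rule is deliberately loose and will fire on any unlisted host with a bare “mail” label, which is why the allowlist must include the organisation's own mail servers before it is run over real logs. A client that both resolved a flagged host and POSTed to it is the one whose password should be reset first.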

Implications for Cybersecurity in the CIS Region

The persistence of the Rare Werewolf campaign, with attacks observed as recently as May, shows that organizations in Russia and the CIS face a threat that has not subsided. Combining credential theft with covert cryptocurrency mining compromises sensitive data and also degrades system performance and raises operating costs through the electricity and hardware wear of sustained mining. Security experts recommend employee awareness training, robust email filtering and continuous network monitoring; given this campaign's tactics, monitoring should include alerting on newly created scheduled tasks and on sustained CPU load during off-hours. Organizations are also urged to enforce multi-factor authentication, preferably phishing-resistant methods, since a phishing page that captures a password can just as easily capture a one-time code typed into the same form, and to keep security controls current against evolving phishing schemes.

Conclusion

The Rare Werewolf APT campaign exemplifies the growing sophistication of cybercriminal operations targeting Russian and CIS enterprises. By combining targeted phishing, credential theft, and stealthy crypto mining, the group poses a significant risk to industrial and educational sectors. Vigilance and proactive cybersecurity measures remain essential to counter these persistent threats and protect critical infrastructure from ongoing exploitation.
