A cyber-espionage group known as Rare Werewolf, also referred to as “Librarian Ghouls” or “Rezet”, has been conducting a targeted and persistent phishing campaign across Russia and CIS-based organizations, according to new research released by Kaspersky. The group’s operation, active through May 2025, focuses on infiltrating corporate and industrial networks to steal sensitive data and hijack systems for Monero (XMR) crypto mining.
Phishing With a Purpose
Rare Werewolf deploys highly targeted phishing emails that masquerade as legitimate communications, tricking recipients into opening attachments laced with malware. Once a user opens the file, attackers gain remote access to the system, allowing them to exfiltrate sensitive data such as login credentials and crypto wallet information.
Following this initial breach, the malware installs Monero mining software, exploiting the machine’s processing power to generate illicit profits. To remain undetected, the compromised devices are scheduled to wake at 1:00 AM and shut down at 5:00 AM, minimizing chances of discovery during normal business hours.
Targets: Industry and Education
Kaspersky notes that the group is primarily targeting industrial enterprises and engineering schools, with all phishing content written in Russian. This includes email text, filenames, and embedded decoy documents suggesting the attackers are either Russian-speaking or have close familiarity with the region’s operational environment.
“These campaigns are clearly designed for Russian-speaking victims, with decoy content tailored to the local context,” Kaspersky researchers wrote.
Phishing Infrastructure and Web Domains
In addition to the phishing emails, Kaspersky uncovered several web domains possibly tied to Rare Werewolf’s infrastructure. Among them were users-mail[.]ru and deauthorization[.]online, both of which hosted fake login pages for Mail.ru, a popular Russian email platform. These sites were built using PHP scripts that capture and relay login data to the attackers.
While some connections between the domains and the Rare Werewolf campaign remain low-confidence, the timing and tactics strongly suggest coordination with the broader APT operation.
Still Active and Evolving
As of the publication of Kaspersky’s report, Rare Werewolf’s operations are ongoing, with new attacks observed as recently as last month. The group’s focus on covert operations, coupled with crypto mining and credential harvesting, highlights a broader trend of blended threats where traditional cyber-espionage intersects with financially motivated attacks.
Final Thoughts
The Rare Werewolf campaign underscores the growing sophistication of threat actors who now blend data theft with crypto exploitation. With Monero’s privacy features and the increasing use of phishing as an attack vector, businesses particularly in industrial and educational sectors must remain vigilant. Security teams are urged to monitor network activity during off-hours, reinforce email hygiene protocols, and ensure that endpoints are protected against unauthorized remote access and crypto-mining software.
