Rare Werewolf APT Hits Russia With Crypto Mining, Data Theft Attacks

HomeNews* An advanced cyber group called Rare Werewolf has carried out attacks in Russia and the Commonwealth of Independent States (CIS), mainly targeting industrial and educational sectors.

• The attackers use legitimate, third-party tools and PowerShell scripts instead of custom-made Malware, making detection harder.
• Phishing emails deliver malware hidden inside password-protected archives, which deploy cryptocurrency mining software and steal user data.
• Hundreds of Russian users, including those in Belarus and Kazakhstan, were affected. The attackers focused on stealing credentials and enabling remote access.
• A separate group, DarkGaboon, has used LockBit 3.0 Ransomware in financially motivated attacks targeting Russian organizations since 2023. A cyber group known as Rare Werewolf has been linked to a series of cyberattacks targeting Russia and other CIS countries. The attackers used phishing emails to deliver malicious files, aiming to gain remote access, steal credentials, and install cryptocurrency mining software called XMRig. These attacks have affected several hundred users, including those at industrial companies and technical schools in Russia, Belarus, and Kazakhstan.

• Advertisement - According to researchers at Kaspersky, the group avoids traditional malware, instead using command files and PowerShell scripts combined with legitimate software to perform their attacks. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky stated. Attackers sent phishing emails with password-protected archives containing executable files, often disguised as documents such as payment orders.

Once inside the victim’s system, the attackers installed software like 4t Tray Minimizer, which hides running apps in the system tray. They also deployed tools to disable antivirus software and send stolen data to attacker-controlled email accounts using the legitimate program Blat. The team used AnyDesk remote desktop software and scheduled scripts to maintain access during specific hours. "All of the malicious functionality still relies on the installer, command, and PowerShell scripts," said Kaspersky.

Rare Werewolf—also known as Librarian Ghouls and Rezet—has previously targeted organizations in Russia and Ukraine, with notable activity since 2019. Their strategy involves leveraging well-known utilities to make detection and attribution more difficult.

In a separate development, Positive Technologies reported that the financially motivated group DarkGaboon has been targeting Russian organizations since mid-2023. The group uses phishing emails carrying archive files or Windows screensaver files to activate LockBit 3.0 ransomware and other remote access trojans, such as XWorm and Revenge RAT. As noted by Positive Technologies‘ researcher Victor Kazakov, "DarkGaboon is not a client of the LockBit RaaS service and acts independently…" The group uses public versions of LockBit and threatens to leak stolen data online.

These activities highlight ongoing threats to organizations in Russia and surrounding regions, with attackers relying on common, legitimate software tools to evade detection and complicate attribution.

Previous Articles:

• Ant International, Deutsche Bank Partner to Explore Stablecoin Launch
• SocGen’s SG Forge Launches US Dollar Stablecoin on Ethereum, Solana
• Canary Capital Forms Delaware Trust For Potential Injective (INJ) ETF
• Women Lose $50K in Crypto Scams After Clicking PM Facebook Ads
• SEC Proposes ‘Innovation Exemption’ to Boost Onchain Crypto Products

• Advertisement -