Cybercriminals Target Russian Companies with Phishing Attacks
A cybercriminal group named Rare Werewolf is launching targeted phishing attacks on Russian and CIS-based companies. The group, also known as “Librarian Ghouls” or “rezet,” has been active since May. They aim to steal data and mine cryptocurrency.
Kaspersky’s research shows that the group uses deceptive emails to trick victims into opening malicious files. These emails look like they come from real organizations. Once opened, the attackers can access the device remotely. They steal sensitive data, like login details and crypto wallet info, and install Monero (XMR) miners.
To stay hidden, the attackers set the infected machines to wake up at 1 AM and shut down at 5 AM. This way, their activities go unnoticed. The group mainly targets industrial companies and engineering schools. The emails are in Russian, suggesting the victims are Russian speakers.
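The 1 AM wake and 5 AM shutdown cycle described above is something defenders can look for in endpoint power telemetry. The following is an added example, not taken from Kaspersky's report: the `host,timestamp,event` log format, the host names, the 10-minute tolerance and the three-night threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample power events (host, ISO timestamp, event); not real telemetry.
SAMPLE_EVENTS = """\
ws-eng-01,2025-06-02T01:00:12,wake
ws-eng-01,2025-06-02T05:00:03,shutdown
ws-eng-01,2025-06-03T01:00:09,wake
ws-eng-01,2025-06-03T05:00:01,shutdown
ws-eng-01,2025-06-04T01:01:30,wake
ws-eng-01,2025-06-04T05:00:05,shutdown
ws-hr-07,2025-06-02T08:55:40,wake
ws-hr-07,2025-06-02T18:10:00,shutdown
ws-hr-07,2025-06-03T01:02:00,wake
ws-hr-07,2025-06-03T09:30:00,shutdown
srv-bkp-02,2025-06-02T01:00:00,wake
srv-bkp-02,2025-06-02T05:00:00,shutdown
"""

def near(ts, hour, tolerance_min):
    """True if ts falls within tolerance_min minutes of hour:00 on its own date."""
    target = ts.replace(hour=hour, minute=0, second=0, microsecond=0)
    return abs((ts - target).total_seconds()) <= tolerance_min * 60

def find_night_cycles(log_text, wake_hour=1, stop_hour=5, tolerance_min=10, min_nights=3):
    """Return {host: [dates]} for hosts that woke near wake_hour and shut down
    near stop_hour on at least min_nights distinct dates."""
    wakes, stops = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # skip malformed rows
        host, raw_ts, event = parts
        try:
            ts = datetime.fromisoformat(raw_ts)
        except ValueError:
            continue  # skip rows with unparseable timestamps
        if event == "wake" and near(ts, wake_hour, tolerance_min):
            wakes[host].add(ts.date())
        elif event == "shutdown" and near(ts, stop_hour, tolerance_min):
            stops[host].add(ts.date())
    hits = {}
    for host in wakes:
        nights = sorted(wakes[host] & stops[host])  # both events on the same date
        if len(nights) >= min_nights:
            hits[host] = [d.isoformat() for d in nights]
    return hits
```

Requiring the pattern to repeat across several nights keeps one-off maintenance windows, such as the single backup-server night in the sample, out of the results.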
Kaspersky found domains linked to the campaign, like users-mail[.]ru and deauthorization[.]online. These domains host phishing pages that steal Mail.ru login credentials.
The Librarian Ghouls campaign is still active, with recent attacks observed. Companies should stay vigilant and educate employees about phishing threats.
