Rare Werewolf APT Hits Russia With Crypto Mining, Data Theft Attacks

Rare Werewolf and DarkGaboon Hackers Exploit Legitimate Tools in Targeted Cyberattacks on Russia and CIS Organizations

  • An advanced cyber group called Rare Werewolf has carried out attacks in Russia and the Commonwealth of Independent States (CIS), mainly targeting industrial and educational sectors.
  • The attackers use legitimate, third-party tools and PowerShell scripts instead of custom-made Malware, making detection harder.
  • Phishing emails deliver malware hidden inside password-protected archives, which deploy cryptocurrency mining software and steal user data.
  • Hundreds of Russian users, including those in Belarus and Kazakhstan, were affected. The attackers focused on stealing credentials and enabling remote access.
  • A separate group, DarkGaboon, has used LockBit 3.0 Ransomware in financially motivated attacks targeting Russian organizations since 2023.

A cyber group known as Rare Werewolf has been linked to a series of cyberattacks targeting Russia and other CIS countries. The attackers used phishing emails to deliver malicious files, aiming to gain remote access, steal credentials, and install cryptocurrency mining software called XMRig. These attacks have affected several hundred users, including those at industrial companies and technical schools in Russia, Belarus, and Kazakhstan.

- Advertisement -

According to researchers at Kaspersky, the group avoids traditional malware, instead using command files and PowerShell scripts combined with legitimate software to perform their attacks. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky stated. Attackers sent phishing emails with password-protected archives containing executable files, often disguised as documents such as payment orders.

Once inside the victim’s system, the attackers installed software like 4t Tray Minimizer, which hides running apps in the system tray. They also deployed tools to disable antivirus software and send stolen data to attacker-controlled email accounts using the legitimate program Blat. The team used AnyDesk remote desktop software and scheduled scripts to maintain access during specific hours. "All of the malicious functionality still relies on the installer, command, and PowerShell scripts," said Kaspersky.

Rare Werewolf—also known as Librarian Ghouls and Rezet—has previously targeted organizations in Russia and Ukraine, with notable activity since 2019. Their strategy involves leveraging well-known utilities to make detection and attribution more difficult.

In a separate development, Positive Technologies reported that the financially motivated group DarkGaboon has been targeting Russian organizations since mid-2023. The group uses phishing emails carrying archive files or Windows screensaver files to activate LockBit 3.0 ransomware and other remote access trojans, such as XWorm and Revenge RAT. As noted by Positive Technologies‘ researcher Victor Kazakov, "DarkGaboon is not a client of the LockBit RaaS service and acts independently…" The group uses public versions of LockBit and threatens to leak stolen data online.

These activities highlight ongoing threats to organizations in Russia and surrounding regions, with attackers relying on common, legitimate software tools to evade detection and complicate attribution.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Record U.S. Money Supply Fails to Lift Crypto, Markets Slide

The U.S. M2 money supply reached a record $22.02 trillion, while cryptocurrency markets continued...

Pinnacle, Synovus Agree to $8.6B Merger, Form Southeast Banking Giant

Pinnacle Bank and Synovus Bank announced an $8.6 billion all-stock merger to form a...

Ether Faces Near-Term Volatility as Borrowing Costs Surge and Valuations Soar

Borrowing costs for wrapped Ether (wETH) have increased sharply, making leveraged strategies less attractive. Technical...

Tesla Stock Drops 8% After Earnings Miss, Musk Teases Vine Revival

Tesla shares dropped over 8% following the company’s latest earnings report and a new...

Elon Musk’s xAI Teams Up With Kalshi to Boost Prediction Markets

xAI and Kalshi are partnering to integrate chatbot Grok with Kalshi’s regulated prediction market.Grok...

Must Read

What Is the Dencun Upgrade for Ethereum?

The Dencun Upgrade for Ethereum is poised to revolutionize the blockchain landscape, offering improved scalability, efficiency, and groundbreaking features. Set to launch at the...