Russian Companies Targeted by Crypto Mining Cybercrime Campaign

Generated by AI Agent, Coin World
Wednesday, Jun 11, 2025 11:05 am ET

A sophisticated cybercriminal operation has been targeting Russian companies, transforming their legitimate business computers into covert crypto mining operations while simultaneously stealing sensitive financial data. The Librarian Ghouls group, also known as Rare and Rezet, has orchestrated this dual-purpose attack, weaponizing victims’ own hardware against them. The attack involves establishing unauthorized remote access to deploy Monero miners while harvesting cryptocurrency wallet credentials and private keys. The attackers have been active through May 2025, primarily targeting industrial enterprises and engineering schools across Russia and the Commonwealth of Independent States.

The operation begins with carefully crafted phishing emails containing password-protected archives that masquerade as official documents from legitimate organizations; the password protection also keeps the contents away from mail-gateway scanners. Once victims extract and execute these files, a multi-stage infection chain starts. The malware installer deploys the legitimate 4t Tray Minimizer window manager to hide the windows of the malicious tools from the user, while contacting remote servers to download additional payloads. The attackers have implemented an automated schedule that wakes compromised machines at 1 AM and shuts them down at 5 AM, creating a four-hour window in which the attackers operate while the user is away and the machine's activity is unlikely to be noticed. During this window, the malware systematically searches for cryptocurrency-related files, targeting wallet files, seed phrases, private keys, and any documents containing terms like “bitcoin,” “ethereum,” or “wallet” in multiple languages. The stolen data is then packaged into password-protected archives and transmitted via SMTP to attacker-controlled email accounts.

Following data exfiltration, the malware installs the XMRig cryptocurrency miner, configured to connect to mining pools under the attackers’ control. This dual-purpose approach ensures continuous revenue generation long after the initial data theft, effectively turning each compromised machine into a persistent income source. The miner runs covertly in the background, consuming the victim’s CPU time and electricity while generating Monero for the threat actors.
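The tradecraft described in the two paragraphs above (an off-hours wake/shutdown schedule, SMTP exfiltration from a non-mail process, and an XMRig miner pointed at an attacker-controlled pool) is visible in ordinary endpoint telemetry. The following is an added detection example written for this page, not code from the original article or from Kaspersky's reporting. It runs three heuristics over constructed Sysmon-style records and scores hosts by how many of the three fire. The host names, file paths, the pool address, the exfiltration mailer (assumed here to be blat.exe) and the 00:00–06:00 off-hours window are all assumptions for the example; the stratum URL scheme and the -a rx/0 / --donate-level arguments are standard XMRig command-line conventions.

```python
import re
from datetime import time

# Constructed Sysmon-style telemetry for two workstations. These records are
# invented for this example and are not data from the campaign.
EVENTS = [
    {"host": "eng-ws-07", "kind": "task", "name": "SysWake",
     "trigger": "01:00", "action": r"C:\ProgramData\4t\TrayMin.exe"},
    {"host": "eng-ws-07", "kind": "task", "name": "SysOff",
     "trigger": "05:00", "action": r"C:\Windows\System32\shutdown.exe /s /f /t 0"},
    {"host": "eng-ws-07", "kind": "netconn", "image": r"C:\ProgramData\blat.exe",
     "dport": 587, "dst": "smtp.example.net"},
    {"host": "eng-ws-07", "kind": "process", "image": r"C:\ProgramData\svc\host.exe",
     "cmdline": "host.exe -o stratum+tcp://pool.example:3333 "
                "-u 4ExampleMoneroAddress -a rx/0 -k --donate-level 0"},
    # Benign control host: a night-time backup job and Outlook talking SMTP.
    {"host": "hr-ws-02", "kind": "task", "name": "Backup",
     "trigger": "22:00", "action": r"C:\Tools\backup.exe"},
    {"host": "hr-ws-02", "kind": "netconn",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dport": 587, "dst": "smtp.office365.com"},
]

OFF_HOURS = (time(0, 0), time(6, 0))          # assumed window; tune per site
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes allowed to speak SMTP
SMTP_PORTS = {25, 465, 587}
# Miner indicators: stratum pool URL, the xmrig name, XMRig's donate flag,
# or the RandomX (Monero) algorithm selector.
MINER_RE = re.compile(
    r"stratum\+(?:tcp|ssl)://|xmrig|--donate-level|(?:^|\s)-a\s+rx/0", re.I)


def _in_off_hours(hhmm):
    h, m = map(int, hhmm.split(":"))
    return OFF_HOURS[0] <= time(h, m) < OFF_HOURS[1]


def wake_shutdown_pairs(events):
    """Hosts that have an off-hours scheduled task AND an off-hours shutdown task.

    Returns (host, wake_trigger, shutdown_trigger) tuples.
    """
    by_host = {}
    for e in events:
        if e["kind"] == "task" and _in_off_hours(e["trigger"]):
            by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, tasks in by_host.items():
        shut = [t for t in tasks if "shutdown.exe" in t["action"].lower()]
        other = [t for t in tasks if t not in shut]
        if shut and other:
            hits.append((host, other[0]["trigger"], shut[0]["trigger"]))
    return hits


def smtp_from_non_mail_client(events):
    """Outbound SMTP from any process that is not an allow-listed mail client."""
    hits = []
    for e in events:
        if e["kind"] != "netconn" or e["dport"] not in SMTP_PORTS:
            continue
        exe = e["image"].rsplit("\\", 1)[-1].lower()
        if exe not in MAIL_CLIENTS:
            hits.append((e["host"], exe, e["dst"]))
    return hits


def miner_processes(events):
    """Processes whose command line carries XMRig / stratum pool indicators."""
    return [(e["host"], e["image"]) for e in events
            if e["kind"] == "process" and MINER_RE.search(e["cmdline"])]


def triage(events):
    """One point per heuristic that fires on a host; 2+ points means investigate."""
    score = {}
    for findings in (wake_shutdown_pairs(events),
                     smtp_from_non_mail_client(events),
                     miner_processes(events)):
        for host, *_ in findings:
            score[host] = score.get(host, 0) + 1
    return score


if __name__ == "__main__":
    for host, points in sorted(triage(EVENTS).items()):
        print(f"{host}: {points}/3 indicators")
```

The three heuristics are deliberately independent so that a single benign match (a legitimate night-time maintenance task, or an unusual but sanctioned mailer) does not page anyone; the combination of an off-hours wake/shutdown pair, SMTP from an odd binary and a stratum pool connection on the same host is what makes the pattern distinctive.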

The Librarian Ghouls campaign highlights the increasing sophistication and damaging nature of cryptocurrency-related cybercrime. Recent data breaches have exposed sensitive information from major exchanges, including Gemini and Binance, with dark web marketplaces actively trading user databases containing personal details, email addresses, and location data. These compromised datasets fuel secondary criminal activities, including fraud schemes, recovery scams, and targeted phishing campaigns that exploit victims’ existing relationships with legitimate cryptocurrency platforms. Separately, the North Korean connection to large-scale exchange breaches is particularly concerning, as these state-sponsored operations have demonstrated the technical capability to breach even well-resourced exchanges. A March report shows that the Lazarus Group has successfully laundered $300 million from its recent $1.5 billion Bybit heist. Experts estimate that 20% of the stolen funds have already “gone dark,” likely converted through sophisticated money laundering networks across multiple jurisdictions and cryptocurrency platforms. Taken together, these incidents show a cryptocurrency ecosystem under sustained attack from multiple directions, requiring coordinated industry-wide responses to protect both individual users and institutional infrastructure.