Rare Werewolf, also referred to as Librarian Ghouls and formerly Rare Wolf, is a threat actor observed targeting industrial, engineering, aerospace, aviation, and other Russian entities, with activity reported across Russia, Belarus, and Kazakhstan. The actor has been linked to phishing-led intrusions using invoice-themed lures and spoofed domains impersonating legitimate Russian aerospace-related organizations. In the described campaigns, Rare Werewolf relied heavily on legitimate third-party software, living-off-the-land tactics, and off-the-shelf tools rather than obvious custom malware. Observed tradecraft includes delivery via password-protected archives, use of a decoy PDF, staged download of additional payloads, deployment of a portable AnyDesk instance for unattended remote access with a preset password, persistence through a scheduled task disguised as an update process, hiding remote-access activity with Tray Minimizer, exfiltration of AnyDesk configuration data and related files through a command-line SMTP mailer, and deletion of artifacts to reduce forensic visibility. Reporting also notes that related campaigns attributed to the actor have deployed mining tools after persistence was established, although mining was not observed in the specific sample described.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
28 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
35 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Espionage-oriented phishing campaign using invoice lures to deploy and configure AnyDesk for unattended remote access, establish scheduled-task persistence, exfiltrate configuration data, and delete artifacts to maintain long-term covert access.
Uses legitimate remote access software during intrusions, specifically AnyDesk.
Targets Russian and CIS entities; emphasizes living-off-the-land/legitimate third-party tools over custom malware development.
Rare Werewolf uses legitimate tools and LotL tactics, abstaining from bespoke malware, to evade detection while targeting Russian entities.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.