Librarian Ghouls
Librarian Ghouls is an APT group also known as Rare Werewolf and Rezet. The group targets organizations and users in Russia, the CIS, and Central Asia, with reporting specifically noting Russia, Belarus, and Kazakhstan. Researchers observed hundreds of Russian victims, especially industrial enterprises and engineering schools, and reporting also cites theft of technical know-how such as 3D or physical models and CAD/CAM designs.

The group primarily uses targeted spear-phishing emails containing password-protected archives with executable files, often disguised as messages from legitimate organizations with official-looking document attachments. Rather than relying mainly on custom malware, Librarian Ghouls heavily abuses legitimate third-party tools and scripts. Reported tools and utilities include AnyDesk for remote access, Blat for SMTP exfiltration, Defender Control to disable Windows Defender, 4t Tray Minimizer to hide activity, XMRig for cryptocurrency mining, and in some cases Mipko Personal Monitor, WebBrowserPassView, ngrok, and NirCmd.

In the described intrusion chain, a self-extracting installer created with Smart Install Maker deploys components into directories such as C:\Intel and C:\Intel\AnyDesk, including a decoy PDF, curl.exe, and a malicious shortcut. A script then contacts attacker infrastructure including downdown[.]ru to download additional files, including a customized WinRAR console build used for archiving stolen data, Blat, AnyDesk, PowerShell scripts, and Defender Control. The attackers configure unattended AnyDesk access, with reporting noting a hardcoded password of QWERTY1234566 in one script, disable Windows Defender, and alter power settings. A notable operational pattern is the use of scheduled tasks to wake infected systems at 1:00 AM and shut them down at 5:00 AM, creating a four-hour window for unauthorized remote access. Reporting describes tasks named WakeUpAndLaunchEdge and ShutdownAt5AM.
The group steals credentials, cryptocurrency wallet data, seed phrases, and registry dumps including HKLM\SAM and HKLM\SYSTEM, packages stolen data into password-protected archives, and exfiltrates it via SMTP using Blat. The attackers also install a miner package from bmapps[.]org that includes XMRig. Associated infrastructure and phishing activity mentioned in the reporting includes command-and-control domains downdown[.]ru and dragonfires[.]ru, both resolving to 185.125.51[.]5, as well as phishing domains users-mail[.]ru and deauthorization[.]online designed to harvest mail.ru credentials. Reporting states the group remained active through May 2025 and continuously updated its scripts and bundled utilities.
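A defender-side hunt over constructed log lines, added here as an example and not taken from the reporting or from Mallory: it flags the scheduled-task names, the C:\Intel staging directory, the dual-use binaries and the domains described above. The simplified `<event_id> key=value` log format, the on-disk filenames (AnyDesk.exe, blat.exe, xmrig.exe) and the sample events are assumptions constructed for this example.

```python
import re
# Indicator values are taken from the reporting summarised on this page.
TASK_NAMES = {"wakeupandlaunchedge", "shutdownat5am"}
DOMAINS = {"downdown.ru", "dragonfires.ru", "bmapps.org", "users-mail.ru", "deauthorization.online"}
STAGING_DIR = "c:\\intel\\"
# On-disk filenames are an assumption about how the named tools appear.
TOOL_BINARIES = {"anydesk.exe", "blat.exe", "xmrig.exe"}
# Constructed log format: <event_id> key=value key="quoted value" ...
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> dict:
    # Split one constructed log line into its event id plus key/value fields.
    event_id, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["event_id"] = event_id
    return fields

def classify(ev: dict) -> list[str]:
    # Return every reason this event matches the tradecraft described above.
    hits, eid = [], ev["event_id"]
    if eid == "4698":  # Security: scheduled task created
        name = ev.get("task", "").lstrip("\\").lower()
        if name in TASK_NAMES:
            hits.append(f"known task name: {name}")
    if eid in ("1", "4688"):  # Sysmon / Security: process creation
        image = ev.get("image", "").lower()
        if image.startswith(STAGING_DIR):
            hits.append(f"execution from staging dir: {image}")
        if image.rsplit("\\", 1)[-1] in TOOL_BINARIES:
            hits.append(f"dual-use tool: {image}")
    if eid == "22":  # Sysmon: DNS query
        q = ev.get("query", "").lower()
        if q in DOMAINS or any(q.endswith("." + d) for d in DOMAINS):
            hits.append(f"known domain: {q}")
    return hits

def hunt(lines) -> list[tuple[str, list[str]]]:
    # Keep only lines that trigger at least one rule, with their reasons.
    return [(ln, h) for ln in lines if (h := classify(parse(ln)))]

# Constructed sample events: four that should fire, three that should not.
SAMPLE_LOG = [
    r"4698 task=\WakeUpAndLaunchEdge user=CORP\jdoe",
    r"4698 task=\Microsoft\Windows\Defrag\ScheduledDefrag user=SYSTEM",
    r"1 image=C:\Intel\AnyDesk\AnyDesk.exe parent=C:\Windows\System32\cmd.exe",
    r'4688 image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r"22 query=downdown.ru image=C:\Intel\curl.exe",
    r"22 query=www.mail.ru image=C:\Windows\explorer.exe",
    r"1 image=C:\Users\jdoe\AppData\Local\Temp\blat.exe parent=C:\Windows\System32\cmd.exe",
]
```

Running `hunt(SAMPLE_LOG)` returns the four matching lines with their reasons; the AnyDesk line fires twice, once for the staging directory and once for the binary name.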
Targeting
Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Capital Goods
Tradecraft
24 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
59 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
- Targeted espionage in Russia/Central Asia via spear-phishing password-protected archives, using legitimate remote/admin tools for access and exfiltration, plus opportunistic cryptomining.
- Criminal group targeting Russian and former Soviet-state companies; steals credentials and crypto-wallet data, then deploys crypto miners; uses time-based execution to exfiltrate at night.
- Referenced as an example of attackers stealing industrial technical know-how, including 3D/physical models and CAD/CAM designs.
- Active APT campaign targeting primarily Russian organizations, using phishing emails with password-protected archives, legitimate third-party tools, PowerShell and batch scripts for remote access, credential theft, data exfiltration, phishing-based email credential harvesting, and deployment of an XMRig crypto miner.