Trade Haven Hub - Investing and Stock News

Hackers Turn Russian Devices Into Crypto Mining Machines While Stealing Private Keys

June 11, 2025

A sophisticated cybercriminal operation targeting Russian companies has transformed legitimate business computers into covert crypto mining operations while also stealing sensitive financial data.

According to research by Kaspersky, the Librarian Ghouls APT group, also known as Rare Werewolf and Rezet, has orchestrated an ingenious dual-purpose attack that weaponizes victims’ own hardware against them.

The attack establishes unauthorized remote access to deploy Monero miners while harvesting cryptocurrency wallet credentials and private keys.

The attackers have maintained relentless activity through May 2025, primarily targeting industrial enterprises and engineering schools across Russia and the Commonwealth of Independent States.

How Hackers Steal and Mine Crypto on Russian Devices

The Librarian Ghouls’ operation begins with meticulously crafted phishing emails containing password-protected archives masquerading as official documents from legitimate organizations.

PDF document imitating a payment order Source: Kaspersky

A complex infection chain starts operating once victims extract and execute these files. The malware installer deploys the legitimate 4t Tray Minimizer window manager to obscure malicious activities while establishing communication with servers to download additional payloads.

Adding to the attack's complexity, the attackers implemented an automated schedule that wakes compromised machines at 1 AM and shuts them down at 5 AM.

This creates a narrow four-hour window for unauthorized access while minimizing the likelihood of detection by unsuspecting users.

During this window, the malware systematically searches for cryptocurrency-related files, targeting wallet.dat files, seed phrases, private keys, and any documents containing terms like “bitcoin,” “ethereum,” or “wallet” in multiple languages.

The stolen data is then packaged into password-protected archives and transmitted via SMTP to attacker-controlled email accounts.

Source: Kaspersky

Following data exfiltration, the system installs XMRig cryptocurrency mining software, which is configured to connect to mining pools under the attackers’ control.

This dual-purpose approach ensures continuous revenue generation long after the initial data theft, effectively turning each compromised machine into a persistent income source.

The mining operation runs covertly in the background, consuming the victim’s computational resources and electricity while generating Monero cryptocurrency for the threat actors.
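The behaviours described in this section (the 1 AM wake and 5 AM shutdown, wallet-file reads, SMTP sent by a non-mail process, and an XMRig command line) can be correlated per host for triage. The Python below is an added example, not code from Kaspersky or the original article; the event schema, host names, process names and mail-client allowlist are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (host, local time, kind, detail). The schema,
# host names and process names are hypothetical; map your own log fields to it.
SAMPLE_EVENTS = [
    ("ws-014", "2025-05-12 01:00:07", "wake", "scheduled task"),
    ("ws-014", "2025-05-12 01:03:41", "file_read", r"updater.exe|C:\Users\a\wallet.dat"),
    ("ws-014", "2025-05-12 01:09:12", "net", "updater.exe|587"),
    ("ws-014", "2025-05-12 01:15:30", "proc", "xmrig.exe -o stratum+tcp://pool.example:3333"),
    ("ws-014", "2025-05-12 05:00:02", "shutdown", "scheduled task"),
    ("ws-022", "2025-05-12 01:30:00", "wake", "user input"),
    ("ws-022", "2025-05-12 09:14:55", "net", "outlook.exe|587"),
    ("ws-022", "2025-05-12 18:02:10", "shutdown", "user"),
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist, tune per site
SMTP_PORTS = {"25", "465", "587"}
WINDOW = range(1, 5)  # hours 01:00-04:59, the access window the article describes

def findings_by_host(events):
    """Return {host: set of findings} for the behaviours named in the article."""
    found = defaultdict(set)
    wake_days, shutdown_days = defaultdict(set), defaultdict(set)
    for host, ts, kind, detail in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        in_window = t.hour in WINDOW
        if kind == "wake" and t.hour == 1:
            wake_days[host].add(t.date())
        elif kind == "shutdown" and t.hour == 5:
            shutdown_days[host].add(t.date())
        elif kind == "net":
            image, port = detail.rsplit("|", 1)
            if in_window and port in SMTP_PORTS and image.lower() not in MAIL_CLIENTS:
                found[host].add("smtp_from_non_mail_process")
        elif kind == "file_read" and in_window:
            if detail.lower().endswith("wallet.dat"):
                found[host].add("wallet_file_read")
        elif kind == "proc":
            if "xmrig" in detail.lower() or "stratum+tcp://" in detail.lower():
                found[host].add("miner_command_line")
    for host in wake_days:  # 1 AM wake and 5 AM shutdown on the same day
        if wake_days[host] & shutdown_days[host]:
            found[host].add("wake_1am_shutdown_5am")
    return dict(found)

def hosts_to_triage(events, min_findings=3):
    """Hosts where several independent signals coincide, to limit false positives."""
    return sorted(h for h, f in findings_by_host(events).items() if len(f) >= min_findings)
```

A single signal, such as one night-time wake, is weak on its own; requiring several to coincide on the same host is what keeps the ordinary workstation `ws-022` out of the result.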

Global Implications and Escalating Threats Towards Crypto

The Librarian Ghouls campaign emerges against a backdrop of increasingly sophisticated and damaging cryptocurrency-related cybercrime.

Recent data breaches have exposed sensitive information from major exchanges, including Gemini and Binance, with dark web marketplaces actively trading user databases containing personal details, email addresses, and location data.

Hackers operating on the dark web are claiming to possess and sell sensitive personal data of users from major crypto exchanges Gemini and Binance. #Hackers #Darkweb https://t.co/VrMHbX6Snf

— Cryptonews.com (@cryptonews) March 28, 2025

These compromised datasets fuel secondary criminal activities, including fraud schemes, recovery scams, and targeted phishing campaigns that exploit victims’ existing relationships with legitimate cryptocurrency platforms.

More notably, the North Korean connection to large-scale exchange breaches is a particularly concerning development, as these state-sponsored operations show the technical capability to infiltrate almost any system.

North Korean hackers have successfully laundered at least $300 million from their record-breaking $1.5 billion cryptocurrency heist. #NorthKorea #Bybit https://t.co/QaDxLtuXq3

— Cryptonews.com (@cryptonews) March 10, 2025

A March Cryptonews report shows that the Lazarus Group has successfully laundered $300 million from its recent $1.5 billion Bybit heist.

In fact, experts estimate that 20% of the stolen funds have already “gone dark,” likely converted through sophisticated money laundering networks across multiple jurisdictions and cryptocurrency platforms.

The convergence of these constant threats shows a maturing ecosystem under sustained assault from multiple vectors, one that requires coordinated industry-wide responses to protect both individual users and institutional infrastructure, as demonstrated by Bybit in its last attack.

The post Hackers Turn Russian Devices Into Crypto Mining Machines While Stealing Private Keys appeared first on Cryptonews.
