A hacker collective dubbed Rare Werewolf has been attacking numerous computers throughout Russia and its neighbouring countries to covertly mine cryptocurrency.
Reports revealed that these cybercriminals employ XMRig software, a legitimate mining tool, on their victims’ devices. This scheme has compromised hundreds of users in Russia, especially those in industrial sectors and engineering schools.
Researchers have also tracked a smaller number of campaigns in Belarus and Kazakhstan.
Rare Werewolf starts hunting down targets through malicious phishing emails.
According to investigations, the Rare Werewolf attackers open their campaigns with Russian-language phishing emails that carry password-protected archives containing malicious executable files.
These emails are often designed to mimic communications from reputable organisations, appearing as official documents or payment requests.
After breaching a system, the hackers pilfer login credentials and install XMRig to mine cryptocurrency using the victim’s computing resources.
They have also developed a unique approach to maintaining access and evading detection: programming the compromised devices to power down at 5 a.m. daily.
Before the shutdown, a script activates Microsoft Edge at 1 a.m. to wake the device, allowing the attackers a four-hour window to establish remote access.
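The wake-at-1-a.m., shut-down-at-5-a.m. routine leaves a fingerprint in the scheduled-task inventory that defenders can check for. The following Python is an added example, not code from the original report or from the attackers' tooling; it runs over a constructed, synthetic task list (hypothetical task names and paths) and flags the three elements described above: an off-hours browser launch used as a wake trigger, an early-morning forced shutdown, and an XMRig binary.

```python
import re

# Constructed sample of scheduled-task inventory records (task name, daily start
# time, command line). Synthetic data for illustration, not campaign telemetry.
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot", "start": "03:00",
     "command": "%windir%\\system32\\usoclient.exe StartInstall"},
    {"name": "\\EdgeWake", "start": "01:00",
     "command": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"name": "\\NightlyOff", "start": "05:00", "command": "shutdown.exe /s /f /t 0"},
    {"name": "\\SysHelper", "start": "01:05",
     "command": "C:\\Users\\Public\\xmrig.exe -o pool.invalid:3333 --threads=8"},
    {"name": "\\Backup", "start": "22:00", "command": "C:\\Tools\\backup.exe /full"},
]

SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/[sp]\b", re.I)  # /s or /p = power off
BROWSER_RE = re.compile(r"\bmsedge(?:\.exe)?\b", re.I)
MINER_RE = re.compile(r"\bxmrig(?:\.exe)?\b", re.I)


def start_hour(task):
    """Hour component of the task's daily start time (HH:MM)."""
    return int(task["start"].split(":")[0])


def classify(task):
    """Return the reasons a task matches the pattern; an empty list means benign."""
    reasons = []
    hour = start_hour(task)
    cmd = task["command"]
    if MINER_RE.search(cmd):
        reasons.append("miner binary")
    if BROWSER_RE.search(cmd) and 0 <= hour < 6:
        # A browser started by a daily task in the small hours is an odd wake trigger.
        reasons.append("off-hours browser launch")
    if SHUTDOWN_RE.search(cmd) and 0 <= hour < 7:
        reasons.append("early-morning forced shutdown")
    return reasons


def find_suspicious(tasks):
    """Map task name -> reasons for every task with at least one reason."""
    return {t["name"]: classify(t) for t in tasks if classify(t)}


def has_wake_shutdown_pair(tasks):
    """True when an off-hours browser launch precedes a forced shutdown the same
    morning: the combination that yields a bounded remote-access window."""
    wake = [start_hour(t) for t in tasks if "off-hours browser launch" in classify(t)]
    off = [start_hour(t) for t in tasks if "early-morning forced shutdown" in classify(t)]
    return any(w < s for w in wake for s in off)
```

On a live host the same checks can be fed from an export of the task scheduler rather than the constructed list.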
Furthermore, researchers report that the attackers gather data on available CPU cores and GPUs to optimise the cryptomining process and send this information back to their servers.
Previous investigations indicate that Rare Werewolf has been operational since 2019, preferring legitimate third-party software and tools over malware of its own. The group's origins remain unidentified.
Experts suggest this ongoing campaign started in December 2024, with the attackers persistently enhancing their strategies. Besides focusing on cryptocurrency mining, the group has a history of attempting to steal sensitive documents and passwords.
They have also executed attacks that compromised Telegram accounts in past operations. Researchers observed that the group’s techniques, including self-extracting archives and legitimate tools, are similar to those often employed by hacktivist organisations.
Cybercriminals frequently abuse XMRig and keep finding new ways to deliver its installer to victims' devices. In earlier incidents involving Russian companies, attackers distributed it through trojanised versions of popular pirated games.
