‘Librarian Ghouls’ APT Group Targets Organizations
The Advanced Persistent Threat (APT) group known as “Librarian Ghouls,” also tracked as “Rare Werewolf” and “Rezet,” has been targeting organizations across Russia and the Commonwealth of Independent States (CIS) with phishing campaigns that chain legitimate third-party software together with malware.
The group was still active as of May 2025 and has consistently focused on Russian companies, using targeted phishing emails as its primary infection vector.
These emails, often disguised as legitimate communications from trusted entities, contain password-protected archives with malicious executables.
Sophisticated Phishing and Malware Tactics Unveiled
Once a victim unlocks the archive and runs its contents, a multi-stage infection chain begins, one that relies on legitimate third-party software to mask the attackers’ activity and hinder detection.
According to Securelist’s report, this approach not only complicates attribution but also lets the attackers deploy remote access tools, steal credentials, and install the XMRig crypto-miner on compromised systems.
In technical terms, Librarian Ghouls initiate infections with self-extracting installers built with Smart Install Maker for Windows.
These installers deploy innocuous-looking software such as 4t Tray Minimizer to keep visible activity on the victim’s desktop to a minimum, while at the same time extracting the malicious components to directories such as C:\Intel.

From there, scripts such as rezet.cmd contact command-and-control (C2) servers such as downdown[.]ru and download additional payloads that are hosted with a .jpg extension and renamed to executables once on disk: AnyDesk for remote access, Blat for SMTP-based data exfiltration, and Defender Control to disable Windows Defender.
Exploiting Legitimate Tools for Malicious Intent
Subsequent batch files, such as bat.bat, orchestrate the remaining steps: configuring unattended access in AnyDesk, disabling security controls, and creating scheduled tasks that wake or shut down the system at set times so the activity does not draw the user’s attention.
PowerShell scripts further automate a daily launch of Microsoft Edge so that the system stays reachable for remote access.
The attackers’ use of customized legitimate tools, including a modified WinRAR 3.80 (driver.exe) for data compression and utilities such as WebBrowserPassView for credential theft, underscores their strategy of hiding malicious intent behind trusted software.
Their phishing domains, such as users-mail[.]ru, harvest email credentials, and the miners they install use configurations fetched from bmapps[.]org, which shows how many moving parts the operation has.
Targets include industrial enterprises and educational institutions, approached with Russian-language decoys to maximize impact in the region.
Organizations are urged to remain vigilant, update their security controls, and monitor for the indicators below to mitigate the risk posed by this persistent and evolving threat actor.
Indicators of Compromise (IoC)
Below is a curated list of IoCs associated with the Librarian Ghouls campaign for security teams to monitor and defend against; the hashes are SHA256, and the domain is defanged with [.].
Type | Indicator |
---|---|
Implant (SHA256) | d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68 |
Malicious archive (SHA256) | fd58900ea22b38bad2ef3d1b8b74f5c7023b8ca8a5b69f88cfbfe28b2c585baf |
Malicious BAT file (SHA256) | e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9 |
Miner installer, install.exe (SHA256) | 649ee35ad29945e8dd6511192483dddfdfe516a1312de5e0bd17fdd0a258c27f |
Malicious domain | downdown[.]ru |
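The article asks teams to monitor for the indicators above and describes the on-disk footprint (payloads renamed to executables under C:\Intel, scripts such as rezet.cmd and driver.exe) and the C2 and phishing domains (downdown[.]ru, users-mail[.]ru, bmapps[.]org). The following is an added example, not code from the original report or from Securelist: a small Python hunting script that refangs the published domains, matches them against proxy or DNS log lines (including subdomains), flags log lines that reference executables under C:\Intel, and hashes every file under a directory against the SHA256 list. The log lines and the temporary file it scans are constructed here for demonstration; the helper names are this example's own.

```python
import hashlib
import os
import re
import tempfile

# SHA256 indicators copied from the IoC table above.
HASH_IOCS = {
    "d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68",
    "fd58900ea22b38bad2ef3d1b8b74f5c7023b8ca8a5b69f88cfbfe28b2c585baf",
    "e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9",
    "649ee35ad29945e8dd6511192483dddfdfe516a1312de5e0bd17fdd0a258c27f",
}
# Domains named in the article, kept defanged exactly as published.
DOMAIN_IOCS = {"downdown[.]ru", "users-mail[.]ru", "bmapps[.]org"}

# Weak, context-only hint: executables/scripts dropped under C:\Intel (any drive letter).
SUSPICIOUS_PATH_RE = re.compile(r"[a-z]:\\intel\\[^\s\"']+\.(?:exe|cmd|bat|ps1)\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('downdown[.]ru', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, hash_iocs=HASH_IOCS) -> list[tuple[str, str]]:
    """Return (path, sha256) for every file under root whose hash is in hash_iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable/locked file: skip rather than abort the sweep
                continue
            if digest in hash_iocs:
                hits.append((path, digest))
    return hits


def scan_log_lines(lines, domain_iocs=DOMAIN_IOCS) -> list[tuple[int, str]]:
    """Return (line_no, domain) for lines containing an IoC domain or a subdomain of it.

    'cdn.downdown.ru' and 'downdown.ru/1.jpg' match; 'notdowndown.ru' does not.
    """
    domains = sorted(refang(d).lower() for d in domain_iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for d in domains:
            if re.search(r"(?:^|[^a-z0-9-])" + re.escape(d) + r"(?:$|[^a-z0-9-])", low):
                hits.append((n, d))
    return hits


def suspicious_paths(lines) -> list[tuple[int, str]]:
    """Return (line_no, path) for lines that reference an executable under C:\\Intel."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in SUSPICIOUS_PATH_RE.finditer(line):
            hits.append((n, m.group(0)))
    return hits


# Constructed sample telemetry for the demo; not real logs from any incident.
SAMPLE_LOG = [
    "2025-05-02T01:03:11Z host01 dns query A cdn.downdown.ru",
    "2025-05-02T01:03:12Z host01 proxy GET http://downdown.ru/1.jpg 200",
    "2025-05-02T09:10:00Z host02 dns query A notdowndown.ru",
    '2025-05-02T09:11:00Z host03 proc "C:\\Intel\\rezet.cmd" parent "C:\\Intel\\driver.exe"',
]


if __name__ == "__main__":
    print("domain hits:", scan_log_lines(SAMPLE_LOG))
    print("path hits:  ", suspicious_paths(SAMPLE_LOG))
    # Hash sweep over a throwaway directory holding one constructed file; it will
    # not match the published hashes, which is the expected clean result.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.bin"), "wb") as f:
            f.write(b"constructed sample, not malware")
        print("hash hits:  ", scan_tree(tmp))
```

The domain match is deliberately loose (a subdomain or a URL path still counts as a hit) because a hunt should err toward review rather than silence; the C:\Intel check is only a contextual hint, since legitimate Intel software can also live there, so treat it as a lead to pivot on, not an alert on its own.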