A stealthy cyber campaign called Rare Werewolf is silently siphoning computing power, and sensitive data from hundreds of devices across Russia. First observed in December 2024, this ongoing operation is targeting industrial organizations and engineering schools, with victims also reported in Belarus and Kazakhstan.
Unlike the flashy ransomware attacks that dominate headlines, Rare Werewolf keeps a low profile. By blending social engineering, strategic automation, and off-the-shelf tools, it turns everyday systems into clandestine cryptocurrency miners while also harvesting login credentials and hijacking popular messaging accounts.
Phishing: The First Bite
At the heart of the campaign is a classic but effective tactic: phishing. Victims receive Russian-language emails masquerading as official communications. They often appear to come from government or academic institutions. These emails contain password-protected archive files, typically ZIP or RAR, which conceal the malicious payload.
Once a target opens the archive and runs the included executable, the attacker gains a foothold. From there, the Rare Werewolf group installs XMRig, a legitimate open-source tool used for mining Monero (XMR), a privacy-focused cryptocurrency.
This approach allows the group to avoid writing or deploying custom malware, making their activities harder to detect and attribute.
Stealth by Schedule
What sets Rare Werewolf apart is its clever use of time-based automation. Once the miner is deployed, the infected machines are scheduled to wake from sleep at 1 a.m., launch the Microsoft Edge browser, and reboot by 5 a.m. This daily cycle confines the mining activity to hours of minimal user interaction, effectively hiding performance slowdowns and system anomalies from the people who use the machines.
This scheduled stealth operation allows the malware to persist for long periods without raising alarms, draining electricity and computing resources under the radar.
More Than Mining: Credential Theft
Rare Werewolf isn’t just in it for the crypto. Security analysts from Kaspersky report that the group also exfiltrates sensitive data from infected machines, including:
- Login credentials (browser-saved passwords, system logins)
- Confidential documents
- Telegram session data and account access
This suggests that Rare Werewolf may be financially motivated but opportunistic, ready to monetize stolen credentials or pivot into deeper surveillance and espionage if the data is valuable enough.
Who’s Behind Rare Werewolf?
Attribution remains murky. Kaspersky’s analysis points to attackers who rely on public tools and known techniques rather than sophisticated zero-day exploits. This aligns more with cybercriminals or hacktivists than state-sponsored groups.
Given the regional focus and language used in the lures, it’s plausible that the group operates from within or near Eastern Europe. However, without hard evidence, researchers are cautious about drawing definitive conclusions.
What’s clear is that the campaign reflects increasing sophistication among low- to mid-tier threat actors. The blending of crypto-mining, data theft, and clever evasion demonstrates a high return-on-investment model that doesn’t require elite tools, just careful planning and persistence.
Why This Matters
While crypto-mining malware isn’t new, Rare Werewolf’s focus on industrial systems and universities is significant. These targets often have:
- Long system uptime and high availability
- Access to valuable credentials and networks
- Less rigorous cybersecurity controls than large enterprises
The campaign also underscores a trend in modern cybercrime: hybrid operations that don’t fit neatly into one category. Mining, spying, stealing, and persistence mechanisms are increasingly being combined into flexible toolkits that evolve with the attacker’s goals.
How to Protect Against Similar Threats
Organizations, especially in education, manufacturing, and infrastructure, should adopt the following practices to detect and block stealthy campaigns like Rare Werewolf:
- Strengthen phishing defenses: Deploy advanced email filtering and educate users on the risks of password-protected attachments.
- Monitor for unusual activity: Track CPU/GPU usage spikes during off-hours. Watch for automated application launches like Edge without user input.
- Enable multi-factor authentication (MFA): This adds a barrier to account hijacking, especially for Telegram and browser-based services.
- Audit reboot logs: Scheduled reboots outside maintenance windows can be a red flag.
- Use endpoint protection tools that detect and alert on unauthorized cryptominer installations or suspicious network activity.
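As an added illustration (not from the article or from Kaspersky’s report), the following Python sketch applies the monitoring advice above, together with the 1 a.m. wake / Edge launch / 5 a.m. reboot cycle described earlier, to a constructed sample of endpoint telemetry. The log format, field names, thresholds and maintenance window are assumptions made for the example.

```python
"""Flag the off-hours wake, browser-launch, mine, reboot cycle in sample telemetry."""
from datetime import datetime

# Constructed sample telemetry, one event per line: "<ISO timestamp>|<type>|<k=v;...>".
# Event types are assumed: 'task' (scheduled task registered), 'proc' (process start
# with its parent), 'cpu' (average CPU % over the previous hour) and 'reboot'.
SAMPLE_LOG = """\
2025-02-10T12:05:00|task|name=Updater;wake=1;start=01:00;action=msedge.exe
2025-02-10T14:20:00|proc|image=msedge.exe;parent=explorer.exe
2025-02-11T01:00:12|proc|image=msedge.exe;parent=svchost.exe
2025-02-11T01:05:00|proc|image=xmrig.exe;parent=msedge.exe
2025-02-11T03:00:00|cpu|avg=96
2025-02-11T05:00:03|reboot|reason=scheduled
2025-02-11T09:30:00|proc|image=msedge.exe;parent=explorer.exe
"""

OFF_HOURS = range(0, 6)        # 00:00-05:59: nobody should be at the keyboard
CPU_THRESHOLD = 80             # sustained load that is abnormal for an idle host
MAINTENANCE_HOURS = {22, 23}   # assumed approved reboot window

def parse(line):
    """Split one log line into (timestamp, event type, field dict)."""
    ts, kind, detail = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in detail.split(";"))
    return datetime.fromisoformat(ts), kind, fields

def detect(log_text):
    """Return (timestamp, reason) findings matching the campaign's daily cycle."""
    findings = []
    for line in log_text.splitlines():
        ts, kind, f = parse(line)
        off = ts.hour in OFF_HOURS
        if kind == "task" and f.get("wake") == "1" and int(f["start"][:2]) in OFF_HOURS:
            findings.append((ts, f"task {f['name']} wakes host at {f['start']} to run {f['action']}"))
        elif kind == "proc" and off and f["image"] == "msedge.exe" and f["parent"] != "explorer.exe":
            findings.append((ts, f"browser launched off-hours by {f['parent']}, not by the user's shell"))
        elif kind == "proc" and f["image"].lower().startswith("xmrig"):
            findings.append((ts, f"known miner binary {f['image']} spawned by {f['parent']}"))
        elif kind == "cpu" and off and int(f["avg"]) >= CPU_THRESHOLD:
            findings.append((ts, f"{f['avg']}% CPU while the host should be idle"))
        elif kind == "reboot" and ts.hour not in MAINTENANCE_HOURS:
            findings.append((ts, "reboot outside the maintenance window"))
    return findings

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(ts.isoformat(), reason)
```

Daytime Edge launches started from the user's shell produce no finding; the off-hours task, the svchost-parented launch, the miner process, the 3 a.m. load and the 5 a.m. reboot each do.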
Final Thoughts
Rare Werewolf might not be making headlines like ransomware cartels or espionage groups, but its impact is real, and growing. It represents a new wave of cybercriminal activity that quietly exploits everyday vulnerabilities, proving that even unspectacular attacks can be highly effective when executed with discipline.
As cybercrime continues to diversify, defenders must evolve too. Combating threats like Rare Werewolf means looking beyond malware signatures and flashy exploits. It requires vigilance, behavioral monitoring, and a strong understanding of how seemingly harmless activity (like a midnight browser launch) could be the first clue in a far more dangerous campaign.