Hundreds of Russian devices hit by Rare Werewolf cryptomining attacks
A hacker group known as Rare Werewolf has been hijacking computers across Russia and neighboring countries to secretly mine cryptocurrency, according to new research.
The cybercriminals are deploying XMRig software — a legitimate tool for mining cryptocurrency — on victims' devices, said researchers at Russian cybersecurity firm Kaspersky. The campaign has affected hundreds of Russian users, particularly targeting industrial enterprises and engineering schools, with additional victims reported in Belarus and Kazakhstan.
Kaspersky said the attackers gain initial access through phishing emails written in Russian. These emails contain password-protected archives with malicious executable files and are typically disguised as messages from legitimate organizations, appearing to be official documents or payment orders.
Once inside the system, the hackers steal login credentials and install XMRig to mine cryptocurrency with the victims' computing power. They also use a novel method to maintain access and avoid detection: infected devices are programmed to shut down at 5 a.m. daily, and at 1 a.m. a script launches Microsoft Edge to wake the computer, giving the attackers a four-hour window each night in which to establish remote access.
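The nightly wake-and-shutdown schedule described above is something a defender can hunt for directly in Task Scheduler definitions. The following Python script is an added example written for this page; it is not code from Kaspersky's report and not an artifact of the campaign. It parses exported task XML (the format that `schtasks /query /xml` and PowerShell's `Export-ScheduledTask` produce) and flags tasks that wake the host during off-hours or whose action is shutdown.exe, then reports the gap between the two. The three task definitions, their names, paths and schedules are constructed for illustration.

```python
"""Hunt exported Windows Task Scheduler XML for a nightly wake/shutdown window.

Added example for this article: not Kaspersky's code and not an artifact from
the campaign. Task names, paths and schedules below are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by every task definition Task Scheduler exports.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Local-time hours at which nobody expects a workstation to wake itself (00:00-05:59).
OFF_HOURS = range(0, 6)

# Constructed sample export: two tasks shaped like the pattern the article describes
# (wake at 1 a.m. by launching Edge, shut down at 5 a.m.) plus one benign daytime task.
SAMPLE_TASKS = {
    r"\WakeHost": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-12-15T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</Command>
  </Exec></Actions>
</Task>""",
    r"\NightlyOff": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-12-15T05:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\shutdown.exe</Command><Arguments>/s /f /t 0</Arguments>
  </Exec></Actions>
</Task>""",
    r"\Example\DaytimeBackup": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-12-15T13:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Tools\\backup.exe</Command><Arguments>--daily</Arguments>
  </Exec></Actions>
</Task>""",
}


def _text(elem, path):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def parse_task(name, xml_text):
    """Extract what the hunt needs: first trigger time, WakeToRun, and Exec actions."""
    root = ET.fromstring(xml_text.strip())
    start = None
    for trigger in root.iterfind(f"{NS}Triggers/*"):
        boundary = _text(trigger, f"{NS}StartBoundary")
        if boundary:
            # Only the local time of day matters here; drop any fraction or UTC offset.
            start = datetime.fromisoformat(boundary[:19])
            break
    wake = _text(root, f"{NS}Settings/{NS}WakeToRun").lower() == "true"
    commands = [(_text(e, f"{NS}Command"), _text(e, f"{NS}Arguments"))
                for e in root.iter(f"{NS}Exec")]
    return {"name": name, "start": start, "wake_to_run": wake, "commands": commands}


def analyze_tasks(tasks):
    """Return findings for off-hours wake-ups and for scheduled shutdowns."""
    findings = []
    for name, xml_text in tasks.items():
        task = parse_task(name, xml_text)
        start = task["start"]
        tod = None if start is None else start.hour + start.minute / 60
        if task["wake_to_run"] and start is not None and start.hour in OFF_HOURS:
            findings.append({"task": name, "type": "off_hours_wake", "time": tod,
                             "commands": task["commands"]})
        for cmd, args in task["commands"]:
            if ntpath.basename(cmd).lower() in ("shutdown.exe", "shutdown"):
                findings.append({"task": name, "type": "scheduled_shutdown", "time": tod,
                                 "commands": [(cmd, args)]})
    return findings


def wake_shutdown_window_hours(findings):
    """Shortest gap in hours between any off-hours wake and a scheduled shutdown, or None."""
    wakes = [f["time"] for f in findings if f["type"] == "off_hours_wake"]
    offs = [f["time"] for f in findings
            if f["type"] == "scheduled_shutdown" and f["time"] is not None]
    if not wakes or not offs:
        return None
    return min((off - wake) % 24 for wake in wakes for off in offs)


if __name__ == "__main__":
    results = analyze_tasks(SAMPLE_TASKS)
    for f in results:
        print(f"{f['type']:<20} {f['task']:<24} time={f['time']} cmd={f['commands']}")
    print("wake-to-shutdown window:", wake_shutdown_window_hours(results), "hours")
```

On a real host, export every task with `schtasks /query /xml ONE` (or `Get-ScheduledTask | Export-ScheduledTask` in PowerShell) and feed the results in as the dictionary. Legitimate maintenance and backup jobs also wake machines at night, so treat a lone off-hours wake as a lead; the combination of a wake task, a shutdown task a few hours later and an unexpected executable in the wake action is the pattern worth escalating.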
The attackers collect information about available CPU cores and GPUs to optimally configure the crypto miner, and this data is sent to their servers, the report said.
Rare Werewolf has been active since at least 2019, according to previous reports. The group typically relies on legitimate third-party software and utilities rather than developing its own malicious tools to execute its attacks. The group’s origin has not yet been identified.
Kaspersky said the current campaign began in December 2024 and was ongoing as of last month, with the attackers continuously refining their tactics. In previous campaigns, the group has also focused on stealing sensitive documents and passwords and on compromising Telegram messenger accounts, in addition to cryptocurrency mining.
The group's methods — including the use of self-extracting archives and legitimate utilities — resemble those often associated with hacktivist groups, Kaspersky said.
XMRig has been widely abused by cybercriminals, who are consistently devising new methods to deliver the installer to victims’ devices. In previous cases targeting Russian firms, hackers delivered it through malicious versions of popular pirated games.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.