Authors
Introduction
Librarian Ghouls, also known as “Rare Werewolf” and “Rezet”, is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targeting Russian companies.
A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries. The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts. The attackers establish remote access to the victim’s device, steal credentials, and deploy an XMRig crypto miner in the system.
Our research has uncovered new tools within this APT group’s arsenal, which we will elaborate on in this article.
Technical details
Initial infection vector
Attacks by Librarian Ghouls continued almost unabated throughout 2024. We observed a slight decline in the group’s activity in December, followed immediately by a new wave of attacks, which is ongoing. The group’s primary initial infection vector involves targeted phishing emails that contain password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents. The infection process is as follows: the victim opens the attached archive (the password is usually provided in the email body), extracts the files inside, and opens them.
We managed to get hold of a malicious implant from an archive disguised as a payment order. The sample is a self-extracting installer made with the Smart Install Maker utility for Windows.
The installer contains three files: an archive, a configuration file, and an empty file irrelevant for our analysis. They are later renamed into data.cab, installer.config and runtime.cab respectively.
The primary malicious logic resides in the installer’s configuration file. It uses a variety of registry modification commands to automatically deploy the legitimate window manager, 4t Tray Minimizer, onto the system. This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system.
Once 4t Tray Minimizer is installed, the installer pulls three files from data.cab and puts them into the C:\Intel directory, specifically at:
| File | Name when archived | Path on the infected system |
| Legitimate PDF as a decoy | 0 | \Intel\Payment Order # 131.pdf |
| Legitimate curl utility executable | 1 | \Intel\curl.exe |
| LNK file | 2 | \Intel\AnyDesk\bat.lnk |
The PDF decoy resembles an order to pay a minor amount:
