Rare Werewolf APT Group Targets Russian and CIS Firms in Cryptojacking and Data Theft Campaign

Cybersecurity researchers have uncovered targeted phishing attacks by the Rare Werewolf advanced persistent threat (APT) group against Russian and Commonwealth of Independent States (CIS) organizations. The group aims to mine Monero cryptocurrency and steal sensitive corporate data while employing sophisticated evasion techniques.

According to Kaspersky’s analysis, Rare Werewolf delivers phishing emails containing malicious attachments to gain remote access to systems. The campaign specifically targets industrial enterprises and engineering schools, using decoy documents that mimic legitimate communications to trick victims. Attackers impersonate popular email services to harvest credentials from Russian-speaking targets.

The group operates strategically to avoid detection by scheduling Monero mining activities exclusively between 1 AM and 5 AM local time. Kaspersky identified several domains central to the phishing infrastructure, including ‘users-mail[.]ru’ and ‘deauthorization[.]online’, which facilitate credential theft and malware deployment.

Security experts recommend organizations implement comprehensive countermeasures including employee cybersecurity awareness training, advanced email filtering systems, and mandatory multi-factor authentication to mitigate risks from such sophisticated phishing operations.
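The two behaviours described above, lookups of the named phishing domains and load confined to the 1 AM to 5 AM window, can be hunted for in endpoint and DNS telemetry. The following is an added example, not code from Kaspersky or the original article; the log format, host names, timestamps, CPU threshold and night-count threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Domains named in the article, kept defanged in source and refanged at load.
DEFANGED_IOCS = ["users-mail[.]ru", "deauthorization[.]online"]
IOCS = {d.replace("[.]", ".").lower() for d in DEFANGED_IOCS}

# Constructed sample telemetry (hypothetical format): "local ISO time,host,kind,value".
# kind=dns -> value is the queried name; kind=cpu -> value is CPU percent.
SAMPLE_LOG = """\
2025-06-02T09:14:03,ws-014,dns,login.users-mail.ru
2025-06-02T09:15:40,ws-022,dns,notusers-mail.ru
2025-06-02T10:02:11,ws-031,dns,deauthorization.online.
2025-06-03T01:30:00,ws-014,cpu,97
2025-06-03T03:00:00,ws-014,cpu,95
2025-06-03T04:30:00,ws-014,cpu,96
2025-06-03T14:00:00,ws-014,cpu,12
2025-06-04T02:00:00,ws-014,cpu,98
2025-06-03T02:00:00,ws-022,cpu,91
2025-06-03T11:00:00,ws-022,cpu,93
"""

def matches_ioc(name):
    """True for an IoC domain or any subdomain of it, not for lookalike suffixes."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOCS)

def analyse(log, cpu_threshold=90, min_nights=2):
    dns_hits = set()
    night_dates = defaultdict(set)   # host -> dates with high CPU in 01:00-05:00
    day_high = set()                 # hosts that are also busy outside the window
    for line in log.splitlines():
        ts, host, kind, value = line.split(",", 3)
        when = datetime.fromisoformat(ts)
        if kind == "dns" and matches_ioc(value):
            dns_hits.add(host)
        elif kind == "cpu" and float(value) >= cpu_threshold:
            if 1 <= when.hour < 5:
                night_dates[host].add(when.date())
            else:
                day_high.add(host)
    # High load on several nights, and never outside the window, fits the pattern.
    night_only = {h for h, d in night_dates.items()
                  if len(d) >= min_nights and h not in day_high}
    return dns_hits, night_only

if __name__ == "__main__":
    hits, night_only = analyse(SAMPLE_LOG)
    print("IoC DNS hits:", sorted(hits))
    print("Night-only high CPU:", sorted(night_only))
```

Timestamps must be in the endpoint's local time for the window check to be meaningful; a host that is legitimately busy overnight (backups, batch jobs) needs an allowlist before this is used for alerting.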
