APT carries out attacks with data theft and crypto miner deployment
Essential information
- Published
- 09/06/2025 19:15
- Modified
- 09/06/2025 20:20
- Tags
- 2025-06-09 apt cis crypto mining data theft industrial targets legitimate tools phishing russia xmrig
- Related entities
- 55 observables, 1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 5 others
Description
Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto miner. Their tactics include disabling security measures, scheduling tasks to cover their tracks, and exfiltrating sensitive data. The campaign primarily affects industrial enterprises and engineering schools in Russia, with some victims in Belarus and Kazakhstan. The group continues to refine its methods, focusing on data exfiltration, remote access, and email account compromise through phishing sites.