{
  "name": "APT carries out attacks with data theft and crypto miner deployment",
  "slug": "apt-carries-out-attacks-with-data-theft-and-crypto-miner-deployment",
  "description": "Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails that carry malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto miner. Their tactics include disabling security measures, using scheduled tasks to cover their tracks, and exfiltrating sensitive data. The campaign primarily affects industrial enterprises and engineering schools in Russia, with some victims in Belarus and Kazakhstan. The group continues to refine its methods, focusing on data exfiltration, remote access, and email account compromise through phishing sites.",
  "published": "2025-06-09T17:15:55+00:00",
  "created_at": "2025-06-09T17:15:55+00:00",
  "modified_at": "2025-06-09T18:20:27+00:00",
  "created_at_opencti": "2025-06-09T17:15:55+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-09",
    "apt",
    "cis",
    "crypto mining",
    "data theft",
    "industrial targets",
    "legitimate tools",
    "phishing",
    "russia",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://bmapps.org/bmcontrol/win64/app-1.4.zip"
      },
      {
        "id": "",
        "name": "http://bmapps.org/bmcontrol/win64/Install.exe"
      },
      {
        "id": "",
        "name": "verifikations.ru"
      },
      {
        "id": "",
        "name": "vniir.space"
      },
      {
        "id": "",
        "name": "users-mail.ru"
      },
      {
        "id": "",
        "name": "unifikator.ru"
      },
      {
        "id": "",
        "name": "supersuit.site"
      },
      {
        "id": "",
        "name": "outinfo.ru"
      },
      {
        "id": "",
        "name": "office-email.ru"
      },
      {
        "id": "",
        "name": "office-account.ru"
      },
      {
        "id": "",
        "name": "mail-cheker.nl"
      },
      {
        "id": "",
        "name": "email-informer.ru"
      },
      {
        "id": "",
        "name": "dragonfires.ru"
      },
      {
        "id": "",
        "name": "downdown.ru"
      },
      {
        "id": "",
        "name": "detectis.ru"
      },
      {
        "id": "",
        "name": "deauthorization.online"
      },
      {
        "id": "",
        "name": "claud-mail.ru"
      },
      {
        "id": "",
        "name": "bmapps.org"
      },
      {
        "id": "",
        "name": "anyinfos.ru"
      },
      {
        "id": "",
        "name": "anyhostings.ru"
      },
      {
        "id": "",
        "name": "acountservices.nl"
      },
      {
        "id": "",
        "name": "accouts-verification.ru"
      },
      {
        "id": "",
        "name": "fd58900ea22b38bad2ef3d1b8b74f5c7023b8ca8a5b69f88cfbfe28b2c585baf"
      },
      {
        "id": "",
        "name": "f8c80bbecbfb38f252943ee6beec98edc93cd734ec70ccd2565ab1c4db5f072f"
      },
      {
        "id": "",
        "name": "e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9"
      },
      {
        "id": "",
        "name": "e6ea6ce923f2eee0cd56a0874e4a0ca467711b889553259a995df686bd35de86"
      },
      {
        "id": "",
        "name": "dfac7cd8d041a53405cc37a44f100f6f862ed2d930e251f4bf22f10235db4bb3"
      },
      {
        "id": "",
        "name": "de998bd26ea326e610cc70654499cebfd594cc973438ac421e4c7e1f3b887617"
      },
      {
        "id": "",
        "name": "d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68"
      },
      {
        "id": "",
        "name": "d7bcab5acc8428026e1afd694fb179c5cbb74c5be651cd74e996c2914fb2b839"
      },
      {
        "id": "",
        "name": "cab1c4c675f1d996b659bab1ddb38af365190e450dec3d195461e4e4ccf1c286"
      },
      {
        "id": "",
        "name": "c79413ef4088b3a39fe8c7d68d2639cc69f88b10429e59dd0b4177f6b2a92351"
      },
      {
        "id": "",
        "name": "c5eeec72b5e6d0e84ff91dfdcbefbbbf441878780f887febb0caf3cbe882ec72"
      },
      {
        "id": "",
        "name": "c353a708edfd0f77a486af66e407f7b78583394d7b5f994cd8d2e6e263d25968"
      },
      {
        "id": "",
        "name": "a6ff418f0db461536cff41e9c7e5dba3ee3b405541519820db8a52b6d818a01e"
      },
      {
        "id": "",
        "name": "9cce3eaae0be9b196017cb6daf49dd56146016f936b66527320f754f179c615f"
      },
      {
        "id": "",
        "name": "977054802de7b583a38e0524feefa7356c47c53dd49de8c3d533e7689095f9ac"
      },
      {
        "id": "",
        "name": "8bdb8df5677a11348f5787ece3c7c94824b83ab3f31f40e361e600576909b073"
      },
      {
        "id": "",
        "name": "8b6afbf73a9b98eec01d8510815a044cd036743b64fef955385cbca80ae94f15"
      },
      {
        "id": "",
        "name": "7d6b598eaf19ea8a571b4bd79fd6ff7928388b565d7814b809d2f7fdedc23a0a"
      },
      {
        "id": "",
        "name": "7c4a99382dbbd7b5aaa62af0ccff68aecdde2319560bbfdaf76132b0506ab68a"
      },
      {
        "id": "",
        "name": "785a5b92bb8c9dbf52cfda1b28f0ac7db8ead4ec3a37cfd6470605d945ade40e"
      },
      {
        "id": "",
        "name": "702bf51811281aad78e6ca767586eba4b4c3a43743f8b8e56bb93bc349cb6090"
      },
      {
        "id": "",
        "name": "6c86608893463968bfda0969aa1e6401411c0882662f3e70c1ac195ee7bd1510"
      },
      {
        "id": "",
        "name": "6954eaed33a9d0cf7e298778ec82d31bfbdf40c813c6ac837352ce676793db74"
      },
      {
        "id": "",
        "name": "65f7c3e16598a8cb279b86eaeda32cb7a685801ed07d36c66ff83742d41cd415"
      },
      {
        "id": "",
        "name": "636d4f1e3dcf0332a815ce3f526a02df3c4ef2890a74521d05d6050917596748"
      },
      {
        "id": "",
        "name": "649ee35ad29945e8dd6511192483dddfdfe516a1312de5e0bd17fdd0a258c27f"
      },
      {
        "id": "",
        "name": "53fd5984c4f6551b2c1059835ea9ca6d0342d886ba7034835db2a1dd3f8f5b04"
      },
      {
        "id": "",
        "name": "4d590a9640093bbda21597233b400b037278366660ba2c3128795bc85d35be72"
      },
      {
        "id": "",
        "name": "311ec9208f5fe3f22733fca1e6388ea9c0327be0836c955d2cf6a22317d4bdca"
      },
      {
        "id": "",
        "name": "2f3d67740bb7587ff70cc7319e9fe5c517c0e55345bf53e01b3019e415ff098b"
      },
      {
        "id": "",
        "name": "2af2841bf925ed1875faadcbb0ef316c641e1dcdb61d1fbf80c3443c2fc9454f"
      },
      {
        "id": "",
        "name": "1b409644e86559e56add5a65552785750cd36d60745afde448cce7f6f3f09a06"
      },
      {
        "id": "",
        "name": "01793e6f0d5241b33f07a3f9ad34e40e056a514c5d23e14dc491cee60076dc5a"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9918243d-e1bb-4495-8901-b9b4f35138f6",
        "name": "Librarian Ghouls",
        "slug": "librarian-ghouls"
      }
    ],
    "attack_patterns": [
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Belarus"
      },
      {
        "id": "",
        "name": "Kazakhstan"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536",
    "https://otx.alienvault.com/pulse/684732eb0477b17208dec6c0"
  ]
}