Librarian Ghouls Turn Russian Devices Into Silent Crypto Miners

The group uses phishing emails containing malicious files to gain unauthorized access to systems. These emails look like regular messages from real companies and often contain what appear to be invoices or official documents.

Once opened, the file installs malware that gives hackers remote access. From there, they disable built-in protections, such as Windows Defender.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Is Decentralized Anonymous Blockchain a Myth? (Explained!)

SUBSCRIBE

ON YOUTUBE

Kaspersky reported that the infected computers are programmed to turn on at 1 AM and shut down at 5 AM.

This quiet time window allows hackers to stay hidden while accessing the device, gathering passwords, and preparing it to mine cryptocurrency. The attackers also examine the system’s details, such as memory, processor speed, and graphics card, to configure the mining tool.

While mining is active, the device contacts the mining pool every minute to remain connected.

Kaspersky stated that the group also installs tools to stay connected to the machine long-term. Additionally, they often use fake websites to trick users into giving away their email account access.

The campaign began in December 2024 and is still ongoing. It has mostly affected Russian users, especially those at industrial companies and technical schools. A smaller number of victims have been found in Belarus and Kazakhstan.

Recently, the Mobile Threat Intelligence team at ThreatFabric reported that the Android malware Crocodilus is targeting banking and cryptocurrency users in several regions. How does it work? Read the full story.