Angry Likho: Old Beasts In A New Forest
Thumbnail
Angry Likho, an APT group also known as Sticky Werewolf, has been active since 2023, targeting government agencies and large organizations primarily in Russia and Belarus through spear-phishing campaigns. The group employs sophisticated techniques involving malicious RAR archives, obfuscated scripts, and known payloads like the Lumma stealer to harvest sensitive data, maintaining ongoing operations with periodic activity pauses. Affected: Russia, Belarus, governmental organizations, contractors, employees, cybersecurity sector

Keypoints :

  • Angry Likho primarily targets employees of large organizations, especially in governmental sectors.
  • The attackers utilize spear-phishing emails with malicious attachments to gain access to victims’ systems.
  • The group has been linked to hundreds of targeted attacks in Russia and Belarus, with some incidental victims from other regions.
  • They employ a technique of alternating periods of intensified activity with quiet phases before launching new attacks.
  • The malicious implant discovered is called FrameworkSurvivor.exe and contains a strong obfuscation methodology.
  • Exfiltrated data includes sensitive personal information from various browsers and cryptocurrency wallets.
  • Recent activity indicates ongoing threat from Angry Likho in early 2025, with new payloads and techniques.
  • Organizations need robust security monitoring and employee training to defend against such targeted campaigns.

MITRE Techniques :

  • Phishing (T1566): Standardized spear-phishing emails with embedded malicious RAR attachments.
  • Exploitation for Client Execution (T1203): The use of malicious LNK files within the phishing email attachment.
  • Remote File Copy (T1105): Malicious SFX files are executed to copy files to the victim’s system without detection.
  • Obfuscated Files or Information (T1027): Use of obfuscated scripts and binaries to conceal malicious activity.
  • Data from Information Repositories (T1213): Harvesting stored data from browsers and applications.

Indicator of Compromise :

  • [File Hash] f8df6cf748cc3cf7c05ab18e798b3e91ef8c77dc451f6c783d2c4ddb726de111de26f488328ea0436199c5f728ecd82ad4b75a8318befdb1474328a92f0fc79dba40c097e9d06130f366b86deb4a8124b0844bb9a6b026569f9baf26a40c36f389052678dc147a01f3db76febf8441e4842f8064a81eb5fc8828580a08d9b0447c527c6607cc1bfa55ac0203bf39593975fd9018433f5cbd2a4422d1f09b224e729c24cc6a49fb635601eb88824aa27669f6dcdb3d87392f300e9052de99d7ce5e17d1a077f86f7ae4895a312176eba6373ebf513d0838e1b8c3ce2028c3e673351260c2873645e314a889170c7a775023ce22596f1c7d6db171753c1d2612fe0c03efd969f6d9e6517c300f8fd92921277acb857f1587221fc752f19be27187
  • [File Hash] faa47ecbcc846bf182e4ecf3f190a9f4d8c6199b414bdf298b6a774e60515ba59d3337f0e95ece531909e4c8d9f1cc556bd84dfb987f9c40098d12e3959994bc6396908315d9147de3dff98ab1ee4cbe1e210fcc47eda459998c9a74c30f394efe0438938eef75e090a38d8b17687357
  • [Domain] testdomain123123[.]shop
  • [Domain] averageorganicfallfaw[.]shop
  • [Domain] distincttangyflippan[.]shop

Full Story: https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/