Kaspersky Labs has uncovered new activity from Angry Likho, an advanced persistent threat (APT) group that has been under observation since 2023. Also referred to as Sticky Werewolf by some vendors, the group has evolved its attack methods, introducing a previously unknown implant and targeting high-profile entities, particularly in Russia and Belarus.
According to Kaspersky’s report, “Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors.” Investigators have identified hundreds of victims in Russia and several in Belarus, with some incidental infections in other countries, likely due to security researchers analyzing the malware in sandbox environments or through compromised Tor exit nodes.
Angry Likho continues to rely on spear-phishing emails as its primary attack vector. These emails often invite the recipient to join a videoconference, with attached RAR archives containing two malicious LNK files and a legitimate-looking bait document. The bait document closely mirrors the body of the email, increasing the likelihood of deception.
In June 2024, Kaspersky researchers discovered an unknown implant used by Angry Likho, distributed under the filename FrameworkSurvivor.exe from a malicious domain.
“This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX). We’ve previously observed this technique in multiple Awaken Likho campaigns,” the report explains.
When executed, the self-extracting archive installs malware by extracting a hidden folder named $INTERNET_CACHE, which contains obfuscated scripts that execute malicious commands. The main script, Helping.cmd, launches an AutoIt-based payload, which in turn loads encrypted shellcode into memory for execution.
After deobfuscating the attack’s final payload, researchers identified it as Lumma Stealer, a powerful infostealer capable of exfiltrating:
- Browser-stored credentials and cookies
- Banking details
- Cryptocurrency wallet data
- VPN and remote access tool credentials (e.g., AnyDesk, KeePass)
According to Kaspersky, “The Lumma stealer gathers system and installed software information from the compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs.”
The malware communicates with multiple command-and-control servers, many of which were newly identified during Kaspersky’s analysis. Among them:
- averageorganicfallfaw[.]shop
- distincttangyflippan[.]shop
- stickyyummyskiwffe[.]shop
Researchers also linked the campaign to over 60 malicious implants hosted on related domains.
Angry Likho has demonstrated consistent attack techniques over time, with periodic pauses followed by surges in activity. In January 2025, new attacks were detected, reinforcing concerns that the group remains a persistent and evolving threat.
Kaspersky concludes, “The group’s latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files.”
Related Posts:
- New Campaign by Awaken Likho APT Group: Changes in Software and Techniques
- Beware Fake Angry IP Scanner Ads: SharpRhino RAT Used by Hunters Group Lurks Within
- Doctors warn that medical implants may be the hacker’s future goals
- Internet Archive Under Siege: DDoS Attacks and a Mysterious Data Breach
