{
	"id": "c0775058-a2c2-4f61-b8ae-d4305e4f8107",
	"created_at": "2026-04-06T00:07:55.463554Z",
	"updated_at": "2026-04-10T03:35:36.891279Z",
	"deleted_at": null,
	"sha1_hash": "4ac527ac16d40a410053cd0c5d6b8cedbdbb8d76",
	"title": "Awaken Likho is awake: new techniques of an APT group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238083,
	"plain_text": "Awaken Likho is awake: new techniques of an APT group\r\nBy Kaspersky\r\nPublished: 2024-10-07 · Archived: 2026-04-05 15:01:43 UTC\r\nIntroduction\r\nIn July 2021, a campaign was launched primarily targeting Russian government agencies and industrial\r\nenterprises. Shortly after the campaign started, we began tracking it, and published three reports in August and\r\nSeptember 2024 through our threat research subscription on the threat actor we named Awaken Likho (also named\r\nby other vendors as Core Werewolf).\r\nWhile investigating the activity of this APT group, we discovered a new campaign that began in June 2024 and\r\ncontinued at least until August. Analysis of the campaign revealed that the attackers had significantly changed the\r\nsoftware they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral\r\nplatform instead of the UltraVNC module, which they had previously used to gain remote access to systems. The\r\ngroup remains focused on targeting Russian government organizations and enterprises.\r\nTechnical details\r\nDuring the investigation, using our Yara rules, we identified a new implant that we hadn’t seen previously in this\r\ngroup’s arsenal. Based on our telemetry, we concluded that the implant was delivered to victims’ devices via a\r\nmalicious URL, likely obtained through phishing emails. Awaken Likho operators typically use search engines to\r\ngather as much information as possible about their victims and prepare convincing messages. We weren’t able to\r\nobtain the original phishing emails used to distribute this implant, but email attachments in previous campaigns\r\nincluded self-extracting archives (SFX) and links to malicious modules. In addition, previous attacks used Golang\r\ndroppers to deliver malware – we didn’t find evidence of this in the current activity. However, the main difference\r\nin the implant we analyzed lies in a new method of gaining and maintaining control over the infected machine.\r\nFor several years, we observed the use of the UltraVNC module to gain remote access to systems, but in this\r\ncampaign, the attackers used MeshAgent, an agent for the MeshCentral system. As stated on the official\r\nMeshCentral website, this is an open-source remote device management solution with extensive functionality.\r\nWe discovered the new type of implant in September 2024, and our telemetry indicates that the attackers began\r\nusing this software in August 2024. So now, let’s analyze this implant in detail.\r\nMD5 603eead3a4dd56a796ea26b1e507a1a3\r\nSHA1 56d6ef744adbc484b15697b320fd69c5c0264f89\r\nSHA256 7491991dd42dabb123b46e33850a89bed0a2790f892d16a592e787d3fee8c0d5\r\nBuild date and time Mon Dec 31 03:38:51 2012 (this does not correspond to the actual implant build date)\r\nhttps://securelist.com/awaken-likho-apt-new-implant-campaign/114101/\r\nPage 1 of 9\n\nCompiler MSVC/C++, Packer: UPX(3.07),[LZMA]\r\nFile size 1 887 698 bytes\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections\r\nUnpacking the archive\r\nAs in previous campaigns, the implant is packed using UPX and distributed in a self-extracting archive (SFX),\r\ncreated using 7-Zip, as indicated by its metadata. To continue the analysis, we must unpack it.\r\nImplant metadata\r\nThe archive contains five files, four of which are disguised as legitimate system services and command files.\r\nImplant archive contents\r\nThe remaining CMD file (the last one in the screenshot above) has a non-descriptive, randomly generated name.\r\nIn previous implants we analyzed, most files were named in this way. What’s more, some files contained no\r\npayload and were added to the archive solely to mislead users. We will analyze all the files from the archive, but\r\nfirst, let’s open it in “#” mode. This is a special parser mode in 7-Zip, used for analyzing files to gather additional\r\ninformation about the archive, including the installation script.\r\nOpening an archive in “#” mode from the archiver context menu\r\nContents of the archive opened in “#” mode\r\nTo determine how the implant persists in the system, we extract the installation script named “2” from the archive.\r\nSFX archive installation script\r\nAs seen in the script code, the SFX module extracts all components of the archive into a temporary directory and\r\nruns MicrosoftStores.exe without parameters.\r\nAutoIt script\r\nThe next step in the attack is to execute MicrosoftStores.exe. This sample is also packed using UPX.\r\nMD5 deae4a955e1c38aae41bec5e5098f96f\r\nSHA1 a45d8d99b6bc53fa392a9dc374c4153a62a11e2a\r\nSHA256 f11423a3c0f3f30d718b45f2dcab394cb8bdcd473c47a56544e706b9780f1495\r\nBuild date and time Fri Dec 23 13:59:31 2011 (this does not correspond to the time of the attack)\r\nCompiler MSVC/C++, Packer: UPX(3.08),[NRV]\r\nFile size 584 839 bytes\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections\r\nKnown file names MicrosoftStores.exe\r\nHaving unpacked the file, we see that it contains a compiled AutoIt script with an interpreter – this is indicated by\r\na snippet in the file’s code starting with AU3!. The presence of this script explains why the file was executed\r\nwithout parameters after extraction.\r\nWe managed to extract the decompiled AutoIt script, which was obfuscated.\r\nExtracted AutoIt script\r\nMD5 892c55202ce3beb1c82183c1ad81c7a0\r\nSHA1 976b5bc7aafc32450f0b59126f50855074805f28\r\nSHA256 f3421e5392e3fce07476b3c34153a7db0f6c8f873bd8887373f7821bd0281dcc\r\nInterpreter AutoIt\r\nFile size 624 bytes\r\nFile type File utility: ASCII text, with CRLF line terminators\r\nAfter manually deobfuscating it, we can determine the purpose of the script: it launches NetworkDrivers.exe and\r\nnKka9a82kjn8KJHA9.cmd with the specified parameters to ensure persistence in the system.\r\nContents of AutoIt script after deobfuscation\r\nPayload\r\nNetworkDrivers.exe\r\nNext, we examine the first executable launched by the script, NetworkDrivers.exe.\r\nMD5 63302bc6c9aebe8f0cdafdd2ecc2198a\r\nSHA1 f4e2c56e1e5e73aa356a68da0ae986103c9a7bad\r\nSHA256 37895c19d608aba8223e7aa289267faea735c8ee13676780a1a0247ad371b9b8\r\nBuild date and time Fri Dec 09 23:13:19 2022\r\nCompiler MSVC/C++\r\nFile size 3 843 579 bytes\r\nFile type PE32 executable (console) Intel 80386, for MS Windows, 6 sections\r\nKnown file names NetworkDrivers.exe\r\nOur products detect this sample with the verdict not-a-virus:HEUR:RemoteAdmin.Win32.MeshAgent.gen.\r\nIndeed, this is MeshAgent, the agent for the legitimate MeshCentral platform, which the attackers started using\r\ninstead of UltraVNC.\r\nnKka9a82kjn8KJHA9.cmd\r\nThe AutoIt script then launches the command file nKka9a82kjn8KJHA9.cmd with specified parameters.\r\nMD5 912ebcf7da25c56e0a2bd0dfb0c9adff\r\nSHA1 a76601fc29c523a3039ed9e7a1fc679b963db617\r\nSHA256 c31faf696c44e6b1aeab4624e5330dc748633e2d8a25d624fc66fed384797f69\r\nBuild date and time 06/08/2024 11:08 AM\r\nInterpreter cmd.exe\r\nFile size 1 158 708 bytes\r\nFile type DOS batch file, ASCII text, with very long lines (1076)\r\nKnown file names nKka9a82kjn8KJHA9.cmd\r\nIt’s important to note that this script has an unusually large size – over 1 MB. The reason is simple: it’s heavily\r\nobfuscated.\r\nPart of the obfuscated contents of nKka9a82kjn8KJHA9.cmd\r\nDespite the large amount of code, the obfuscation technique is quite simple: the attackers use large filler text\r\nblocks. During script execution, the interpreter skips the meaningless text using labels with the GOTO command.\r\nWe were able to easily deobfuscate this file.\r\nnKka9a82kjn8KJHA9.cmd after manual deobfuscation\r\nThe purpose of this command file is to create a scheduled task named MicrosoftEdgeUpdateTaskMachineMS.\r\nThis task runs EdgeBrowser.cmd from the unpacked archive and deletes certain files related to malicious activity,\r\nsuch as the first-stage executable MicrosoftStores.exe. This makes it harder to detect the attackers.\r\nEdgeBrowser.cmd\r\nThe command file from the previous stage creates a task to run the EdgeBrowser.cmd script.\r\nMD5 c495321edebe32ce6731f7382e474a0e\r\nSHA1 bcd91cad490d0555853f289f084033062fa1ffaa\r\nSHA256 82415a52885b2731214ebd5b33ceef379208478baeb2a09bc985c9ce8c62e003\r\nBuild date and time 01/08/2024 9:49 AM\r\nInterpreter cmd.exe\r\nFile size 402 bytes\r\nFile type DOS batch file, ASCII text, with CRLF line terminators\r\nKnown file names EdgeBrowser.cmd\r\nEdgeBrowser.cmd\r\nThis script launches NetworkDrivers.exe (the MeshAgent agent) using PowerShell to interact with the C2 server.\r\nThese actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command\r\nfile, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server.\r\nNetworkDrivers.msh\r\nThere is another file in the archive named NetworkDrivers.msh. This is the configuration file for MeshAgent. We\r\nalso found its contents in the code of the NetworkDrivers.exe.\r\nMeshAgent configuration file contents\r\nThis file specifies the agent’s parameters for establishing a connection with the MeshCentral server: MeshName,\r\nMeshID, ServerID, and the C2 address, connecting via the WebSocket protocol. When opening this address via\r\nHTTPS, the following window appears – the login form for the MeshCentral platform.\r\nMeshCentral platform login interface\r\nThis confirms that the attackers used the legitimate MeshCentral system to interact with the C2 server.\r\nVictims\r\nThe primary victims of this attack were Russian government agencies, their contractors, and industrial enterprises.\r\nAttribution\r\nBased on the TTPs used and the information about the victims, we assume with high confidence that the threat\r\nactor is the APT group Awaken Likho.\r\nTakeaways\r\nAwaken Likho is one of the threat actors that ramped up its activity after the start of the Russo-Ukrainian conflict.\r\nRecently, the group’s methods have changed significantly; for example, they have begun using MeshCentral\r\ninstead of UltraVNC. The APT is still active – we’ve seen fresh implants dated August 2024. It’s worth noting that\r\nthe implant analyzed in this article does not contain the payload-free files we observed in previous samples.\r\nClearly, this is a new version of the malware, which is still in development. We believe we will see new attacks\r\nfrom the Awaken Likho operators. We are convinced that the group continues to successfully infiltrate their\r\nselected targets’ infrastructure.\r\nSuch attacks once again stress the importance of a comprehensive solution to ensure continuous protection of\r\ncorporate resources, especially in the face of evolving threats.\r\nIndicators of compromise\r\n603eead3a4dd56a796ea26b1e507a1a3\r\ndeae4a955e1c38aae41bec5e5098f96f\r\n892c55202ce3beb1c82183c1ad81c7a0\r\n63302bc6c9aebe8f0cdafdd2ecc2198a\r\n912ebcf7da25c56e0a2bd0dfb0c9adff\r\nc495321edebe32ce6731f7382e474a0e\r\nDomain\r\nkwazindernuren[.]com\r\nIP address\r\n38.180.101[.]12\r\nMalicious task name\r\nMicrosoftEdgeUpdateTaskMachineMS\r\nSource: https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/"
	],
	"report_names": [
		"114101"
	],
	"threat_actors": [
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775792136,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ac527ac16d40a410053cd0c5d6b8cedbdbb8d76.pdf",
		"text": "https://archive.orkl.eu/4ac527ac16d40a410053cd0c5d6b8cedbdbb8d76.txt",
		"img": "https://archive.orkl.eu/4ac527ac16d40a410053cd0c5d6b8cedbdbb8d76.jpg"
	}
}