Angry Likho - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:54:12 UTC
 APT group: Angry Likho
Names Angry Likho (?)
Country [Unknown]
Motivation Information theft and espionage
First seen 2023
Description
(Kaspersky) Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group
we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which
we’ve analyzed before, so we classified it within the Likho malicious activity cluster.
However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a
limited range of implants, and a focus on employees of large organizations, including
government agencies and their contractors. Given that the bait files are written in fluent
Russian, we infer that the attackers are likely native Russian speakers.
We’ve identified hundreds of victims of this attack in Russia, several in Belarus, and additional
incidents in other countries. We believe that the attackers are primarily targeting organizations
in Russia and Belarus, while the other victims were incidental—perhaps researchers using
sandbox environments or exit nodes of Tor and VPN networks.
Observed
Sectors: Government.
Countries: Belarus, Russia.
Tools used LummaC2.
Information Last change to this card: 02 March 2025
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=419130a6-acc7-48e1-9633-db31c6dda0db
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=419130a6-acc7-48e1-9633-db31c6dda0db
Page 1 of 1