{
	"id": "de70481f-6c78-4d08-8874-bba475c70a11",
	"created_at": "2026-04-06T00:06:11.276666Z",
	"updated_at": "2026-04-10T03:36:48.249721Z",
	"deleted_at": null,
	"sha1_hash": "acc19fdf0e1bb046b0d3f6207a6c5453d294c07e",
	"title": "Angry Likho: Old beasts in a new forest",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 692225,
	"plain_text": "Angry Likho: Old beasts in a new forest\r\nBy Kaspersky\r\nPublished: 2025-02-21 · Archived: 2026-04-05 12:48:22 UTC\r\nAngry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers.\r\nWe’ve identified hundreds of victims of this attack in Russia, several in Belarus, and additional incidents in other countries. We believe that the attackers are primarily targeting organizations in Russia and Belarus, while the other victims were incidental—perhaps researchers using sandbox environments or exit nodes of Tor and VPN networks.\r\nAt the beginning of 2024, several cybersecurity vendors published reports on Angry Likho. However, in June 2024, we detected new attacks from this group, and in January 2025, we identified malicious payloads confirming their continued activity at the time of our research.\r\nTechnical details\r\nInitial attack vector\r\nThe initial attack vector used by Angry Likho consists of standardized spear-phishing emails with various attachments. 
Below is an example of such an email containing a malicious RAR archive.\r\nhttps://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/\r\nPage 1 of 15\n\nContents of spear-phishing email inviting the victim to join a videoconference\r\nThe archive includes two malicious LNK files and a legitimate bait file.\r\nBait document from spear-phishing email inviting the victim to join a videoconference\r\nThe content of this document is almost identical to the body of the phishing email.\r\nThis example illustrates how the attackers gain access to victims’ systems. All these emails (and others like them in our collection) date back to April 2024. We observed no further activity from this group until we discovered an unusual implant, described below. Based on our telemetry, the attackers operate periodically, pausing their activities for a while before resuming with slightly modified techniques.\r\nPreviously unknown Angry Likho implant\r\nIn June 2024, we discovered a very interesting implant associated with this APT. The implant was distributed under the name FrameworkSurvivor.exe from the following URL:\r\nhxxps://testdomain123123[.]shop/FrameworkSurvivor.exe\r\nThis implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System (NSIS), and functions as a self-extracting archive (SFX). 
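Before opening a suspected sample in 7-Zip, it helps to confirm that the file really carries NSIS installer data and where in the file it sits. The following Python is an added example written for this page, not code from Kaspersky's report: it locates the NSIS first header by its 0xDEADBEEF + NullsoftInst signature and reads the flag and size fields using the 28-byte field layout from the NSIS source (fileform.h). The file image it scans is constructed inline; the flag names are the FH_FLAGS_* constants from the same source.

```python
import struct

# NSIS first header as laid out in the NSIS source (fileform.h): flags, siginfo,
# nsinst[3], length_of_header, length_of_all_following_data, 28 bytes in total.
# siginfo is 0xDEADBEEF (little-endian EF BE AD DE) and nsinst[3] spells 'NullsoftInst'.
NSIS_SIG = bytes.fromhex('efbeadde') + b'NullsoftInst'
FIRSTHEADER_SIZE = 28
FH_FLAGS_MASK = 0x0F
FLAG_NAMES = {1: 'UNINSTALL', 2: 'SILENT', 4: 'NO_CRC', 8: 'FORCE_CRC'}


def find_nsis_firstheader(data):
    '''Locate the NSIS first header in a file image and return its fields,
    or None if no plausible header is present.'''
    pos = 0
    while True:
        idx = data.find(NSIS_SIG, pos)
        if idx < 0:
            return None
        start = idx - 4  # the 4-byte flags field sits right before siginfo
        if start >= 0 and start + FIRSTHEADER_SIZE <= len(data):
            flags, _sig, _magic, header_len, total_len = struct.unpack_from(
                '<II12sII', data, start)
            # the NSIS stub rejects headers carrying unknown flag bits; the size
            # check below is an extra sanity test added for this example
            if (flags & ~FH_FLAGS_MASK) == 0 and total_len >= FIRSTHEADER_SIZE:
                return {
                    'offset': start,
                    # the NSIS stub scans for the header at 512-byte intervals
                    'aligned_512': start % 512 == 0,
                    'flags': [name for bit, name in FLAG_NAMES.items() if flags & bit],
                    'header_len': header_len,     # uncompressed size of the script header
                    'total_len': total_len,       # installer data size recorded by the stub
                    'trailing_bytes': len(data) - (start + total_len),
                }
        pos = idx + 1


def build_sample():
    '''Constructed input for this example: a fake PE stub padded to 512 bytes,
    followed by a first header (flags = FORCE_CRC) and placeholder installer data.'''
    stub = b'MZ' + b'fake-pe-stub ' * 10
    stub += bytes(512 - len(stub))
    installer_data = b'compressed-header-and-files' * 4
    total_len = FIRSTHEADER_SIZE + len(installer_data)
    firstheader = struct.pack('<II12sII', 8, 0xDEADBEEF,
                              b'NullsoftInst', 4660, total_len)
    return stub + firstheader + installer_data


if __name__ == '__main__':
    print(find_nsis_firstheader(build_sample()))
```

Run it on a real sample with find_nsis_firstheader(open(path, 'rb').read()). A hit that is not 512-byte aligned deserves suspicion, since the NSIS stub itself only checks 512-byte boundaries, and a positive trailing_bytes value means data was appended after the installer block, which is another place to look for payloads.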
We’ve previously observed this technique in multiple Awaken Likho campaigns.\r\nBelow are the contents of the archive, opened using the 7-Zip archiver.\r\nContents of the malicious SFX archive\r\nThe archive contains a single folder, $INTERNET_CACHE, filled with many files without extensions.\r\nTo understand how the SFX archive infects a system when launched, we had to find and analyze its installation script. The latest versions of 7-Zip do not allow extraction of this script, but it can be retrieved using older versions. We used 7-Zip version 15.05 (the last version supporting extraction of the installation script):\r\nContents of the malicious SFX archive opened in 7-Zip version 15.05\r\nThe installation script was named [NSIS].nsi, and was partially obfuscated.\r\nObfuscated contents of the installation script\r\nAfter deobfuscation, we were able to determine its primary purpose:\r\nDeobfuscated installation script from the malicious SFX implant\r\nThe script resolves the NSIS $INTERNET_CACHE constant (the user’s Temporary Internet Files folder) on the victim’s system, extracts all the files from the archive into that folder, renames the file “Helping” to “Helping.cmd”, and executes it.\r\nHelping.cmd command file\r\nBelow are the contents of the Helping.cmd file:\r\nContents of the Helping.cmd file\r\nThis file is heavily obfuscated, with several meaningless junk lines inserted between each actual script command. Once deobfuscated, the script’s logic becomes clear. 
Below is the code, with some lines modified for readability:\r\nDeobfuscated Helping.cmd\r\nThe Helping.cmd script launches a legitimate AutoIt interpreter (Child.pif) with the file i.a3x as a parameter. The i.a3x file contains a compiled AU3 script. With that in mind, we can assume that this script implements the core logic of the malicious implant.\r\nAU3 script\r\nTo recover the original AU3 file used when creating the i.a3x file, we created a dummy executable with a basic AutoIt script, replaced its embedded compiled script with the contents of i.a3x, and used a specialized tool to extract the original AU3 script. We ended up with the original AU3 file:\r\nRestored AU3 script\r\nThe script is heavily obfuscated, with all strings encrypted. After deobfuscating and decrypting the code, we analyzed it. The script begins with a few verification procedures:\r\nThe AU3 script checks the environment\r\nThe script checks for artifacts associated with emulators and research environments of security vendors. If a match is found, it either terminates or executes with a 10,000 ms delay to evade detection.\r\nInterestingly, we’ve seen similar checks in the Awaken Likho implants. This suggests that the attackers behind these two campaigns share the same technology or are the same group using different tools for different targets and tasks.\r\nThe script next sets an error-handling mode by calling SetErrorMode() from kernel32.dll with the flags SEM_NOALIGNMENTFAULTEXCEPT (0x4), SEM_NOGPFAULTERRORBOX (0x2), and SEM_NOOPENFILEERRORBOX (0x8000), thus suppressing the error dialogs Windows would otherwise show for a crashing process or a failed file open. 
If this call fails, the script terminates.\r\nAfterward, the script deletes itself from disk by calling FileDelete(“i”) and generates a large text block, as shown below.\r\nCode for generating “shellcode”\r\nThis block is presumably shellcode that will be loaded into memory and executed. However, it is also packed and encrypted. Once unpacked and decrypted, the AU3 script attempts to inject the malicious payload into the legitimate AutoIt process.\r\nFinal activity of the AU3 script\r\nMain payload\r\nTo obtain the shellcode, we saved a dump of the decrypted and unpacked payload once the AU3 malicious script had fully processed it. After removing unnecessary bytes from the dump, we recovered the original payload of the attack. It turned out to be not shellcode but a full-fledged MZ PE executable file.\r\nThe decrypted and unpacked payload—an MZ PE file\r\nOur products detect this payload with the following verdicts:\r\nHEUR:Trojan.MSIL.Agent.pef\r\nHEUR:Trojan.Win32.Generic\r\nWe examined this payload and concluded that it is the Lumma Trojan stealer (Trojan-PSW.Win32.Lumma).\r\nThe Lumma stealer gathers system and installed software information from the compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs. It also steals data from 11 browsers, including Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, Mozilla Firefox and Waterfox, as well as cryptocurrency wallets such as Binance and Ethereum. Additionally, it exfiltrates data from cryptowallet browser extensions (MetaMask) and authenticators (Authenticator), along with information from applications such as the remote access software AnyDesk and the password manager KeePass.\r\nCommand servers\r\nThis sample contains encoded and encrypted addresses of command servers. 
By reimplementing the simple decryption routine found in the executable’s code, we restored the original domain names used as command servers.\r\naverageorganicfallfaw[.]shop\r\ndistincttangyflippan[.]shop\r\nmacabrecondfucews[.]shop\r\ngreentastellesqwm[.]shop\r\nstickyyummyskiwffe[.]shop\r\nsturdyregularrmsnhw[.]shop\r\nlamentablegapingkwaq[.]shop\r\ninnerverdanytiresw[.]shop\r\nstandingcomperewhitwo[.]shop\r\nBy identifying the command server names from this malware variant, we were able to identify other related samples. As a result, we discovered over 60 malicious implants. Some of them had the same payload, and we managed to find additional attacker-controlled command servers (the addresses listed below were used in the identified samples alongside the original command servers):\r\nuniedpureevenywjk[.]shop\r\nspotlessimminentys[.]shop\r\nspecialadventurousw[.]shop\r\nstronggemateraislw[.]shop\r\nwillingyhollowsk[.]shop\r\nhandsomelydicrwop[.]shop\r\nsoftcallousdmykw[.]shop\r\nWe’re convinced that the main objectives of this APT group are to steal sensitive data using stealers and establish full control over infected machines via malicious remote administration utilities.\r\nNew activity\r\nWe’ve been tracking the attacks of this campaign since June 2024. However, in January 2025, the attackers showed a new surge in activity, as reported by our colleagues from F6 (previously known as F.A.C.C.T.). We analyzed the indicators of compromise they published and identified signs of a potential new wave of attacks, likely in preparation since at least January 16, 2025:\r\nFiles found in Angry Likho’s payload repositories\r\nWe managed to download malicious files hosted in repositories seen in the January Angry Likho attack while they were still accessible. 
Analysis of the files test.jpg and test2.jpg revealed that they contained the same .NET-based payload, encoded using Base64. Last year, we documented Angry Likho attacks that used image files containing malicious code. Moreover, the filenames match those of the samples we recently discovered.\r\nThis further confirms that the Angry Likho group, responsible for these attacks, remains an active threat. We are continuing to monitor this threat and providing up-to-date cyber intelligence data about it and the TTPs used by the group.\r\nVictims\r\nAt the time of our investigation, our telemetry data showed hundreds of victims in Russia and several in Belarus. Most of the SFX archives had filenames and bait documents in Russian, thematically linked to government institutions in Russia. These institutions and their contractors are the primary targets of this campaign.\r\nAttribution\r\nWe attribute this campaign to the APT group Angry Likho with a high degree of confidence. It shares certain similarities with findings from our colleagues at BI.ZONE and F6, as well as previous attacks by the group:\r\n1. The same initial implant structure (an archive with similar contents, sent in an email).\r\n2. Similar bait documents with the same naming patterns and themes, mostly written in Russian.\r\n3. Command files and AutoIt scripts used to install the implant are obfuscated similarly. Newer versions contain more sophisticated installation scripts, with extra layers of obfuscation to complicate analysis.\r\n4. The implant described in this report contains a known payload—the Lumma stealer (Trojan-PSW.Win32.Lumma). 
We have not previously seen this tool used in Angry Likho campaigns, but earlier attacks showed similar data exfiltration tactics, suggesting the group is still targeting cryptowallet files and user credentials.\r\nConclusion\r\nWe are continuing to monitor the activity of the Angry Likho APT, which targets Russian organizations. The group’s latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files. As before, the complex infection chain was contained in a self-extracting archive distributed via email. We believe that the attackers crafted spear-phishing emails tailored to specific users, attaching bait files designed to attract their interest. Additionally, we identified more malicious samples linked to this campaign based on common command servers and repositories.\r\nLet’s sum up by highlighting the notable features of this campaign and other similar ones:\r\n1. The attack techniques remain relatively consistent over time, with only minor modifications. Despite this, the attackers are successfully achieving their objectives.\r\n2. The attackers occasionally pause their activity, only to return with a new wave of attacks after a certain period.\r\n3. The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim’s device and crafting targeted phishing emails.\r\nTo protect against such attacks, organizations need a comprehensive security solution that provides proactive threat hunting, 24/7 monitoring, and incident detection. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. 
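One concrete hunting check for the indicators in this report, as an added example and not code from Kaspersky's article: refang the defanged command-server domains listed in the IOC section below, then match DNS query names against that set, including subdomains of the listed hosts and regardless of letter case. The domain list is copied from this page; the resolver log format and the log lines are constructed for the example, so adapt the field split to your own resolver's output.

```python
# Defanged command-server domains as listed in the IOC section of this report
# (the list itself is copied from the page; everything else here is constructed).
DEFANGED_IOCS = '''
testdomain123123[.]shop
averageorganicfallfaw[.]shop
distincttangyflippan[.]shop
macabrecondfucews[.]shop
greentastellesqwm[.]shop
stickyyummyskiwffe[.]shop
sturdyregularrmsnhw[.]shop
lamentablegapingkwaq[.]shop
innerverdanytiresw[.]shop
standingcomperewhitwo[.]shop
uniedpureevenywjk[.]shop
spotlessimminentys[.]shop
specialadventurousw[.]shop
stronggemateraislw[.]shop
willingyhollowsk[.]shop
handsomelydicrwop[.]shop
softcallousdmykw[.]shop
'''

# Constructed resolver log: timestamp, client IP, queried name, record type.
DNS_LOG = '''
2025-01-16T09:12:03Z 10.0.4.21 login.microsoftonline.com A
2025-01-16T09:12:41Z 10.0.4.21 testdomain123123.shop A
2025-01-16T09:13:05Z 10.0.7.8 cdn.averageorganicfallfaw.shop AAAA
2025-01-16T09:13:30Z 10.0.4.21 INNERVERDANYTIRESW.SHOP. A
2025-01-16T09:14:02Z 10.0.9.3 updates.example.org A
'''


def refang(indicator):
    '''Convert a defanged indicator (hxxp, [.] and friends) into a plain
    lower-case hostname suitable for exact comparison.'''
    value = indicator.strip().lower()
    for prefix in ('hxxps://', 'hxxp://', 'https://', 'http://'):
        if value.startswith(prefix):
            value = value[len(prefix):]
    for defang, plain in (('[.]', '.'), ('(.)', '.'), ('[dot]', '.'), ('{.}', '.')):
        value = value.replace(defang, plain)
    return value.split('/', 1)[0].rstrip('.')   # keep only the host part


def load_iocs(text):
    '''Build a set of refanged hostnames from one indicator per line.'''
    return {refang(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')}


def match_ioc(qname, iocs):
    '''Return the IOC that qname or one of its parent domains equals, else None.
    Walking up the labels catches cdn.<c2> while never matching the bare TLD.'''
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(log_text, iocs):
    '''Scan whitespace-separated log lines; return (time, client, qname, ioc) hits.'''
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, _qtype = parts[:4]
        ioc = match_ioc(qname, iocs)
        if ioc is not None:
            hits.append((ts, client, qname, ioc))
    return hits


if __name__ == '__main__':
    for hit in hunt(DNS_LOG, load_iocs(DEFANGED_IOCS)):
        print(hit)
```

The parent-domain walk matters more than it looks: the first-stage URL in this report used a bare domain, but a stealer operator can put a C2 behind any label, and an exact-string match would miss it. The same refang and match functions apply to proxy and firewall logs once the hostname field is extracted.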
The campaigns in this article rely on phishing emails as the initial attack vector, highlighting the importance of regular employee training and awareness programs for corporate security.\r\nIndicators of compromise\r\nFile hashes (MD5)\r\nImplants\r\nf8df6cf748cc3cf7c05ab18e798b3e91\r\nef8c77dc451f6c783d2c4ddb726de111\r\nde26f488328ea0436199c5f728ecd82a\r\nd4b75a8318befdb1474328a92f0fc79d\r\nba40c097e9d06130f366b86deb4a8124\r\nb0844bb9a6b026569f9baf26a40c36f3\r\n89052678dc147a01f3db76febf8441e4\r\n842f8064a81eb5fc8828580a08d9b044\r\n7c527c6607cc1bfa55ac0203bf395939\r\n75fd9018433f5cbd2a4422d1f09b224e\r\n729c24cc6a49fb635601eb88824aa276\r\n69f6dcdb3d87392f300e9052de99d7ce\r\n5e17d1a077f86f7ae4895a312176eba6\r\n373ebf513d0838e1b8c3ce2028c3e673\r\n351260c2873645e314a889170c7a7750\r\n23ce22596f1c7d6db171753c1d2612fe\r\n0c03efd969f6d9e6517c300f8fd92921\r\n277acb857f1587221fc752f19be27187\r\nPayload\r\nfaa47ecbcc846bf182e4ecf3f190a9f4\r\nd8c6199b414bdf298b6a774e60515ba5\r\n9d3337f0e95ece531909e4c8d9f1cc55\r\n6bd84dfb987f9c40098d12e3959994bc\r\n6396908315d9147de3dff98ab1ee4cbe\r\n1e210fcc47eda459998c9a74c30f394e\r\nfe0438938eef75e090a38d8b17687357\r\nBait files\r\ne0f8d7ec2be638fbf3ddf8077e775b2d\r\ncdd4cfac3ffe891eac5fb913076c4c40\r\nb57b13e9883bbee7712e52616883d437\r\na3f4e422aecd0547692d172000e4b9b9\r\n9871272af8b06b484f0529c10350a910\r\n97b19d9709ed3b849d7628e2c31cdfc4\r\n8e960334c786280e962db6475e0473ab\r\n76e7cbab1955faa81ba0dda824ebb31d\r\n7140dbd0ca6ef09c74188a41389b0799\r\n5c3394e37c3d1208e499abe56e4ec7eb\r\n47765d12f259325af8acda48b1cbad48\r\n3e6cf927c0115f76ccf507d2f5913e02\r\n32da6c4a44973a5847c4a969950fa4c4\r\nMalicious domains\r\ntestdomain123123[.]shop\r\naverageorganicfallfaw[.]shop\r\ndistincttangyflippan[.]shop\r\nmacabrecondfucews[.]shop\r\ngreentastellesqwm[.]shop\r\nstickyyummyskiwffe[.]shop\r\nsturdyregularrmsnhw[.]shop\r\nlamentablegapingkwaq[.]shop\r\ninnerverdanytiresw[.]shop\r\nstandingcomperewhitwo[.]shop\r\nuniedpureevenywjk[.]shop\r\nspotlessimminentys[.]shop\r\nspecialadventurousw[.]shop\r\nstronggemateraislw[.]shop\r\nwillingyhollowsk[.]shop\r\nhandsomelydicrwop[.]shop\r\nsoftcallousdmykw[.]shop\r\nSource: https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/"
	],
	"report_names": [
		"115663"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c6d22751-e854-47de-a33d-2adf0058683e",
			"created_at": "2025-03-03T02:02:00.191696Z",
			"updated_at": "2026-04-10T02:00:04.534478Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [],
			"source_name": "ETDA:Angry Likho",
			"tools": [
				"Lumma Stealer",
				"LummaC2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ce6c9df9-bf82-4e6c-b355-9285463a37c8",
			"created_at": "2025-03-07T02:00:03.792481Z",
			"updated_at": "2026-04-10T02:00:03.818734Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [
				"Sticky Werewolf"
			],
			"source_name": "MISPGALAXY:Angry Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acc19fdf0e1bb046b0d3f6207a6c5453d294c07e.pdf",
		"text": "https://archive.orkl.eu/acc19fdf0e1bb046b0d3f6207a6c5453d294c07e.txt",
		"img": "https://archive.orkl.eu/acc19fdf0e1bb046b0d3f6207a6c5453d294c07e.jpg"
	}
}