Researchers at Kaspersky’s Securelist have reported the reemergence of a cyber espionage group tracked as Angry Likho APT (also tracked as Sticky Werewolf by some security vendors), which is launching a new wave of cyberattacks aimed primarily at organizations in Russia and Belarus. The group, active since 2023, shares similarities with the previously analyzed Awaken Likho group and is associated with attacks against government agencies and large corporate contractors in Russia and parts of Belarus.
Angry Likho APT has a history of sending highly targeted spear-phishing emails to employees of large organizations, including government agencies and their contractors. The emails carry malicious RAR archives that bundle Windows shortcut (LNK) files with seemingly harmless decoy documents. Once the shortcut is opened, a multi-stage infection chain runs and ultimately deploys the Lumma information stealer. The phishing emails and bait files are written in fluent Russian, which suggests the operators are native Russian speakers. While most victims are located in Russia and Belarus, a few incidental victims in other countries, possibly researchers or users of Tor and VPN networks, have also been identified.
In June 2024, researchers at Securelist discovered a new implant associated with Angry Likho APT called FrameworkSurvivor.exe. The implant is built with the legitimate Nullsoft Scriptable Install System (NSIS) and behaves as a self-extracting archive (SFX). On execution it extracts its files into the folder referenced by the NSIS variable $INTERNET_CACHE and launches a heavily obfuscated batch script, Helping.cmd. That script in turn runs a malicious AutoIt script, which injects the Lumma stealer into memory on the host. Because every stage after the SFX is executed by a legitimate interpreter (cmd.exe and AutoIt), detection has to key on the unusual launch location and the parent-child process chain rather than on the interpreter binaries themselves.
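The chain described above (dropper, cache-resident .cmd, AutoIt interpreter) is a natural fit for a process-ancestry rule. The following is an added example and not Kaspersky's or the group's code: it runs a simple ancestry check over constructed, Sysmon-Event-1-style process-creation records. The field names, the assumption that $INTERNET_CACHE resolves to a path containing `\INetCache\`, and all paths and PIDs in the sample records are assumptions made for the example.

```python
"""Flag the NSIS SFX -> Helping.cmd -> AutoIt launch chain from process-creation events.

Added example; the event shape is a simplified, constructed Sysmon Event ID 1 style record
and the field names are assumptions, not a real log format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the newly created process
    cmdline: str   # its command line


# Assumption: on a current Windows profile, NSIS $INTERNET_CACHE lands under ...\INetCache\.
INETCACHE_RE = re.compile(r"\\INetCache\\", re.IGNORECASE)
# First quoted-or-bare Windows path ending in .cmd/.bat on the command line.
CMD_SCRIPT_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:cmd|bat))"?', re.IGNORECASE)
AUTOIT_IMAGE_RE = re.compile(r"\\AutoIt3(?:_x64)?\.exe$", re.IGNORECASE)
AUTOIT_SCRIPT_RE = re.compile(r"\.(?:a3x|au3)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_inetcache_cmd(e: ProcEvent) -> bool:
    """cmd.exe running a .cmd/.bat that lives inside the Internet cache folder."""
    if basename(e.image) != "cmd.exe":
        return False
    m = CMD_SCRIPT_RE.search(e.cmdline)
    return bool(m and INETCACHE_RE.search(m.group(1)))


def is_autoit_launch(e: ProcEvent) -> bool:
    """AutoIt interpreter by image name, or any process handed an AutoIt script.

    A renamed interpreter would slip past the image-name check; pairing this with a
    PE-hash or original-filename lookup is left to the reader (not shown here).
    """
    return bool(AUTOIT_IMAGE_RE.search(e.image) or AUTOIT_SCRIPT_RE.search(e.cmdline))


def find_chain(events, max_depth: int = 3):
    """Return one hit per AutoIt launch whose ancestry (within max_depth hops) contains
    a cache-resident .cmd stage; each hit names the dropper that spawned that cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not is_autoit_launch(e):
            continue
        cur, depth = by_pid.get(e.ppid), 0
        while cur is not None and depth < max_depth:
            if is_inetcache_cmd(cur):
                dropper = by_pid.get(cur.ppid)
                hits.append({"autoit_pid": e.pid, "cmd_pid": cur.pid,
                             "dropper": dropper.image if dropper else None})
                break
            cur, depth = by_pid.get(cur.ppid), depth + 1
    return hits


# Constructed sample records (not real telemetry); one malicious chain plus one benign .cmd run.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\u\Downloads\FrameworkSurvivor.exe", "FrameworkSurvivor.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\Helping.cmd"'),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\AutoIt3.exe",
              r'AutoIt3.exe "C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\script.a3x"'),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Tools\build.cmd"),
]

if __name__ == "__main__":
    for hit in find_chain(EVENTS):
        print(hit)
```

The rule deliberately walks up to three ancestors rather than requiring a direct parent, since an intermediate conhost or a second cmd.exe hop would otherwise break the match; tune `max_depth` to the noise level of your own telemetry.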
The Lumma stealer harvests sensitive data from infected devices: system information, details of installed software, and personal data such as cookies, usernames, passwords, bank card numbers, and connection logs. It also targets data from popular browsers including Chrome, Firefox, and Opera, as well as cryptocurrency wallets and browser extensions such as MetaMask and Authenticator.
In January 2025, Russian cybersecurity firm F6 (previously F.A.C.C.T.) reported new Angry Likho APT attacks that delivered Base64-encoded malicious payloads inside image files, a tactic the group had already used in 2024. Researchers also identified several new command-and-control servers used by the group, including the domains averageorganicfallfaw[.]shop and distincttangyflippan[.]shop. Analysis of these servers turned up more than 60 malicious implants, some of which carry the same final payload, indicating that the group is actively expanding its infrastructure to evade detection.
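Image files that carry a Base64 payload are a cheap way past filters that only inspect the file's declared type. The following is an added example and not F6's, Kaspersky's, or the group's code: it walks the PNG chunk structure (or finds the JPEG end-of-image marker), treats whatever follows the image's last structural element as a trailer, and decodes any long Base64 run found there. The assumption that the payload is appended after the image's end marker, the constructed one-pixel PNG, and the fake "MZ" payload are all assumptions made for the example; a real carrier could also hide the data elsewhere in the file.

```python
"""Extract Base64-encoded data appended after the end of a PNG or JPEG image.

Added example, not code from the report. Assumption: the payload sits in the trailer
after IEND (PNG) or after the EOI marker (JPEG); the sample image is constructed here.
"""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of at least 64 Base64 characters (line breaks allowed inside the run).
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def image_trailer(data: bytes) -> bytes:
    """Return the bytes that follow the image's end marker, or b'' if there are none."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            end = pos + 12 + length          # 4 length + 4 type + data + 4 crc
            if ctype == b"IEND":
                return data[end:]
            pos = end
        return b""                           # truncated PNG: no IEND reached
    if data.startswith(JPEG_SOI):
        # Base64 is pure ASCII, so the last FF D9 in the file is the real end-of-image marker.
        i = data.rfind(JPEG_EOI)
        return data[i + 2:] if i != -1 else b""
    return b""


def extract_b64_payloads(data: bytes) -> list:
    """Decode every valid Base64 run found in the trailer; invalid runs are skipped."""
    found = []
    for m in B64_RUN.finditer(image_trailer(data)):
        blob = re.sub(rb"\s", b"", m.group(0))
        try:
            found.append(base64.b64decode(blob, validate=True))
        except ValueError:                   # binascii.Error is a ValueError subclass
            continue
    return found


def triage(data: bytes) -> list:
    """Summarize each recovered payload: size and whether it starts with a PE 'MZ' header."""
    return [{"size": len(p), "pe_header": p[:2] == b"MZ"} for p in extract_b64_payloads(data)]


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample() -> tuple:
    """Constructed carrier: a minimal PNG (IHDR + IEND only) with a fake PE-like blob
    appended as Base64. Returns (carrier_bytes, original_payload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    png = PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")
    fake_payload = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode."
    return png + b"\n" + base64.b64encode(fake_payload) + b"\n", fake_payload


if __name__ == "__main__":
    carrier, _ = build_sample()
    print(triage(carrier))
```

Parsing the chunk table instead of searching the whole file for Base64 keeps false positives down on real images, whose compressed IDAT data rarely forms a 64-character run from the Base64 alphabet, and makes "structure ends here, but bytes continue" itself a reportable anomaly even when the trailer does not decode.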
Despite these developments, the research indicates that Angry Likho APT operates in a consistent manner with only minor variations in tactics. Its approach remains built on targeted phishing emails, self-extracting archives, and a final payload that steals sensitive data. The group's persistence and incremental adaptation are a reminder that such espionage operations rarely need novel tooling to remain effective.