Angry Likho APT Emerges Again, Launching Lumma Stealer Attacks Targeting Russia

Researchers at Kaspersky's Securelist have recently spotlighted the resurgence of a cyber-espionage group they track as Angry Likho APT, known to other vendors as Sticky Werewolf. The group has stepped up its attacks, which predominantly target organisations in Russia and Belarus.

Active since 2023, Angry Likho APT shares tactics and procedures with a previously tracked group, Awaken Likho. The resurfaced group is linked to intrusions at government institutions and major corporate contractors in the region. Its modus operandi is highly focused spear-phishing aimed at employees of significant entities, such as government agencies and their service providers.

The group's phishing emails are carefully crafted and deliver malicious RAR archives that contain harmful Windows shortcut (LNK) files alongside ostensibly benign decoy documents. When the recipient extracts the archive and opens the shortcut, a multi-stage infection chain starts that ultimately deploys the Lumma Stealer malware.

The phishing content is written in fluent Russian, which suggests the operators are native speakers. While most victims are located in Russia and Belarus, there are isolated cases of incidental victims in other countries, potentially including security researchers and users of Tor and VPN services.

In June 2024, Securelist analysed a new implant associated with Angry Likho APT, FrameworkSurvivor.exe. It is a self-extracting archive built with the legitimate Nullsoft Scriptable Install System (NSIS): when run, it unpacks its contents into a folder named $INTERNET_CACHE (an NSIS path constant) and then executes Helping.cmd, a heavily obfuscated batch script, which in turn launches a malicious AutoIt script that injects Lumma Stealer into the targeted system.
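The chain just described (self-extracting archive, then an obfuscated command file run from the cache folder, then an AutoIt interpreter) lends itself to a process-tree detection. The Python below is an added example written for this article, not code from Securelist or from the malware: it applies a parent-child rule to constructed Sysmon-style process-creation events. The INetCache path, the user name, the PIDs and the AutoIt3.exe binary name are assumptions; the real dropper may rename the interpreter, which is why the rule also looks for AutoIt script extensions on the child's command line.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (hypothetical PIDs, user name
# and paths). They model the chain described above: NSIS self-extracting archive,
# then cmd.exe running Helping.cmd from the cache folder, then an AutoIt interpreter.
# The INetCache location and the AutoIt3.exe name are assumptions, not values
# taken from the report.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 2200,
     "image": r"C:\Users\victim\Downloads\FrameworkSurvivor.exe",
     "cmdline": r'"C:\Users\victim\Downloads\FrameworkSurvivor.exe"'},
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\Helping.cmd"'},
    {"pid": 4140, "ppid": 4120,
     "image": r"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe payload.a3x"},
    # Benign noise: an operator running a build script from a normal location.
    {"pid": 5000, "ppid": 2200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\build.cmd"'},
    {"pid": 5010, "ppid": 5000,
     "image": r"C:\Tools\msbuild.exe",
     "cmdline": r"msbuild.exe all"},
]

# Folders an installer or browser writes to; a .cmd executing from here is suspicious.
CACHE_DIRS = re.compile(r"\\(INetCache|Temp|Temporary Internet Files)\\", re.IGNORECASE)
# First .cmd/.bat path on the cmd.exe command line.
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:cmd|bat))"?', re.IGNORECASE)
# AutoIt interpreter by image name, or an AutoIt script extension on the command line.
AUTOIT_HINT = re.compile(r"autoit|\.a3x\b|\.au3\b", re.IGNORECASE)


def _basename(path):
    return ntpath.basename(path).lower()


def find_sfx_cmd_autoit_chains(events):
    """Return one record per cmd.exe that runs a .cmd/.bat from a cache folder
    and has an AutoIt-looking child. The record names the dropper (cmd.exe's
    parent image), the cmd.exe PID, the script path and the AutoIt child's PID."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for e in events:
        if _basename(e["image"]) != "cmd.exe":
            continue
        m = SCRIPT_ARG.search(e["cmdline"])
        if not m or not CACHE_DIRS.search(m.group(1)):
            continue
        for child in children[e["pid"]]:
            if AUTOIT_HINT.search(child["image"]) or AUTOIT_HINT.search(child["cmdline"]):
                parent = by_pid.get(e["ppid"])
                hits.append({
                    "dropper": parent["image"] if parent else None,
                    "cmd_pid": e["pid"],
                    "script": m.group(1),
                    "autoit_pid": child["pid"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_sfx_cmd_autoit_chains(SAMPLE_EVENTS):
        print(hit)
```

The rule deliberately keys on the middle stage (a batch file executing out of a cache or temp folder) rather than on the file names FrameworkSurvivor.exe or Helping.cmd, which an operator can change at will; the benign build-script events show that the cache-folder condition is what keeps the rule from firing on ordinary cmd.exe usage.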

Lumma Stealer is designed to extract sensitive information from compromised devices. It collects system data, details of installed software and personal information, including cookies, usernames, passwords and banking details. It also targets data stored by major web browsers such as Chrome, Firefox and Opera, as well as cryptocurrency wallets and browser extensions such as MetaMask and Authenticator.

More recent activity disclosed by the Russian cybersecurity firm F6 (formerly F.A.C.C.T.) shows that Angry Likho APT remains active: reports from January 2025 indicate that the group has used image files, such as test.jpg and test2.jpg, that carry Base64-encoded malicious payloads, a technique already observed in 2024. Analysts have also identified new command-and-control servers linked to Angry Likho, including ones named averageorganicfallfawshop and distincttangyflippanshop. Further investigation of these servers turned up more than 60 malicious implants, suggesting the group is expanding its infrastructure to stay ahead of analysis and detection.
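One way an image file can carry a Base64 payload is to append it after the JPEG End-Of-Image marker, which viewers ignore; the article does not say where in test.jpg and test2.jpg the payload sat, so the placement is an assumption here. The Python below is an added example, not code from F6 or Kaspersky: it builds a constructed JPEG-like file with a harmless stand-in payload Base64-encoded after the EOI marker, then recovers and decodes that trailer, returning nothing for non-JPEG input, for files with no trailer, for trailers shorter than an assumed 64-character threshold, and for trailers that are not valid Base64.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"  # Start Of Image
JPEG_EOI = b"\xff\xd9"  # End Of Image; decoders stop here, so appended bytes are ignored
_B64_TRAILER = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}")


def extract_trailing_base64(data, min_len=64):
    """Return the decoded bytes appended after a JPEG's final EOI marker, or None
    when the input is not a JPEG, has no trailer, the trailer is shorter than
    min_len (assumed threshold that skips short junk), or it is not valid Base64."""
    if not data.startswith(JPEG_SOI):
        return None
    # Base64 text is pure ASCII, so an appended blob can never contain FF D9;
    # the last EOI in the file is therefore the real end of the image.
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        return None
    trailer = data[eoi + len(JPEG_EOI):].strip()
    if len(trailer) < min_len or not _B64_TRAILER.fullmatch(trailer):
        return None
    try:
        return base64.b64decode(trailer)
    except ValueError:  # binascii.Error is a ValueError subclass: bad length or padding
        return None


def build_sample_jpeg(payload):
    """Constructed JPEG-like container (SOI, minimal JFIF APP0 segment, EOI) with
    `payload` Base64-encoded and appended after the EOI marker; not a real image."""
    app0_body = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
    app0 = b"\xff\xe0" + (len(app0_body) + 2).to_bytes(2, "big") + app0_body
    return JPEG_SOI + app0 + JPEG_EOI + base64.b64encode(payload)


# Constructed, harmless stand-in for the Base64 payload; nothing here is real malware.
SAMPLE_PAYLOAD = b"CONSTRUCTED STAND-IN PAYLOAD (not real malware) " * 4


def scan(name, data):
    """Classify one file for a quick triage listing: (name, verdict, decoded size)."""
    payload = extract_trailing_base64(data)
    if payload is None:
        return (name, "clean-or-no-trailer", 0)
    return (name, "base64-trailer", len(payload))


if __name__ == "__main__":
    for name, blob in [("test.jpg", build_sample_jpeg(SAMPLE_PAYLOAD)),
                       ("photo.jpg", build_sample_jpeg(b""))]:
        print(scan(name, blob))
```

In practice the decoded trailer is what gets handed to further triage (file-type identification, string extraction, detonation); a Base64 trailer on an image that is otherwise valid is a strong enough signal on its own to quarantine the file.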

The research shows that Angry Likho APT keeps a consistent operational pattern with only incremental adjustments. The core elements of its attacks, targeted phishing emails, self-extracting archives and the deployment of data-stealing malware, remain largely unchanged, pointing to a well-defined and methodical approach to cyber espionage. Mapping these tactics to the MITRE ATT&CK framework helps defenders understand how such attacks unfold and where they can be mitigated.
