Angry Likho: Old beasts in a new forest

Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers.

We’ve identified hundreds of victims of this attack in Russia, several in Belarus, and additional incidents in other countries. We believe that the attackers are primarily targeting organizations in Russia and Belarus, while the other victims were incidental—perhaps researchers using sandbox environments or exit nodes of Tor and VPN networks.

At the beginning of 2024, several cybersecurity vendors published reports on Angry Likho. However, in June, we detected new attacks from this group, and in January 2025, we identified malicious payloads confirming their continued activity at the moment of our research.

Technical details

Initial attack vector

The initial attack vector used by Angry Likho consists of standardized spear-phishing emails with various attachments. Below is an example of such an email containing a malicious RAR archive.

Contents of spear-phishing email inviting the victim to join a videoconference

The archive includes two malicious LNK files and a legitimate bait file.

Bait document from spear-phishing email inviting the victim to join a videoconference

The content of this document is almost identical to the body of the phishing email.

This example illustrates how the attackers gain access to victims’ systems. All these emails (and others like them in our collection) date back to April 2024. We observed no further activity from this group until we discovered an unusual implant, described below. Based on our telemetry, the attackers operate periodically, pausing their activities for a while before resuming with slightly modified techniques.

Previously unknown Angry Likho implant

In June 2024, we discovered a very interesting implant associated with this APT. The implant was distributed under the name FrameworkSurvivor.exe from the following URL:

hxxps://testdomain123123[.]shop/FrameworkSurvivor.exe

This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX). We’ve previously observed this technique in multiple Awaken Likho campaigns.

Below are the contents of the archive, opened using the 7-Zip archiver.

Contents of the malicious SFX archive

The archive contains a single folder, $INTERNET_CACHE, filled with many files without extensions.

Installation script of the self-extracting archive

To understand how the SFX archive infects a system when launched, we had to find and analyze its installation script. The latest versions of 7-Zip do not allow extraction of this script, but it can be retrieved using older versions. We used 7-Zip version 15.05 (the last version supporting extraction of the installation script):

Contents of the malicious SFX archive opened in 7-Zip version 15.05

The installation script was named [NSIS].nsi, and was partially obfuscated.

Obfuscated contents of the installation script

After deobfuscation, we were able to determine its primary purpose:

Deobfuscated installation script from the malicious SFX implant

The script searches for the folder on the victim’s system using the $INTERNET_CACHE macro, extracts all the files from the archive into it, renames the file “Helping” to “Helping.cmd”, and executes it.

Helping.cmd command file

Below are the contents of the Helping.cmd file:

Contents of the Helping.cmd file

This file is heavily obfuscated, with several meaningless junk lines inserted between each actual script command. Once deobfuscated, the script’s logic becomes clear. Below is the code, with some lines modified for readability:

Deobfuscated Helping.cmd

The Helping.cmd script launches a legitimate AutoIt interpreter (Child.pif) with the file i.a3x as a parameter. The i.a3x file contains a compiled AU3 script. With that in mind, we can assume that this script implements the core logic of the malicious implant.

AU3 script

To recover the original AU3 file used when creating the i.a3x file, we created a dummy executable with a basic AutoIt script, swapped its content with i.a3x, and used a specialized tool to extract the original AU3 script.
We ended up with the original AU3 file:

Restored AU3 script

The script is heavily obfuscated, with all strings encrypted. After deobfuscating and decrypting the code, we analyzed it. The script begins with a few verification procedures:

The AU3 script checks the environment

The script checks for artifacts associated with emulators and research environments of security vendors. If a match is found, it either terminates or executes with a 10,000 ms delay to evade detection.

Interestingly, we’ve seen similar checks in the Awaken Likho implants. This suggests that the attackers behind these two campaigns share the same technology or are the same group using different tools for different targets and tasks.

The script next sets an error-handling mode by calling SetErrorMode() from the kernel32.dll with the flags SEM_NOALIGNMENTFAULTEXCEPT, SEM_NOGPFAULTERRORBOX, and SEM_NOOPENFILEERRORBOX, thus hiding system error messages and reports. If this call fails, the script terminates.

Afterward, the script deletes itself from disk by calling FileDelete(“i”) and generates a large text block, as shown below.

Code for generating “shellcode”

This block is presumably shellcode that will be loaded into memory and executed. However, it is also packed and encrypted. Once unpacked and decrypted, the AU3 script attempts to inject the malicious payload into the legitimate AutoIt process.

Final activity of the AU3 script

Main payload

To obtain the shellcode, we saved a dump of the decrypted and unpacked payload once the AU3 malicious script had fully processed it. After removing unnecessary bytes from the dump, we recovered the original payload of the attack. It turned out to be not shellcode but a full-fledged MZ PE executable file.

The decrypted and unpacked payload—an MZ PE file

Our products detect this payload with the following verdicts:

HEUR:Trojan.MSIL.Agent.pef
HEUR:Trojan.Win32.Generic

We examined this payload and concluded that it is the Lumma Trojan stealer (Trojan-PSW.Win32.Lumma).

The Lumma stealer gathers system and installed software information from the compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs. It also steals data from 11 browsers, including Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, Mozilla Firefox and Waterfox, as well as cryptocurrency wallets such as Binance and Ethereum. Additionally, it exfiltrates data from cryptowallet browser extensions (MetaMask) and authenticators (Authenticator), along with information from applications such as the remote access software AnyDesk and the password manager KeePass.

Command servers

This sample contains encoded and encrypted addresses of command servers. Using a simple decryption procedure in the executable file code, we restored the original domain names used as command servers.

averageorganicfallfaw[.]shop
distincttangyflippan[.]shop
macabrecondfucews[.]shop
greentastellesqwm[.]shop
stickyyummyskiwffe[.]shop
sturdyregularrmsnhw[.]shop
lamentablegapingkwaq[.]shop
Innerverdanytiresw[.]shop
standingcomperewhitwo[.]shop

By identifying the command server names from this malware variant, we were able to identify other related samples. As a result, we discovered over 60 malicious implants. Some of them had the same payload, and we managed to find additional attacker-controlled command servers (the addresses listed below were used in the identified samples alongside the original command servers):

uniedpureevenywjk[.]shop
spotlessimminentys[.]shop
specialadventurousw[.]shop
stronggemateraislw[.]shop
willingyhollowsk[.]shop
handsomelydicrwop[.]shop
softcallousdmykw[.]shop

We’re convinced that the main objectives of this APT group are to steal sensitive data using stealers and establish full control over infected machines via malicious remote administration utilities.

New activity

We’ve been tracking the attacks of this campaign since June 2024. However, in January 2025, the attackers showed a new surge in activity, as reported by our colleagues from F6 (previously known as F.A.C.C.T.). We analyzed the indicators of compromise they published and identified signs of a potential new wave of attacks, likely in preparation since at least January 16, 2025:

Files found in Angry Likho’s payload repositories

We managed to download malicious files hosted in repositories seen in the January Angry Likho attack while they were still accessible. Analysis of the files test.jpg and test2.jpg revealed that they contained the same .NET-based payload, encoded using Base64. Last year, we documented Angry Likho attacks that used image files containing malicious code. Moreover, the filenames match those of the samples we recently discovered.

This further confirms that the Angry Likho group, responsible for these attacks, remains an active threat. We are continuing to monitor this threat and providing up-to-date cyber intelligence data about it and the TTPs used by the group.

Victims

At the time of our investigation, our telemetry data showed hundreds of victims in Russia and several in Belarus. Most of the SFX archives had filenames and bait documents in Russian, thematically linked to government institutions in Russia. These institutions and their contractors are the primary targets of this campaign.

Attribution

We attribute this campaign to the APT group Angry Likho with a high degree of confidence. It shares certain similarities with findings from our colleagues at BI.ZONE and F6, as well as previous attacks by the group:

The same initial implant structure (an archive with similar contents, sent in an email).
Similar bait documents with the same naming patterns and themes, mostly written in Russian.
Command files and AutoIt scripts used to install the implant are obfuscated similarly. Newer versions contain more sophisticated installation scripts, with extra layers of obfuscation to complicate analysis.
The implant described in this report contains a known payload—the Lumma stealer (Trojan-PSW.Win32.Lumma). We have not previously seen this tool used in Angry Likho campaigns, but earlier attacks showed similar data exfiltration tactics, suggesting the group is still targeting cryptowallet files and user credentials.

Conclusion

We are continuing to monitor the activity of the Angry Likho APT, which targets Russian organizations. The group’s latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files. As before, the complex infection chain was contained in a self-extracting archive distributed via email. We believe that the attackers crafted spear-phishing emails tailored to specific users, attaching bait files designed to attract their interest. Additionally, we identified more malicious samples linked to this campaign based on common command servers and repositories.
Let’s sum up by highlighting the notable features of this campaign and other similar ones:

The attack techniques remain relatively consistent over time, with only minor modifications. Despite this, the attackers are successfully achieving their objectives.
The attackers occasionally pause their activity, only to return with a new wave of attacks after a certain period.
The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim’s device and crafting targeted phishing emails.

To protect against such attacks, organizations need a comprehensive security solution that provides proactive threat hunting, 24/7 monitoring, and incident detection. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. The campaigns in this article rely on phishing emails as the initial attack vector, highlighting the importance of regular employee training and awareness programs for corporate security.

Indicators of compromise

File hashes