Angry Likho
Angry Likho is an APT group tracked since 2023 and referred to by some vendors as Sticky Werewolf. Researchers place it within the broader Likho malicious activity cluster because of strong similarities to Awaken Likho. The group conducts targeted attacks with compact infrastructure and a limited implant set, focusing on employees of large organizations, including government agencies and contractors. Based on telemetry and victimology, Angry Likho primarily targets organizations in Russia and Belarus, with hundreds of victims identified in Russia, several in Belarus, and additional incidental victims in other countries. Researchers inferred that the operators are likely native Russian speakers because the bait files are written in fluent Russian.
Angry Likho uses standardized spear-phishing emails with malicious attachments as its initial access vector. Observed lures include self-extracting archives and phishing archives containing malicious LNK files alongside legitimate bait documents. In a June 2024 case, the group distributed a payload as FrameworkSurvivor.exe, an NSIS self-extracting archive that unpacked files into the victim's $INTERNET_CACHE folder, renamed one of them to Helping.cmd, and executed it. The CMD stage was heavily obfuscated and launched a legitimate AutoIt interpreter with a compiled AutoIt script implementing the core malicious logic. That script performed anti-analysis checks for emulator and security-research artifacts, delayed execution to evade detection, suppressed system error reporting via SetErrorMode, deleted itself from disk, generated an encrypted and packed payload, and attempted to inject it into a legitimate AutoIt process. Researchers recovered the final payload and identified it as the Lumma stealer.
In this campaign, Lumma collected system information, installed-software data, cookies, usernames, passwords, banking card numbers, and connection logs, and targeted data from multiple browsers including Chrome, Chromium, Edge, Firefox, Waterfox, Brave, Vivaldi, Opera variants, and Kometa. It also stole data from Binance and Ethereum wallets, MetaMask browser extensions, authenticator applications, AnyDesk, and KeePass. Researchers recovered multiple command-and-control domains and, by pivoting on shared infrastructure, identified more than 60 related malicious implants. They also detected continued Angry Likho activity in June 2024 and additional payloads in January 2025, including Base64-encoded .NET payloads hidden in image files. Attribution to Angry Likho was made with high confidence based on shared implant structure, Russian-language bait themes, similarly obfuscated command files and AutoIt scripts, and overlapping tactics with prior campaigns and with reporting from BI.ZONE and F6. Known aliases and related naming: Sticky Werewolf; researchers link the group to the broader Likho cluster and note its strong resemblance to Awaken Likho.
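The execution chain above (NSIS self-extractor writes into the Internet cache, runs a renamed .cmd, which launches an AutoIt interpreter with a compiled script) leaves a distinctive parent/child process pattern that endpoint telemetry can catch before the Lumma payload is injected. The following detection sketch is an added example for this page, not code from Mallory, the referenced researchers, or any vendor. The process events are constructed sample data; the `INetCache` path is assumed to be the on-disk folder that NSIS's `$INTERNET_CACHE` resolves to on current Windows builds, and the field names (`pid`, `ppid`, `image`, `cmdline`) are a hypothetical schema rather than any particular EDR's format.

```python
"""Flag the cmd.exe -> AutoIt3.exe chain running out of the Internet cache.

Added illustration, not the page's or any vendor's code. All events below are
constructed sample data; the INetCache location for $INTERNET_CACHE is an
assumption about the on-disk path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that started
    cmdline: str   # command line as logged


# Constructed process-creation events (hypothetical user "u").
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # NSIS self-extractor launched from Downloads (name taken from the report).
    ProcEvent(200, 100, r"C:\Users\u\Downloads\FrameworkSurvivor.exe",
              "FrameworkSurvivor.exe"),
    # The extracted, renamed command file executed from the Internet cache.
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\Helping.cmd"'),
    # Legitimate AutoIt interpreter, but dropped into the cache with a compiled script.
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\AutoIt3.exe",
              r'AutoIt3.exe "C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\update.a3x"'),
    # Benign control: an admin running AutoIt from its normal install location.
    ProcEvent(500, 100, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r"AutoIt3.exe C:\scripts\backup.au3"),
]

CACHE_DIR = re.compile(r"\\INetCache\\", re.IGNORECASE)
AUTOIT_IMAGE = re.compile(r"\\autoit3(?:_x64)?\.exe$", re.IGNORECASE)
SCRIPT_ARG = re.compile(r"\.(?:a3x|au3)\b", re.IGNORECASE)
CMD_SCRIPT_ARG = re.compile(r"\.(?:cmd|bat)\b", re.IGNORECASE)


def lineage(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 5) -> str:
    """Render 'child <- parent <- grandparent' using image basenames."""
    names = []
    cur = by_pid.get(pid)
    while cur is not None and len(names) < max_depth:
        names.append(cur.image.rsplit("\\", 1)[-1])
        cur = by_pid.get(cur.ppid)
    return " <- ".join(names)


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per suspicious event, ordered by pid.

    Rule 1: cmd.exe executing a .cmd/.bat that lives in the Internet cache.
    Rule 2: an AutoIt interpreter whose image, script argument, or parent
            command file sits in the Internet cache.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in sorted(events, key=lambda ev: ev.pid):
        reasons = []
        image_lc = e.image.lower()
        if image_lc.endswith("\\cmd.exe") and CACHE_DIR.search(e.cmdline) \
                and CMD_SCRIPT_ARG.search(e.cmdline):
            reasons.append("cmd_running_script_from_internet_cache")
        if AUTOIT_IMAGE.search(e.image):
            if CACHE_DIR.search(e.image):
                reasons.append("autoit_interpreter_in_internet_cache")
            if CACHE_DIR.search(e.cmdline) and SCRIPT_ARG.search(e.cmdline):
                reasons.append("autoit_script_in_internet_cache")
            parent = by_pid.get(e.ppid)
            if parent and parent.image.lower().endswith("\\cmd.exe") \
                    and CACHE_DIR.search(parent.cmdline):
                reasons.append("autoit_spawned_by_cmd_running_cache_script")
        if reasons:
            findings.append({"pid": e.pid, "lineage": lineage(by_pid, e.pid),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["lineage"], ", ".join(f["reasons"]))
```

The benign control (pid 500) is deliberately an AutoIt launch that must not fire: the interpreter itself is legitimate software, so the signal is the location it runs from and who started it, not the binary. In production the same logic maps onto a Sigma rule keyed on `Image`, `ParentImage`, and `CommandLine` containing `\INetCache\`, with the lineage string kept for triage.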
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
- 🇧🇾 Belarus
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
18 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
56 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Referenced as a prominent threat actor group that has used the Lumma infostealer.
Targeted spear-phishing campaign against employees of large organizations, especially Russian government institutions and contractors, using self-extracting archives, obfuscated AutoIt-based implants, and Lumma stealer to steal credentials, banking data, and cryptowallet information.