
New wave of targeted attacks of the Angry Likho APT on Russian organizations

Published 24/02/2025 09:02 · Modified 24/02/2025 09:39


Essential information

Tags
2025-02-24 apt autoit lumma trojan russia stealer targeted attacks
Related entities
30 observables, 1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 3 others

Description

The Angry Likho group has launched a new wave of attacks, aimed primarily at Russian organizations. The group uses spear-phishing emails with malicious attachments as the initial access vector. A previously unknown implant was discovered that uses a self-extracting archive and scripts to deploy the stealer. The malware exfiltrates sensitive data, including browser data, cryptocurrency wallets, and authentication details. Hundreds of victims have been identified, mostly in Russia and Belarus. The group's tactics remain consistent: periodic pauses in activity are followed by new attack waves, and the group relies on readily available malicious utilities rather than developing custom tools.

External references