Angry Likho APT Attacks Users to Steal Browser Credentials and Card Data

The advanced persistent threat (APT) group Angry Likho, also known as “Sticky Werewolf,” has intensified its cyberattacks, focusing on stealing sensitive user data such as browser-stored credentials, banking card information, and cryptocurrency wallet details.

This group has been actively targeting employees of large organizations, including government agencies and contractors, primarily in Russia and Belarus.

The attacks have also inadvertently impacted researchers and users of sandbox environments.

Evolving Techniques and Malicious Payloads

Angry Likho’s operations were first observed in 2023, with its tactics evolving over time.

The group employs spear-phishing emails as its primary attack vector, often containing malicious RAR archives.

These archives typically include two harmful LNK files and a legitimate-looking bait document designed to lure victims into executing the malware.

The bait documents are crafted in fluent Russian, suggesting that the attackers are likely native Russian speakers.

In June 2024, Angry Likho introduced a new implant named “FrameworkSurvivor.exe,” distributed via self-extracting (SFX) archives built with the Nullsoft Scriptable Install System (NSIS).

These SFX archives execute obfuscated scripts to extract files onto the victim’s system, launch AutoIt-based scripts, and ultimately deploy the Lumma stealer malware.
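As an added, illustrative example (not code from the original report or from Securelist), the following Python heuristic flags the SFX-to-AutoIt step of this delivery chain in constructed Sysmon-style process-creation records; the event format, field names and file paths are assumptions for the demo.

```python
"""Heuristic detector for the delivery chain described above: an SFX dropper
unpacking into a temp directory and launching an AutoIt interpreter.
Events are constructed Sysmon-style process-creation records, not real telemetry."""
import re

# An NSIS SFX typically unpacks and runs its contents from a temp directory.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
AUTOIT_IMAGE = re.compile(r"autoit3\.exe$", re.IGNORECASE)
AUTOIT_SCRIPT = re.compile(r"\.(?:a3x|au3)\b", re.IGNORECASE)


def is_autoit_launch(ev):
    """True if the process looks like an AutoIt interpreter running a script.
    Heuristic only: a renamed interpreter with a script-less command line is missed."""
    return bool(AUTOIT_IMAGE.search(ev["image"]) or AUTOIT_SCRIPT.search(ev["cmdline"]))


def find_sfx_autoit_chains(events):
    """Return (parent_image, child_image) pairs where an AutoIt launch has a
    parent executing from a temp directory, the footprint an SFX dropper leaves."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if not is_autoit_launch(ev):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent and TEMP_DIR.search(parent["image"]):
            hits.append((parent["image"], ev["image"]))
    return hits


# Constructed sample events; paths, PIDs and the user name are invented.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\FrameworkSurvivor.exe",
     "cmdline": "FrameworkSurvivor.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\abc\AutoIt3.exe",
     "cmdline": "AutoIt3.exe script.a3x"},
    # Benign developer use of AutoIt from its install directory: not flagged.
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\dev\build.au3"},
]

if __name__ == "__main__":
    for parent, child in find_sfx_autoit_chains(SAMPLE_EVENTS):
        print(f"suspicious SFX -> AutoIt chain: {parent} -> {child}")
```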

Figure: Contents of the malicious SFX archive

The Lumma stealer is a powerful data exfiltration tool capable of collecting cookies, usernames, passwords, banking details, and connection logs from 11 popular browsers such as Chrome, Edge, Firefox, and Brave.

It also targets cryptocurrency wallets like Binance and MetaMask, remote access tools like AnyDesk, and password managers like KeePass.

Indicators of Compromise and Command Servers

The malware communicates with attacker-controlled command servers to exfiltrate stolen data.

Investigations revealed over 60 malicious implants connected to domains such as “averageorganicfallfaw[.]shop” and “distincttangyflippan[.]shop.”

These domains are encrypted within the malware code to evade detection.

Recent activity in January 2025 indicates a resurgence of Angry Likho’s campaigns. New payloads encoded in image files were discovered in repositories linked to the group.

Figure: Files found in Angry Likho’s payload repositories

This aligns with their previous techniques of embedding malicious code within seemingly innocuous files.

Securelist researchers attribute these attacks to Angry Likho with high confidence due to shared tactics and tools with earlier campaigns by the related Awaken Likho group.

The attackers rely on publicly available malicious utilities sourced from darknet forums while crafting sophisticated delivery mechanisms for their malware.

Angry Likho’s primary goal remains the theft of sensitive data and establishing control over infected devices.

Their continued activity underscores the need for robust cybersecurity measures, including employee training on phishing threats and proactive threat detection systems.

Organizations are advised to implement comprehensive security solutions capable of detecting complex attack vectors early on to mitigate risks posed by groups like Angry Likho.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.