Angry Likho APT Resurfaces with Lumma Stealer Attacks Against Russia


Cybersecurity researchers at Kaspersky's Securelist have discovered that a cyber espionage group referred to as Angry Likho APT (also known as Sticky Werewolf by some security vendors) has reemerged with a new wave of cyberattacks, primarily targeting organizations in Russia and Belarus.

This group, which has been active since 2023, shares similarities with the previously analyzed Awaken Likho group, and is linked to cyberattacks against government agencies and large corporate contractors in Russia and parts of Belarus.

Who Are They Targeting?

Angry Likho APT has a history of sending highly targeted spear-phishing emails, focusing on employees of large organizations, including government agencies and their contractors. These messages contain malicious RAR archives that bundle harmful shortcut files together with an apparently harmless document.

Once opened, the archive triggers a complex infection chain, ultimately deploying a stealer malware known as Lumma Stealer.

The group's phishing emails and bait files are written in fluent Russian, suggesting the attackers are likely native Russian speakers. While the vast majority of victims are in Russia and Belarus, some incidental targets have been identified in other countries, possibly researchers or users of Tor and VPN networks.

According to the technical details Securelist put together in its blog post, in June 2024 researchers found a new implant associated with Angry Likho APT, distributed under the name FrameworkSurvivor.exe. This implant, created using the legitimate Nullsoft Scriptable Install System (NSIS), functions as a self-extracting archive (SFX).

Upon execution, it extracts files into a folder named $INTERNET_CACHE and launches a heavily obfuscated command file, Helping.cmd. This file, in turn, executes a malicious AutoIt script, which injects the Lumma stealer into the system.
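As an added example (not from the article or from Securelist), the following Python function flags the chain described above, an SFX dropping an obfuscated .cmd into a $INTERNET_CACHE folder that then launches an AutoIt script, in Sysmon-style process-creation events; the event records, the AutoIt3.exe interpreter name and the .a3x/.au3 script extensions are assumptions for illustration.

```python
"""Flag the NSIS SFX -> $INTERNET_CACHE\\*.cmd -> AutoIt process chain in
process-creation telemetry. All events below are constructed sample data."""
import ntpath

# Assumption: the AutoIt interpreter keeps its default name (AutoIt3.exe) or the
# script keeps an .a3x/.au3 extension; attackers may rename either, so treat these
# as weak signals that only matter together with the .cmd-from-$INTERNET_CACHE parent.
AUTOIT_MARKERS = ("autoit3", ".a3x", ".au3")

SAMPLE_EVENTS = [  # constructed Sysmon-like records, not real telemetry
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\FrameworkSurvivor.exe",
     "cmdline": "FrameworkSurvivor.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\$INTERNET_CACHE\Helping.cmd"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\$INTERNET_CACHE\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\u\AppData\Local\$INTERNET_CACHE\i.a3x"},
    # Benign control: a .cmd run from a normal location with no AutoIt descendant.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\scripts\backup.cmd"'},
]


def find_sfx_cmd_autoit_chains(events):
    """Return one finding per cmd.exe that runs a .cmd from a $INTERNET_CACHE folder
    and has an AutoIt-looking descendant process (any depth)."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        cl = e["cmdline"].lower()
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        if ".cmd" not in cl or "$internet_cache" not in cl:
            continue
        stack = list(children.get(e["pid"], []))  # walk all descendants of this cmd.exe
        while stack:
            child = stack.pop()
            if any(m in (child["image"] + " " + child["cmdline"]).lower() for m in AUTOIT_MARKERS):
                dropper = by_pid.get(e["ppid"])  # the SFX that spawned cmd.exe, if seen
                findings.append({"dropper": ntpath.basename(dropper["image"]) if dropper else None,
                                 "cmd_pid": e["pid"], "autoit_pid": child["pid"]})
                break
            stack.extend(children.get(child["pid"], []))
    return findings


if __name__ == "__main__":
    for finding in find_sfx_cmd_autoit_chains(SAMPLE_EVENTS):
        print("suspicious chain:", finding)
```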

[Figure: phishing emails used in the campaign (via Securelist)]

What Does Lumma Stealer Do?

The Lumma stealer is designed to harvest sensitive data from infected devices. It collects system information, installed software details, and personal data such as cookies, usernames, passwords, bank card numbers, and connection logs. It also targets data from popular browsers like Chrome, Firefox, and Opera, as well as cryptocurrency wallets and extensions like MetaMask and Authenticator.

Recent Activity

In January 2025, Russian cybersecurity firm F6 (formerly F.A.C.C.T.) reported new attacks from Angry Likho APT. These attacks involved image files (e.g., check.jpg and test2.jpg) containing Base64-encoded malicious payloads, a tactic previously observed in 2024.

Researchers also identified several new command servers used by Angry Likho, including domains like averageorganicfallfawshop and distincttangyflippanshop. By analyzing these servers, they uncovered over 60 malicious implants, some of which shared the same payload. This suggests the group is actively expanding its infrastructure to evade analysis and detection.

Nevertheless, the research shows that Angry Likho continues to operate persistently, though in a predictable manner. While they make small changes each time, their approach remains the same: targeted phishing emails, a self-extracting archive, and a final payload designed to steal sensitive data.
