Angry Likho APT Group Intensifies Cyberattacks: Targeting Credentials, Banking Data, and Crypto Wallets


Cybersecurity researchers have identified an uptick in attacks from the advanced persistent threat (APT) group known as Angry Likho, also referred to as Sticky Werewolf by some analysts. This highly sophisticated cybercriminal group is primarily targeting large organizations, government agencies, and contractors, with a focus on stealing sensitive user data—including browser credentials, banking information, and cryptocurrency wallets.

Operating primarily in Russia and Belarus, Angry Likho employs evolving techniques that make detection and mitigation increasingly difficult. Recent investigations reveal a shift in their attack strategy, including the use of self-extracting archives (SFX) and AutoIt scripts to deploy malware. Their primary tool of choice, the Lumma stealer, is capable of extracting credentials from popular browsers, financial accounts, and password managers.

With a resurgence in January 2025, the group has started embedding payloads in image files, further enhancing their evasion tactics. Security experts strongly advise organizations to implement advanced threat detection solutions and conduct employee training to defend against these persistent cyber threats.

Angry Likho’s Attack Strategies and Recent Developments

Evolving Techniques and Payloads

Angry Likho has been active since 2023, continuously refining its attack methods. The primary vector remains spear-phishing emails, which trick victims into executing malware-laden attachments. These emails often contain malicious RAR archives with:

  • Two harmful LNK files that execute scripts upon opening.
  • A bait document designed to appear legitimate, often written in fluent Russian.

In June 2024, the group introduced a new implant called “FrameworkSurvivor.exe”, which is delivered through self-extracting archives (SFX) built using the Nullsoft Scriptable Install System (NSIS). Once executed, the malware:

1. Extracts obfuscated scripts onto the victim’s system.

2. Runs AutoIt-based scripts to initiate further infection.

3. Deploys Lumma stealer malware to collect credentials and banking details.
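The chain above (spear-phishing RAR, LNK files that launch a script host, an NSIS-built SFX that stages files in a temp directory, then an AutoIt script) leaves a recognisable process lineage in endpoint telemetry even when every file hash is new. The following is an added hunting example, not code from the article, from Kaspersky, or from any vendor product. It runs a handful of behavioural rules over constructed process-creation events. The rules assume that WinRAR extracts double-clicked archive members under `%TEMP%\Rar$...`, that NSIS-built installers stage under `%TEMP%\ns<random>.tmp`, and that AutoIt scripts carry `.au3`/`.a3x` extensions; the file name `setup.exe`, the user `jdoe` and all PIDs are hypothetical.

```python
"""Hunt for the RAR -> LNK -> SFX -> AutoIt delivery chain in process telemetry.

Added example, not code from the original article. Field names mimic a generic
EDR/Sysmon "process create" record; every event below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Assumed staging locations: WinRAR temp dir (Rar$...), NSIS SFX temp dir
# (ns<random>.tmp) and the user's Downloads folder.
STAGING_DIR_RE = re.compile(r"\\(?:Temp\\(?:Rar\$|ns\w+\.tmp)|Downloads\\)", re.IGNORECASE)
# Executables that live *inside* an archive/SFX temp directory.
TEMP_STAGE_RE = re.compile(r"\\Temp\\(?:Rar\$[^\\]*|ns\w+\.tmp)\\", re.IGNORECASE)
# AutoIt interpreter by file name, or a compiled/plain AutoIt script on the command line.
# A renamed interpreter would need the PE OriginalFilename, which this example does not read.
AUTOIT_RE = re.compile(r"(?:\\autoit3\w*\.exe\b|\.(?:au3|a3x)\b)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict, limit: int = 8) -> list:
    """Return [parent, grandparent, ...] as ProcEvents, stopping at unknown PIDs."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur and len(chain) < limit:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(ev: ProcEvent, by_pid: dict) -> list:
    """Return the names of the rules this event trips (empty list if none)."""
    hits = []
    parent = by_pid.get(ev.ppid)
    name = basename(ev.image)
    joined = ev.image + " " + ev.cmdline
    # Rule 1: Explorer (user double-clicked an LNK) spawns a script host whose
    # command line points into an archive-extraction or download directory.
    if (parent and basename(parent.image) == "explorer.exe"
            and name in SCRIPT_HOSTS and STAGING_DIR_RE.search(ev.cmdline)):
        hits.append("lnk_script_host_from_archive")
    # Rule 2: any executable running out of a WinRAR or NSIS SFX temp directory.
    if TEMP_STAGE_RE.search(ev.image):
        hits.append("nsis_sfx_temp_exec")
    # Rule 3: AutoIt interpreter or script launched from a user-writable staging dir.
    if AUTOIT_RE.search(joined) and STAGING_DIR_RE.search(joined):
        hits.append("autoit_from_staging_dir")
    # Rule 4: corroborate with lineage: explorer -> script host -> ... -> this process.
    chain = ancestry(ev, by_pid)
    if (hits and any(basename(p.image) == "explorer.exe" for p in chain)
            and any(basename(p.image) in SCRIPT_HOSTS for p in chain)):
        hits.append("explorer_scripthost_lineage")
    return hits


def hunt(events: list) -> dict:
    """Map pid -> tripped rules for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: evaluate(e, by_pid) for e in events if evaluate(e, by_pid)}


# Constructed telemetry: one benign Explorer child, the malicious chain, and an
# admin PowerShell session started from a terminal (not Explorer).
SAMPLE_EVENTS = [
    ProcEvent(4100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5200, 4100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(5300, 4100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\Rar$DIa1.200\setup.exe"'),
    ProcEvent(5400, 5300, r"C:\Users\jdoe\AppData\Local\Temp\Rar$DIa1.200\setup.exe",
              "setup.exe"),
    ProcEvent(5500, 5400, r"C:\Users\jdoe\AppData\Local\Temp\nsa1F2C.tmp\AutoIt3.exe",
              r"AutoIt3.exe C:\Users\jdoe\AppData\Local\Temp\nsa1F2C.tmp\stage.a3x"),
    ProcEvent(5600, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Rules 1 to 3 each fire on a single event and are individually noisy in a real estate (installers do run from `%TEMP%`); rule 4 is the one worth paging on, because it requires the Explorer-to-script-host lineage that a double-clicked LNK produces. The benign PowerShell session is ignored because its parent is not Explorer and nothing in its command line touches a staging directory.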

Lumma Stealer: A Powerful Data Theft Tool

The Lumma stealer malware is a sophisticated information stealer that:

  • Extracts cookies, usernames, passwords, and banking details from 11 major browsers, including Chrome, Edge, Firefox, and Brave.
  • Targets cryptocurrency wallets such as Binance and MetaMask.
  • Steals credentials from remote access tools like AnyDesk.
  • Compromises password managers like KeePass.

Indicators of Compromise and Command Servers

Angry Likho uses a network of command-and-control (C2) servers to exfiltrate stolen data. Over 60 implants have been identified connecting to malicious domains, including:

  • `averageorganicfallfaw[.]shop`
  • `distincttangyflippan[.]shop`

These domains are stored encrypted inside the malware, so a plain strings scan of the binary will not reveal them; they become visible only at runtime, in sandbox output, or in DNS and proxy logs.
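Because the C2 names are encrypted in the binary, the practical place to match them is network telemetry rather than the file. The following is an added example, not code from the article: it refangs a defanged indicator list (the two domains above) and scans DNS query logs for exact or subdomain matches. The log format is a constructed, dnsmasq-like one-line-per-query layout, and the client IPs and timestamps are invented.

```python
"""Match DNS query logs against a defanged IOC domain list.

Added example, not from the original article. The two indicator domains are the
ones the article lists; the log lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Indicators as published, in defanged form.
IOC_DOMAINS_DEFANGED = [
    "averageorganicfallfaw[.]shop",
    "distincttangyflippan[.]shop",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]shop', 'hxxp://...') back into a real domain."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    for fake_dot in ("[.]", "(.)", "{.}"):
        d = d.replace(fake_dot, ".")
    return d.rstrip(".")


def build_ioc_set(defanged: list) -> set:
    return {refang(d) for d in defanged}


def matches_ioc(qname: str, iocs: set):
    """Return the matching IOC if qname equals it or is a subdomain of it, else None.

    Suffix matching on label boundaries avoids the substring false positive of
    'notdistincttangyflippan.shop' hitting 'distincttangyflippan.shop'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed log: "<timestamp> <client> query[<qtype>] <qname>"
SAMPLE_DNS_LOG = """\
2025-01-14T09:12:03Z 10.0.4.17 query[A] update.microsoft.com
2025-01-14T09:12:05Z 10.0.4.17 query[A] averageorganicfallfaw.shop
2025-01-14T09:12:41Z 10.0.4.22 query[A] cdn.distincttangyflippan.shop
2025-01-14T09:13:02Z 10.0.4.17 query[AAAA] AVERAGEORGANICFALLFAW.SHOP.
2025-01-14T09:13:10Z 10.0.4.30 query[A] notdistincttangyflippan.shop
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query\[(?P<qtype>\w+)\] (?P<qname>\S+)$")


def scan_dns_log(text: str, iocs: set) -> dict:
    """Return {client_ip: [(timestamp, queried_name, matched_ioc), ...]} for hits only."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits[m["client"]].append((m["ts"], m["qname"], ioc))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_DNS_LOG, build_ioc_set(IOC_DOMAINS_DEFANGED)).items():
        for ts, qname, ioc in events:
            print(f"{client} queried {qname} at {ts} (matches {ioc})")
```

A hit on the first query of a brand-new `.shop` domain from a workstation is a strong lead on its own; combined with a process-tree alert from the same host it is close to confirmation of a Lumma infection.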

In January 2025, security researchers uncovered new payloads hidden inside image files, suggesting an evolution of their evasion techniques. This aligns with the group’s past methods of embedding malicious code into seemingly harmless file types.

Attribution and Cybersecurity Measures

Experts attribute these attacks to Angry Likho with high confidence, linking them to the Awaken Likho group based on shared tactics, techniques, and procedures (TTPs). The attackers rely on:

  • Darknet-sourced malware utilities to build their attack tools.
  • Sophisticated delivery mechanisms to avoid detection.

Organizations must implement strong cybersecurity defenses, including:

✅ Employee training on phishing and social engineering threats.
✅ Advanced endpoint detection to monitor for unusual activity.
✅ Proactive threat hunting to identify and block new attack vectors.
✅ Network segmentation to limit the spread of malware in case of an infection.

What Undercode Says: The Implications of Angry Likho’s Activity

Angry Likho’s recent resurgence signals a critical cybersecurity risk, particularly for large organizations, financial institutions, and government agencies. The tactics employed by this group highlight several concerning trends in targeted cybercrime:

1. The Growing Sophistication of Cybercriminals

Angry Likho demonstrates how APT groups continuously refine their techniques, making detection harder than ever. Their ability to:

  • Embed malware inside legitimate-looking files.
  • Encrypt command server addresses within their payloads.
  • Leverage self-extracting archives to bypass security measures.

…suggests that traditional antivirus solutions are not enough. Organizations must invest in behavior-based detection tools that flag abnormal process and network activity rather than relying solely on signature-based defenses.

2. The Financial Impact of Credential Theft

By targeting banking credentials and cryptocurrency wallets, Angry Likho is directly monetizing stolen data. Once credentials are stolen:

  • Attackers can drain bank accounts or conduct unauthorized transactions.
  • Crypto assets can be transferred instantly, making fund recovery nearly impossible.
  • Dark web marketplaces facilitate the rapid sale of stolen data to other cybercriminals.

3. The Rise of Supply Chain Attacks

Since Angry Likho targets employees of large organizations and of the contractors that serve them, a single compromised account can become a supply chain risk. If a compromised employee has access to critical systems, attackers can:

  • Inject malware into corporate networks through legitimate access points.
  • Move laterally across an organization’s infrastructure.
  • Gain persistence within systems for long-term espionage or ransomware deployment.

4. The Shift Toward Multi-Stage Attacks

The FrameworkSurvivor.exe implant represents a multi-stage attack process:

  • The initial phishing email delivers a disguised payload.
  • Scripts execute hidden commands to deploy secondary malware.
  • Lumma stealer extracts and exfiltrates sensitive data.

This layered approach makes it harder for security teams to track the full attack chain, so sandbox detonation and process-lineage tracking are needed to reconstruct what each stage does and where the next one comes from.

5. The Urgency of Strengthening Cyber Hygiene

To counter threats from groups like Angry Likho, organizations must:

🔹 Adopt Zero Trust security models – ensuring every access request is verified.
🔹 Regularly update security policies – phishing training should be mandatory.
🔹 Deploy endpoint detection & response (EDR) – catching threats in real time.
🔹 Monitor dark web activity – watching for stolen corporate credentials being offered for sale.

References:

Reported By: https://cyberpress.org/angry-likho-apt-attacks-users/