New wave of targeted attacks by the Angry Likho APT on Russian organizations

Feb. 24, 2025, 9:39 a.m.

Description

The Angry Likho APT group has launched a new wave of targeted attacks, primarily against Russian organizations. The initial access vector is a spear-phishing email carrying a malicious attachment. A previously unknown implant was discovered: a self-extracting archive that uses AutoIt scripts to deploy the Lumma stealer Trojan. The stealer exfiltrates sensitive data, including browser data, cryptocurrency wallets and authentication credentials. Hundreds of victims have been identified, mostly in Russia and Belarus. The group's tactics are unchanged: periodic pauses in activity are followed by new attack waves, and it relies on readily available malicious utilities rather than developing custom tooling.

Date

  • Created: Feb. 24, 2025, 9:02 a.m.
  • Published: Feb. 24, 2025, 9:02 a.m.
  • Modified: Feb. 24, 2025, 9:39 a.m.

Indicators

  • ce8ec776eb22c2bf9ec25fe36bd0dfa6617e4926103358b055fd55cdf7912328
  • d2140ab69551f9b5d5ccda0fcea9415561b80f13ad32c061989975262d72f1e5
  • aca207b6cc683f93861e953d2e8100f21f72c875ade84c7c4584d39cae49b738
  • 80f59439f0d76b5e7b1331051da100022ac68639be8b16958a786f4cb5fd33a2
  • 086a0a68d3f8cbf4d07a7ea2c8d1e593d28de8b9cc7fa1fc144fa5e96333a1e1
  • 82679512fa82267d64300db7d2d8b747dcb2f5c8c48e0ef8e92b2abb3c08c641
  • 9eddffbef4d9d7329d062db0a93c933104d00f12106bf91fa3b58e8f8b19aa41
  • 217196571088cfd63105ae836482d742befcb7db37308ce757162c005a5af6ab
  • 05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9
  • e50987f5f13de4a552778a691032d9fce3a102bfad3fb5b7edc4c48d2aa3b4f2
  • 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb
  • 9162ccb4816d889787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486
  • https://testdomain123123.shop/FrameworkSurvivor.exe
  • willingyhollowsk.shop
  • testdomain123123.shop
  • uniedpureevenywjk.shop
  • stronggemateraislw.shop
  • spotlessimminentys.shop
  • specialadventurousw.shop
  • softcallousdmykw.shop
  • handsomelydicrwop.shop
  • averageorganicfallfaw.shop
  • sturdyregularrmsnhw.shop
  • stickyyummyskiwffe.shop
  • standingcomperewhitwo.shop
  • macabrecondfucews.shop
  • lamentablegapingkwaq.shop
  • innerverdanytiresw.shop
  • greentastellesqwm.shop
  • distincttangyflippan.shop
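As an added check that is not part of the report, the Python below ingests the indicator list above, sorts it into SHA-256, URL and domain sets (the host of the payload URL is added to the domain set), and runs it against a web-proxy log and a set of observed file hashes. The indicator strings are the report's own; the proxy log lines, client IPs and file names are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators from this report's "Indicators" list: 12 SHA-256 hashes, one
# payload URL and 17 C2 domains. One whitespace-separated token per indicator.
IOC_TEXT = """
ce8ec776eb22c2bf9ec25fe36bd0dfa6617e4926103358b055fd55cdf7912328
d2140ab69551f9b5d5ccda0fcea9415561b80f13ad32c061989975262d72f1e5
aca207b6cc683f93861e953d2e8100f21f72c875ade84c7c4584d39cae49b738
80f59439f0d76b5e7b1331051da100022ac68639be8b16958a786f4cb5fd33a2
086a0a68d3f8cbf4d07a7ea2c8d1e593d28de8b9cc7fa1fc144fa5e96333a1e1
82679512fa82267d64300db7d2d8b747dcb2f5c8c48e0ef8e92b2abb3c08c641
9eddffbef4d9d7329d062db0a93c933104d00f12106bf91fa3b58e8f8b19aa41
217196571088cfd63105ae836482d742befcb7db37308ce757162c005a5af6ab
05880ff0442bbedc8f46076ef56d4d1ffeda68d9ef26b659c4868873fa84c1a9
e50987f5f13de4a552778a691032d9fce3a102bfad3fb5b7edc4c48d2aa3b4f2
078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb
9162ccb4816d889787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486
https://testdomain123123.shop/FrameworkSurvivor.exe
willingyhollowsk.shop testdomain123123.shop uniedpureevenywjk.shop
stronggemateraislw.shop spotlessimminentys.shop specialadventurousw.shop
softcallousdmykw.shop handsomelydicrwop.shop averageorganicfallfaw.shop
sturdyregularrmsnhw.shop stickyyummyskiwffe.shop standingcomperewhitwo.shop
macabrecondfucews.shop lamentablegapingkwaq.shop innerverdanytiresw.shop
greentastellesqwm.shop distincttangyflippan.shop
"""
INDICATORS = IOC_TEXT.split()

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify(ioc: str) -> str:
    """Return 'sha256', 'url' or 'domain' for one indicator string."""
    ioc = ioc.strip().lower()
    if SHA256_RE.match(ioc):
        return "sha256"
    if "://" in ioc:
        return "url"
    return "domain"


def build_matcher(indicators):
    """Group indicators by type. The host of every URL indicator is also
    added to the domain set, so a proxy hit on the host alone is caught."""
    hashes, urls, domains = set(), set(), set()
    for ioc in indicators:
        kind = classify(ioc)
        if kind == "sha256":
            hashes.add(ioc.lower())
        elif kind == "url":
            urls.add(ioc)
            domains.add(urlsplit(ioc).hostname.lower())
        else:
            domains.add(ioc.lower())
    return {"sha256": hashes, "url": urls, "domain": domains}


def domain_hit(host, domains):
    """Match host exactly or as a subdomain; longest listed domain wins."""
    host = host.lower().rstrip(".")
    for d in sorted(domains, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(lines, matcher):
    """Scan proxy log lines of the form 'TIMESTAMP CLIENT_IP URL'.
    Returns [(line_number, client_ip, matched_domain)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname
        if host is None:
            continue
        d = domain_hit(host, matcher["domain"])
        if d:
            hits.append((n, parts[1], d))
    return hits


def sha256_file(path):
    """SHA-256 of a file on disk, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_hashes(observed, matcher):
    """observed: {path: sha256_hex}. Return paths whose hash is listed."""
    return sorted(p for p, h in observed.items() if h.lower() in matcher["sha256"])


# Constructed sample proxy log (not from the report): a benign request, a
# request to a listed C2 domain, and one to a subdomain of the payload host.
SAMPLE_LOG = [
    "2025-02-20T10:01:02Z 10.0.0.15 https://example.com/index.html",
    "2025-02-20T10:02:11Z 10.0.0.23 https://willingyhollowsk.shop/api",
    "2025-02-20T10:03:45Z 10.0.0.23 https://cdn.testdomain123123.shop/FrameworkSurvivor.exe",
]

if __name__ == "__main__":
    m = build_matcher(INDICATORS)
    for hit in scan_proxy_log(SAMPLE_LOG, m):
        print("proxy hit:", hit)
```

Subdomain matching is deliberate: stealer infrastructure of this kind is routinely fronted by arbitrary hostnames under the registered domain, so an exact-host comparison would miss them. For file hashing, pass the output of `sha256_file()` for each suspect attachment into `check_hashes()`; hashes are compared case-insensitively because feeds and tools disagree on case.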

Attack Patterns

  • Lumma Trojan (malware)
  • Angry Likho (intrusion set)
  • T1552.001 Unsecured Credentials: Credentials In Files
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1114 Email Collection
  • T1087 Account Discovery
  • T1056.001 Input Capture: Keylogging
  • T1555 Credentials from Password Stores
  • T1204.002 User Execution: Malicious File
  • T1005 Data from Local System
  • T1566.001 Phishing: Spearphishing Attachment
  • T1083 File and Directory Discovery
  • T1055 Process Injection
  • T1027 Obfuscated Files and Information
  • T1041 Exfiltration Over C2 Channel

Additional Information

  • Government
  • Belarus
  • Russian Federation