Spring harvest - Leek Likho group's campaign to hunt for documents

216.73.216.6

Spring harvest - Leek Likho group's campaign to hunt for documents

· Published 18/05/2026 19:45 · Modified 18/05/2026 19:56

Essential information

Published: 18/05/2026 19:45
Modified: 18/05/2026 19:56
Tags: 2026-05-18 dropbox likho messenger app skycloak telegram
Related entities: 32 observables, 3 techniques (mitre), 1 others

Description

The Leek Likho group (also known as SkyCloak or Vortex Werewolf) was first described by researchers in 2025, when a series of targeted attacks on public sector organizations in Russia and Belarus became known. This campaign was called Operation SkyCloak. We observed the continuation of its activity during February-April 2026, and also discovered a new technique that attackers use to filter files.

External references

https://otx.alienvault.com/pulse/6a0b6c5acfd23c54ac29ea40
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/

Spring harvest - Leek Likho group's campaign to hunt for documents

Essential information

Description

Related entities

Observables (32)

Techniques (MITRE) (3)

Others (1)

External references