Spring harvest - Leek Likho group's campaign to hunt for documents

May 18, 2026, 7:56 p.m.

Description

The Leek Likho group (also known as SkyCloak or Vortex Werewolf) was first described by researchers in 2025, when a series of targeted attacks on public sector organizations in Russia and Belarus became known. This campaign was called Operation SkyCloak. We observed the continuation of its activity during February-April 2026, and also discovered a new technique that attackers use to filter files.

External References

https://otx.alienvault.com/pulse/6a0b6c5acfd23c54ac29ea40
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/
Tags
dropbox
telegram
2026-05-18
likho
messenger app
skycloak

Date

  • Created: May 18, 2026, 7:45 p.m.
  • Published: May 18, 2026, 7:45 p.m.
  • Modified: May 18, 2026, 7:56 p.m.

Indicators

  • 1ba396a8cd9af661e0a5ceb1107c787290cff3ab05b70a9c5154f4e040f716be
  • 76542efd8113416322268676c8c32fc900661fe17db68a1ac9c2bcdcd936a7a6
  • 42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066
  • f78d87ff967bbdebbc43c58c2b5376522d2bbc975c98727c75bf28e2eb23ffd0
  • 1fbdb99357ace6d6db830c63850a6e8a4ea3607776c4668feb135f3ff0d95151
  • 85fba8ba8377974392b9147a2adf2d2955e9dfbb8d9e0659c7f90487b1105ae7
  • a43e2231b200b294b35dfb50fad446a0a7e42783c4f541981bc85a8930fb670a
  • d38de5d71d04dcd70039b897c2edbc0981ba8940c249872f7c3a77b60abb3955
  • 0c6c020a92517dcd757939c4f907550dbff08f133311d74928f27cf4133db7e9
  • de73c1b5597f091b5e42e5d5b4dc40a46ddee4682308f5bbe010a32ede57b111
  • 1280cca4b520bfd018296c4d1645b7c9c8c7c4608752506285dad0e251b22e32
  • 06845a04d2329ca39c8378cb83118f6ffd278805f5b229cb65c21c4ca989fd56
  • 44abef9297d6573674b27416435c891317cfb9de8753d075806d5777563e6cc2
  • 6efdf511512be5e256951813f2008ce2c4572d6ef191c69a62b7555aa33255ac
  • bbcdb82918f0decb1d6e20c90e872175cf278006948c5995ffd88033f56a1b71
  • ddaef2e9377ce89222c3eadfb5b3c90e9a99f3d2d0635bbf5e7d8681eae051c7
  • 1e6ffcefe2561cbaaae6ff7a21fd5f90098610fda4d39889a8f6d4a510c20c10
  • 8f9029a5d5351078fc2f0b5499557c0f969b337817947314e37b2c7407ae2300
  • fc8a6cc400dd822b6f5fc40c85a547cf7f266169edddb84a90f4b3f25956318c
  • 111e42c31f8e4ae3764f339d7ad04b20bb21be5d97ede13aaa7c73e72cb7549d
  • 2727d521ef98815ba82b2c2cc504123db59e1e4df487e3d6253280d21d00020e
  • b4195e7584ac97d9c444ee6292160c80f9c889e6cba27cc656506d3c5fcffd48
  • d0b18d94c4abd7f0f3a3d07fd2172956f6ec9654b8cbf087954017dd92bd9e4f
  • 2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082
  • 8339333e1a1a8babc3fd72542e8fda58d19dd096cf2463867ca0328348338570
  • fe0d64d07ef03b2db6a7fa1ccbcc62c3f24f003d5f5726129ff22341321575b4
  • 0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5
  • 63297928883b0dc4e0735963dbcb2b2fa0c1e131af6d486f882070a6eb7e339a
  • 8f4836cca1850053e87a769a84baed3cdde060ad3fce26f101a20b37375835f1
  • f5f9f66d0fbc1ab7ad0efe82e0aa29e1665047e945c7b821bb4189901c57ef13
  • a2306445f6a9a9313ec3709c84bc3e932f75240fcaf2543bb1cdc3c362b64552
  • a79b5162f9a49df3db4f001325938b9dc7bdc471b71108ed178350c89252e3a5
Download all indicators here!

Attack Patterns

Additional Informations

  • Government