Kaspersky experts analyze the Angry Likho APT group's attacks, which use obfuscated AutoIt scripts and the Lumma stealer for data theft.
# Threat Actor: Angry Likho
## Attribution & Identity
* **Identification:** APT group monitored since 2023.
* **Attribution Inference:** Likely native Russian speakers based on the use of fluent Russian in bait files.
* **Associated Groups:** Bears a strong resemblance to Awaken Likho, classified within the Likho malicious activity cluster.
## Activity Summary
* **Monitoring Period:** Tracked since 2023, with observed pauses and resumptions; new attacks were detected in June 2024 and further malicious payloads were identified in January 2025.
* **Campaign Style:** Targeted attacks using more compact infrastructure and a narrower set of implants than earlier Likho activity.
## Tactics, Techniques & Procedures
* **Initial Access:** Standardized spear-phishing emails carrying a malicious RAR archive disguised as a videoconference invitation; the archive contains LNK files alongside a legitimate bait document.
* **Implant Delivery:** Use of a previously unknown implant named `FrameworkSurvivor.exe` delivered via a URL.
* **Execution Method:** The implant is a self-extracting archive (SFX) built with the Nullsoft Scriptable Install System (NSIS), a packaging technique previously seen in Awaken Likho campaigns.
* **Deployment Chain (SFX):** The installer extracts its files into the `$INTERNET_CACHE` folder (the NSIS constant for the user's Internet cache directory), renames one of them to `Helping.cmd`, and executes it.
* **Secondary Execution:** `Helping.cmd` launches a renamed copy of the legitimate AutoIt interpreter (`Child.pif`) and passes it a compiled, obfuscated AU3 script (`i.a3x`) that contains the core implant logic.
* **Evasion:** The AU3 script performs environmental checks to detect emulators and research environments, terminating or delaying execution (10,000 ms) if artifacts are found.
* **TTP Sharing:** The structure of environmental checks in the AU3 script mirrors checks seen in Awaken Likho implants, suggesting shared technology or group identity.
* **Code Obfuscation:** Heavy obfuscation used in the installation script (`[NSIS].nsi`) and the command file (`Helping.cmd`).
## Targeting
* **Sectors:** Large organizations, primarily government agencies and their contractors.
* **Geography:** Hundreds of victims identified in Russia and several in Belarus; hits elsewhere are considered incidental (for example researchers connecting through Tor or VPN exit nodes).
## Tools & Infrastructure
* **Malware Families:** `FrameworkSurvivor.exe` (previously unknown NSIS SFX implant); the Lumma stealer as the data-theft payload named in the report description; the legitimate AutoIt interpreter, renamed `Child.pif`, used to run the compiled `i.a3x` script.
* **Infrastructure:** Compact relative to earlier Likho activity.
* **Distribution URL:** `hxxps://testdomain123123[.]shop/FrameworkSurvivor.exe`
* **Other Mentioned Infrastructure (Associated/Contextual):**
* `sturdyregularrmsnhw[.]shop`
* `lamentablegapingkwaq[.]shop`
* `innerverdanytiresw[.]shop`
* `standingcomperewhitwo[.]shop`
* `uniedpureevenywjk[.]shop`
* `spotlessimminentys[.]shop`
* `specialadventurousw[.]shop`
* `stronggemateraislw[.]shop`
* `willingyhollowsk[.]shop`
* `handsomelydicrwop[.]shop`
* `softcallousdmykw[.]shop`
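The indicators above are defanged (`[.]`, `hxxps`). The following is an added example, not code from Kaspersky or the report, that refangs them, reduces each to a hostname and matches DNS query logs label by label, so a subdomain of an indicator matches while a domain that merely contains the indicator as a substring does not. The log format and the sample log lines are constructed for the example.

```python
"""Indicator matching for the domains and URL listed above.

Added example, not code from Kaspersky or the report: refangs the defanged
indicators, reduces them to hostnames, and matches DNS query log lines
label by label. The log format and sample lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators exactly as given in the report summary (defanged).
DEFANGED_IOCS = [
    "hxxps://testdomain123123[.]shop/FrameworkSurvivor.exe",
    "sturdyregularrmsnhw[.]shop",
    "lamentablegapingkwaq[.]shop",
    "innerverdanytiresw[.]shop",
    "standingcomperewhitwo[.]shop",
    "uniedpureevenywjk[.]shop",
    "spotlessimminentys[.]shop",
    "specialadventurousw[.]shop",
    "stronggemateraislw[.]shop",
    "willingyhollowsk[.]shop",
    "handsomelydicrwop[.]shop",
    "softcallousdmykw[.]shop",
]


def refang(ioc: str) -> str:
    """Undo common defanging: [.] (.) {.} -> . and hxxp(s) -> http(s)."""
    s = re.sub(r"[\[({]\.[\])}]", ".", ioc.strip())
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def ioc_hostname(ioc: str) -> str:
    """Reduce a refanged URL or bare domain to a lower-case hostname."""
    s = refang(ioc)
    host = urlparse(s).hostname if "://" in s else s.split("/", 1)[0]
    return (host or "").lower().rstrip(".")


def match_hostname(hostname: str, ioc_hosts: set[str]) -> str | None:
    """Return the indicator that hostname equals or is a subdomain of, if any.

    Walks the labels from the left so 'cdn.evil.shop' matches 'evil.shop'
    but 'notevil.shop' does not; the bare TLD is never tested.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_hosts:
            return candidate
    return None


# Constructed DNS query log (not from the report): <timestamp> <client> <qtype> <qname>
SAMPLE_DNS_LOG = """\
2025-01-14T10:22:01Z 10.0.0.5 A testdomain123123.shop
2025-01-14T10:22:03Z 10.0.0.5 A cdn.sturdyregularrmsnhw.shop
2025-01-14T10:22:07Z 10.0.0.9 A www.example.com
2025-01-14T10:22:09Z 10.0.0.9 A notsturdyregularrmsnhw.shop
"""


def scan_dns_log(log: str, iocs: list[str] = DEFANGED_IOCS) -> list[tuple[str, str, str]]:
    """Return (client, queried name, matched indicator) for each hit."""
    ioc_hosts = {ioc_hostname(i) for i in iocs}
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, qname = fields[1], fields[3]
        matched = match_hostname(qname, ioc_hosts)
        if matched:
            hits.append((client, qname, matched))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} -> indicator {ioc}")
```

The fourth sample line (`notsturdyregularrmsnhw.shop`) is there on purpose: a naive substring match would flag it, the label walk does not.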
## Implications
Angry Likho remains an active threat actor focused on government agencies and their contractors in Russia and Belarus. It shares tooling and techniques with Awaken Likho (NSIS SFX delivery, the same structure of environment checks in the AU3 script) but runs narrower, targeted operations on more compact infrastructure. The layered chain (obfuscated `[NSIS].nsi` installer script, obfuscated `Helping.cmd`, compiled AU3 run by a renamed legitimate interpreter, sandbox checks before the payload stage) is built to survive automated analysis and to evade endpoint tooling that keys on the final payload alone.
## Mitigations
* **Email Security:** Filter or detonate inbound archive attachments (RAR in this campaign) and the LNK files inside them; a "videoconference invitation" delivered as an archive containing shortcuts is itself a red flag worth a dedicated rule.
* **Endpoint Detection:** Alert on the chain rather than on any one file: an NSIS SFX writing into the user's Internet cache folder, a `.cmd` executed from there, and a renamed interpreter (`Child.pif`) launched with a `.a3x` argument. Identify the AutoIt interpreter by hash or signer rather than by filename, since it was renamed, and baseline legitimate AutoIt use, which is rare outside development hosts.
* **Sandbox Hardening:** The AU3 script aborts or sleeps for 10,000 ms when it finds analysis artifacts, so detonation environments should remove common research artifacts and run samples long enough to outlast the delay; otherwise the payload stage is never observed.
* **Analysis Note:** The embedded `[NSIS].nsi` installer script can be recovered for inspection with 7-Zip 15.05 or earlier, since later releases no longer dump the script. This is an analyst convenience, not a defensive control; the primary defense remains preventing execution.
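To make the endpoint detection point concrete, the following added example (not code from Kaspersky or the report) scores process-creation events for the chain described in the TTP section: NSIS SFX, then `Helping.cmd` in the user's Internet cache, then the renamed AutoIt interpreter `Child.pif` running a compiled `.a3x` script. The event schema, the user paths and the sample events are constructed, and NSIS's `$INTERNET_CACHE` is assumed to resolve to the `INetCache` folder under `%LOCALAPPDATA%`.

```python
"""Process-chain detection for the Angry Likho delivery described above.

Added example, not code from Kaspersky or the report. The event schema,
paths and sample events are constructed; $INTERNET_CACHE is assumed to
resolve to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Internet cache locations (INetCache on Windows 8+, Temporary Internet Files earlier).
INETCACHE_RE = re.compile(r"\\inetcache\\|\\temporary internet files\\", re.I)
# A whitespace- or quote-delimited argument ending in .a3x (compiled AutoIt script).
A3X_ARG_RE = re.compile(r"(^|[\s\"'])[^\s\"']+\.a3x\b", re.I)
# Extensions used to run an executable under an innocuous-looking name.
RENAMED_EXT_RE = re.compile(r"\.(pif|com|scr)$", re.I)
SCRIPT_ARG_RE = re.compile(r"\.(cmd|bat)\b", re.I)


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of the chain stages this single event matches."""
    hits: list[str] = []
    # Stage 2: cmd.exe running a .cmd/.bat that lives in the Internet cache.
    if (ev.image.lower().endswith("\\cmd.exe")
            and INETCACHE_RE.search(ev.command_line)
            and SCRIPT_ARG_RE.search(ev.command_line)):
        hits.append("cmd_script_from_inetcache")
    # Stage 3: a renamed interpreter (.pif/.com/.scr) given a .a3x script.
    if RENAMED_EXT_RE.search(ev.image) and A3X_ARG_RE.search(ev.command_line):
        hits.append("renamed_interpreter_runs_a3x")
    # Stage 2 -> 3 link: cmd.exe spawning an executable out of the Internet cache.
    if ev.parent_image.lower().endswith("\\cmd.exe") and INETCACHE_RE.search(ev.image):
        hits.append("cmd_spawns_child_from_inetcache")
    return hits


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run check_event over a sequence and return (event index, stage) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


INETCACHE = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache"

# Constructed sample telemetry (not from the report), in execution order.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Downloads\FrameworkSurvivor.exe",
              "FrameworkSurvivor.exe"),
    ProcEvent(r"C:\Users\alice\Downloads\FrameworkSurvivor.exe",
              r"C:\Windows\System32\cmd.exe",
              f'cmd.exe /c "{INETCACHE}\\Helping.cmd"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              INETCACHE + r"\Child.pif",
              "Child.pif i.a3x"),
    # Legitimate developer use of AutoIt on a build host: must not fire.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" build.au3'),
]

if __name__ == "__main__":
    for idx, stage in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {stage} ({SAMPLE_EVENTS[idx].image})")
```

Each stage fires on its own, so a partial chain (for example a different dropper name) still produces an alert; correlating two stages within one process tree is what raises confidence to high.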