Full Report
The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant. Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho, which it said bears a "strong resemblance" to Awaken Likho (aka Core Werewolf, GamaCopy, and
Analysis Summary
# Threat Actor: Sticky Werewolf (aka Angry Likho)
## Attribution & Identity
* **Primary Name:** Sticky Werewolf
* **Tracking Name (by Kaspersky):** Angry Likho
* **Associated Groups:** Bears a strong resemblance to Awaken Likho (aka Core Werewolf, GamaCopy, and PseudoGamaredon).
* **Suspected Origin:** Likely Russian speakers due to fluent Russian used in bait files.
* **Conflicting Reporting:** Described by F6 (F.A.C.T) as a "pro-Ukrainian cyberspy group."
## Activity Summary
The actor engages in targeted attacks primarily focusing on espionage and potential financial fraud objectives. Recent activity involves delivering the Lumma Stealer malware using a previously undocumented implant. Previous intrusion activities leveraged phishing emails to distribute a variety of malware families. Kaspersky notes that the current activities, tracked as Angry Likho, employ a more compact infrastructure and a more limited range of implants compared to similar groups.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails bearing booby-trapped attachments (e.g., archive files).
* **Delivery Mechanism:** Archives contain two Windows shortcut (.LNK) files and a legitimate lure document, leading to a complex multi-stage deployment process.
* **Implant Installation:** Utilizes a custom implant created using the open-source Nullsoft Scriptable Install System (NSIS) functioning as a self-extracting archive (SFX).
* **Evasion:** Incorporates checks for emulators and sandboxed environments; when one is detected, the malware either terminates or resumes execution only after a 10,000 ms delay.
* **Malware Chaining:** Relies on readily available malicious utilities obtained from darknet forums, concentrating its own development effort on the delivery mechanisms and phishing emails.
* **[No specific MITRE ATT&CK IDs provided in the source text.]**
## Targeting
* **Sectors:** Government agencies and their contractors, employees of large organizations.
* **Geography:** Primarily focused on Russia and Belarus. Hundreds of victims identified in Russia.
* **Victims:** Organizations in Russia and Belarus, specifically including government agencies.
## Tools & Infrastructure
* **Current Malware:** Lumma Stealer (Information Stealer).
* **Previously Used Malware:** NetWire, Rhadamanthys, Ozone RAT, DarkTrack (RAT).
* **Loaders:** Ande Loader.
* **Custom Components:** Custom implant built using NSIS.
* **Infrastructure:** Described as "compact," but specific C2/infrastructure details were not provided beyond the reliance on darknet forums for utilities.
* **Defanged URLs/IPs:** N/A (No explicit URLs/IPs were listed in the provided text to defang.)
## Implications
Sticky Werewolf/Angry Likho represents a persistent threat combining industrial espionage with potential financial motives. Its use of a novel delivery chain (the NSIS SFX implant) alongside established evasion techniques suggests a mature operational security posture. The observed technological overlap with actors such as Awaken Likho suggests shared resources, technology transfer, or the same actor using different toolsets for different campaigns. The focus on government agencies and contractors in Russia/Belarus presents a significant national security risk.
## Mitigations
* Implement stringent filtering and scanning of executable content delivered in email archives, in particular Windows shortcut (.LNK) files, especially when the archive originates outside trusted sources.
* Monitor endpoints for Lumma Stealer activity, focusing on credential harvesting from browsers, crypto wallets (especially MetaMask), and password managers (KeePass).
* Tune sandbox and emulation analysis so that samples which terminate early or pause for long periods (such as the 10,000 ms delay noted above) when they detect an analysis environment are still flagged for review rather than passed as benign.
* Improve security awareness training regarding spear-phishing, particularly for employees handling sensitive government or contractor data.
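As an added illustration of the first mitigation (not code from the report or from Kaspersky), the following Python checks an incoming ZIP archive for the delivery layout described above, Windows shortcut (.LNK) members bundled with a lure document, and returns a block/allow verdict. The lure-document extension set and the sample archive contents are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed set of extensions that typically act as the lure document; extend
# to match local mail-filtering policy.
LURE_DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx"}
SHORTCUT_EXT = ".lnk"


def inspect_archive(data: bytes) -> dict:
    """Inspect a ZIP archive given as bytes. Flags any .LNK member and
    records lure documents so the LNK-plus-document pattern is visible."""
    result = {"lnk_members": [], "doc_members": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "block"  # unparseable archive: fail closed
        return result
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Case-insensitive suffix check; zip member names may be mixed case.
        ext = PurePosixPath(info.filename).suffix.lower()
        if ext == SHORTCUT_EXT:
            result["lnk_members"].append(info.filename)
        elif ext in LURE_DOC_EXTS:
            result["doc_members"].append(info.filename)
    if result["lnk_members"]:
        # A shortcut file inside an emailed archive has no legitimate use
        # here, so block regardless of whether a lure document accompanies it.
        result["verdict"] = "block"
    return result


def build_sample_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used for constructed
    test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the reported layout: two .LNK files plus
    # a document. Member contents are placeholders, not real files.
    sample = build_sample_archive({
        "document.pdf": b"%PDF-1.4 placeholder",
        "file1.lnk": b"L\x00\x00\x00placeholder",
        "file2.LNK": b"L\x00\x00\x00placeholder",
    })
    print(inspect_archive(sample))
```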