Threat Group Cards: A Threat Actor Encyclopedia

Names	Angry Likho (?)
Country	[Unknown]
Motivation	Information theft and espionage
First seen	2023
Description	(Kaspersky) Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers. We’ve identified hundreds of victims of this attack in Russia, several in Belarus, and additional incidents in other countries. We believe that the attackers are primarily targeting organizations in Russia and Belarus, while the other victims were incidental—perhaps researchers using sandbox environments or exit nodes of Tor and VPN networks.
Observed	Sectors: Government. Countries: Belarus, Russia.
Tools used	LummaC2.
Information	<https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/>

Last change to this card: 02 March 2025

Download this actor card in PDF or JSON format