Angry Likho APT resurfaces, targeting Russian and Belarusian organizations with Lumma Stealer malware via phishing attacks, stealing credentials, banking data, and more.
Analysis Summary
# Threat Actor: Angry Likho APT
## Attribution & Identity
The threat actor is identified as **Angry Likho APT**. The source names no other aliases or associated groups.
## Activity Summary
Angry Likho APT has **resurfaced** recently to target organizations in **Russia and Belarus**. The primary method of operation involves **phishing attacks** used to deploy malware.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing attacks.
- **Delivery of Malware:** Deployment of Lumma Stealer.
- **Objective:** Stealing credentials, banking data, and other sensitive information.
- *No MITRE ATT&CK technique IDs are given in the source.*
## Targeting
- Sectors: not specified; the source describes the victims only as organizations in Russia and Belarus, without naming industries.
- Geography: **Russia** and **Belarus**.
- Victims: Russian and Belarusian organizations.
## Tools & Infrastructure
- Malware families used: **Lumma Stealer**.
- Infrastructure (C2, domains, IPs): none given in the source, so there are no indicators to defang or block from this report alone.
## Implications
Angry Likho APT continues to focus on entities in Russia and neighboring countries. Its use of commodity malware (Lumma Stealer) delivered through socially engineered phishing points to a likely high-volume campaign, financially or espionage-motivated, whose goal is data exfiltration.
## Mitigations
- Enhance user training focused on identifying and preventing phishing attacks.
- Implement robust email filtering to block suspicious messages.
- Deploy Endpoint Detection and Response (EDR) solutions capable of detecting and blocking information-stealing malware like Lumma Stealer.
- Review and restrict access according to the principle of least privilege, so that any credentials stolen by an infostealer grant as little access as possible.