Awaken Likho

Threat Actor updated 7 days ago (2024-10-09T18:00:54.895Z)
Awaken Likho is a threat actor group that has been active since the onset of the Russo-Ukrainian conflict. Also known as Core Werewolf and PseudoGamaredon, it targets government agencies and industrial entities, primarily within Russia.

The group has adapted its methods over time, recently shifting from UltraVNC to MeshCentral for remote access. Kaspersky researchers observed this change in a new campaign that ran from June to August 2024. In September 2024, Awaken Likho was detected using a new implant; further analysis of the telemetry showed that the attackers had started using this malware as early as August 2024.

The group has now adopted a more sophisticated technique involving a 7-Zip self-extracting archive, which displays a decoy document while covertly installing the MeshAgent tool, misleading victims and evading detection. Given this continued evolution of its tools and tactics, Awaken Likho is expected to keep targeting and infiltrating selected infrastructure in future attacks.
Description last updated: 2024-10-09T17:15:50.776Z
Aliases We are not currently tracking any aliases