Awaken Likho

Description

(Kaspersky) In July 2021, a campaign was launched primarily targeting Russian government agencies and industrial enterprises. Shortly after the campaign started, we began tracking it, and published three reports in August and September 2024 through our threat research subscription on the threat actor we named Awaken Likho (also named by other vendors as Core Werewolf).

While investigating the activity of this APT group, we discovered a new campaign that began in June 2024 and continued at least until August. Analysis of the campaign revealed that the attackers had significantly changed the software they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems. The group remains focused on targeting Russian government organizations and enterprises.

Names

Name            Name-Giver
Awaken Likho    Kaspersky
Core Werewolf   BI.ZONE

Country

Motivation

  • Information theft and espionage

First Seen

2021

Observed Sectors

Observed Countries

Information

Other Information

Uuid

f3c3beeb-ae74-411b-8a9a-110533a0b28d

Last Card Change

2024-10-24