Space Pirates Launch Cyber Attacks on Russian IT Firms with New LuckyStrike Malware

28.02.2025


The cyber threat actor known as Sticky Werewolf has been linked to targeted attacks in Russia and Belarus, primarily aiming to deliver the Lumma Stealer malware through an undocumented implant. Security researchers at Kaspersky, tracking this activity under the name Angry Likho, note its strong resemblance to a previously known campaign, Awaken Likho. However, Angry Likho operates with a more compact infrastructure, fewer implants, and a specific focus on employees of large organizations, including government agencies and their contractors.

Analysis suggests the attackers are likely native Russian speakers, given their use of fluent Russian in bait files designed to initiate the infection chain. While cybersecurity firm F6 has labeled them a “pro-Ukrainian cyberspy group,” their primary targets remain organizations in Russia and Belarus, with hundreds of victims identified in Russia alone. Past campaigns linked to this group have leveraged phishing emails to distribute various malware strains, including NetWire, Rhadamanthys, Ozone RAT, and DarkTrack, which is deployed via a loader known as Ande Loader.

The attack method relies on spear-phishing emails containing archive files that hide malicious Windows shortcut (LNK) files alongside a legitimate-looking document. Once executed, the files trigger a multi-stage infection process designed to deploy Lumma Stealer. Kaspersky researchers found that the malware is packaged using the open-source Nullsoft Scriptable Install System (NSIS) and functions as a self-extracting archive. To evade detection, the malware incorporates checks for emulators and sandboxed environments, either terminating itself or delaying execution by 10 seconds if suspicious conditions are detected. This behavior mirrors techniques previously observed in Awaken Likho campaigns, suggesting potential overlap between the two operations.
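The delivery pattern described above (an archive carrying a Windows shortcut next to a decoy document) can be screened for at a mail gateway. The following is an added example, not code from the original article or from Kaspersky; it assumes ZIP attachments and checks both the `.lnk` extension and the Shell Link header so that a shortcut renamed to look like a document is still flagged.

```python
import io
import zipfile
from dataclasses import dataclass

# Shell Link files begin with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Extensions a "legitimate-looking document" decoy typically carries.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


@dataclass
class ArchiveVerdict:
    lnk_entries: list
    decoy_entries: list

    @property
    def suspicious(self) -> bool:
        # The reported pattern: at least one shortcut bundled with a decoy document.
        return bool(self.lnk_entries) and bool(self.decoy_entries)


def _is_lnk(name: str, head: bytes) -> bool:
    # Extension check alone misses renamed shortcuts, so also test the header bytes.
    return name.lower().endswith(".lnk") or head.startswith(LNK_MAGIC)


def inspect_archive(data: bytes) -> ArchiveVerdict:
    """Classify every file entry of a ZIP attachment as LNK, decoy document, or other."""
    lnk, decoy = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if _is_lnk(info.filename, head):
                lnk.append(info.filename)
            elif any(info.filename.lower().endswith(ext) for ext in DECOY_EXTS):
                decoy.append(info.filename)
    return ArchiveVerdict(lnk, decoy)


def build_sample_archive() -> bytes:
    """Constructed sample input: one real decoy plus two shortcuts, one disguised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.pdf", b"%PDF-1.4 constructed decoy\n")
        zf.writestr("Contract_scan.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # double extension
        zf.writestr("Estimate.docx", LNK_MAGIC + b"\x00" * 60)  # shortcut renamed as a document
    return buf.getvalue()
```

Running `inspect_archive(build_sample_archive())` reports both shortcut entries, including the one whose name ends in `.docx`, alongside the single genuine decoy.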

Lumma Stealer is designed to exfiltrate sensitive data from compromised systems, including cookies, credentials, banking card details, cryptocurrency wallets, and authentication tokens. It specifically targets data stored in web browsers, cryptowallet extensions like MetaMask, and remote access tools such as AnyDesk and KeePass.

Rather than developing proprietary malware, the group relies on widely available malicious tools sourced from darknet forums. Their primary effort lies in crafting sophisticated malware delivery mechanisms and executing targeted phishing campaigns to infiltrate high-value organizations.
