Kaspersky experts have uncovered a new series of Advanced Persistent Threat (APT) attacks by Awaken Likho targeting government and industrial sectors in Russia.

The threat group, still active, has adapted its tactics to improve the effectiveness of its attacks and evade detection.

In this latest campaign, the attackers are exploiting MeshCentral, a free, web-based platform for remotely controlling computer systems, marking a shift from their previous use of the UltraVNC agent.

“Awaken Likho”, also known as Core Werewolf, is an APT group that has been active since at least 2021 but saw a significant surge in activity following the outbreak of the Russo-Ukraine conflict. During Kaspersky’s research into the group’s operations, experts uncovered a new malicious campaign that began in June 2024 and continued through at least August.

The campaign, aimed at cyberespionage and gaining control of victims’ devices, specifically targeted government and industrial organisations in Russia and their contractors.

Kaspersky’s analysis reveals that the recent campaign has introduced changes in the group’s tools and techniques. The attackers exploited MeshCentral, a web-based, open-source platform for remote desktop access, device management, file transfers, and real-time monitoring. To establish a foothold in the network, an implant was downloaded onto victims’ devices from a malicious URL, allegedly delivered through targeted phishing emails.

In previous similar campaigns, the attackers used search engines to gather extensive information about the victims, crafting emails that appeared legitimate. These emails included self-extracting archives (SFX) and links to malicious modules, which, once opened, installed a trojan designed for cyberespionage.

Based on their tactics, the attackers could get access to sensitive government and industrial data, including confidential information, plans, communications, and details on infrastructure operations. Additionally, they could gain full control over the victims’ devices, allowing them to disrupt work operations, manipulate systems, or launch further attacks within the compromised networks.

Based on the tactics, techniques, and procedures (TTPs) used, as well as information about the victims, Kaspersky experts attribute this campaign to the APT group Awaken Likho with a high degree of confidence.

“Geopolitics remains a key driver of APT attacks, which are evolving rapidly as attackers refine their techniques to stay undetected while maximising damage,” comments Alexey Shulmin, security expert at Kaspersky. “These attacks once again underscore the critical need for comprehensive security measures, particularly in the government and industrial sectors, as they are prime targets for threat actors.

“Proactive defense strategies and real-time threat intelligence are essential to counter these increasingly sophisticated threats.”