Kaspersky experts have recently uncovered new series of Advanced Persistent Threat (APT) attacks by Awaken Likho targeting government and industrial sectors in Russia. The threat group, still active, has adapted its tactics to improve the effectiveness of its attacks and evade detection. In this latest campaign, the attackers are exploiting MeshCentral, a free, web-based platform for remotely controlling computer systems, marking a shift from their previous use of the UltraVNC agent.

"Awaken Likho", known also as Core Werewolf, is an APT group that has been active since at least 2021 but saw a significant surge in activity following the outbreak of the Russo-Ukraine conflict. During Kaspersky's research into the group's operations, experts uncovered a new malicious campaign that began in June 2024 and continued through at least August. This campaign, aimed at cyberespionage and device control perception, specifically targeted government and industrial organizations in Russia and their contractors.

Kaspersky's analysis reveals that the recent campaign has introduced changes in group’s tools and techniques. The attackers exploited MeshCentral, a web-based, open-source platform for remote desktop access, device management, file transfers, and real-time monitoring. To establish a foothold in the network, an implant was downloaded onto victims' devices from a malicious URL, allegedly delivered through targeted phishing emails. In previous similar campaigns, the attackers used search engines to gather extensive information about the victims, crafting emails that appeared legitimate. These emails included self-extracting archives (SFX) and links to malicious modules, which, once opened, installed a trojan designed for cyberespionage.

Based on their tactics, the attackers could get access to sensitive government and industrial data, including confidential information, plans, communications, and details on infrastructure operations. Additionally, they could gain full control over the victims' devices, allowing them to disrupt work operations, manipulate systems, or launch further attacks within the compromised networks.

Based on the tactics, techniques, and procedures (TTPs) used, as well as information about the victims, Kaspersky experts attribute this campaign to the APT group Awaken Likho with a high degree of confidence.

“Geopolitics remains a key driver of APT attacks, which are evolving rapidly as attackers refine their techniques to stay undetected while maximizing damage. These attacks once again underscore the critical need for comprehensive security measures, particularly in the government and industrial sectors, as they are prime targets for threat actors. Proactive defense strategies and real-time threat intelligence are essential to counter these increasingly sophisticated threats,” comments Alexey Shulmin, security expert at Kaspersky.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Next.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.

To learn more about Awaken Likho campaign, visit Securelist.com.

To gain exclusive insights into the latest APT campaigns and emerging trends in the threat landscape, register for the Security Analyst Campaign here.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.