Angry Likho APT resurfaces, targeting Russian and Belarusian organizations with Lumma Stealer malware via phishing attacks, stealing credentials, banking data, and more.

Cybersecurity researchers at Kaspersky’s Securelist have found a cyber espionage group known as Angry Likho APT (also referred to as Sticky Werewolf by some security vendors) has reemerged with a new wave of cyberattacks, primarily targeting organizations in Russia and Belarus.

This group, which has been active since 2023, shares similarities with the previously analyzed Awaken Likho group, and is linked to cyber attacks against government agencies and large corporate contractors in Russia and parts of Belarus.

**Who Are They Targeting?**

Angry Likho APT has a history of sending highly targeted spear-phishing emails, focusing on employees of large organizations, including government agencies and their contractors. These messages come with malicious RAR files that include harmful shortcut files along with an apparently harmless document.

Once opened, the archive triggers a complex infection chain, ultimately deploying a stealer malware known as Lumma Stealer.

The group’s phishing emails and bait files are written in fluent Russian, suggesting the attackers are likely native Russian speakers. While the majority of victims are in Russia and Belarus, some incidental targets have been identified in other countries, possibly researchers or users of Tor and VPN networks.

According to Securelist’s technical details put together in its blog post, in June 2024, researchers discovered a new implant associated with Angry Likho APT, distributed under the name FrameworkSurvivor.exe. This implant, created using the legitimate Nullsoft Scriptable Install System, functions as a self-extracting archive (SFX).

Upon execution, it extracts files into a folder named $INTERNET_CACHE and launches a heavily obfuscated command file, Helping.cmd. This file, in turn, executes a malicious AutoIt script, which injects the Lumma stealer into the system.

Phishing emails used in the campaign (Via Securelist)

****What Does Lumma Stealer Do?****

The Lumma stealer is designed to harvest sensitive data from infected devices. It collects system information, installed software details, and personal data such as cookies, usernames, passwords, banking card numbers, and connection logs. It also targets data from popular browsers like Chrome, Firefox, and Opera, as well as cryptocurrency wallets and extensions like MetaMask and Authenticator.

****Recent Activity****

In January 2025, Russian cybersecurity firm F6 ( (previously F.A.C.C.T) reported new attacks from Angry Likho APT. These attacks involved image files (e.g., test.jpg and test2.jpg) containing Base64-encoded malicious payloads, a tactic previously observed in 2024.

Researchers also identified several new command servers used by Angry Likho, including domains like averageorganicfallfawshop and distincttangyflippanshop. By analyzing these servers, they uncovered over 60 malicious implants, some of which shared the same payload. This suggests the group is actively expanding its infrastructure to evade analysis and detection.

Nevertheless, the research shows that Angry Likho continues to operate consistently, though in a predictable manner. While they make small changes each time, their approach stays the same: targeted phishing emails, a self-extracting archive, and a final payload designed to steal sensitive data.

Angry Likho APT Resurfaces with Lumma Stealer Attacks Against Russia

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its…

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its attacks, according to research from the AhnLab Security Intelligence Center (ASEC). This malware, which initially appeared in mid-2024 as a beta version, has seen a significant increase in distribution since 2025, with February’s volume mirroring January’s and indicating a potential surge.

It is worth noting that, according to Hudson Rock’s report, infostealers have become the biggest threat to critical infrastructure. The report reveals that computers belonging to the US Army, Navy, and even the FBI have been compromised, with stolen data available on the dark web for as little as $10.

In the ongoing campaign, ASEC’s monitoring confirms that ACRStealer is spread through software cracks and key generators, commonly used for software piracy, and the malware is frequently disguised as these illegal programs. 

While Lumma Stealer and Vidar have been dominant infostealers distributed this way, researchers observed that ACRStealer’s presence is growing rapidly. According to their report, the distribution trend of ACRStealer from June 2024 to February 2025 indicates a dramatic rise in 2025.

Platforms used to distribute the infostealer disguised as a crack (Screenshot via AhnLab).

ACRStealer boasts a range of malicious capabilities. It can detect installed antivirus solutions, steal cryptocurrency wallets and login credentials, extract browser data, harvest FTP credentials, and read all text files. This stolen information allows cybercriminals to target financial assets and personal accounts. Stolen credentials grant access to email, social media, and banking services. This data can also be used for identity theft or sold on dark web markets.

A key feature is ACRStealer’s C2 server communication. Instead of embedding the server’s IP, it uses a Dead Drop Resolver (DDR). This method involves the malware contacting a legitimate service, such as Google Docs or Steam, to retrieve the C2 server’s domain. ASEC has identified several platforms used as intermediary C2s, including Steam, telegra.ph, and various forms of Google Docs (Forms and Presentations).

This approach allows attackers to easily change the C2 domain if it is compromised without needing to update the malware itself. They simply modify the information within the intermediary C2. 

The actual C2 domain, retrieved from the intermediary C2, is combined with a hardcoded UUID (Universally Unique Identifier) to create the URL for downloading encrypted configuration data. This data contains crucial information like target programs, additional malware URLs, file extensions, and target extension IDs.

The configuration file specifies a wide range of data to be stolen, including browser data, text files, cryptocurrency wallets, FTP information, chat program information, email client information, remote program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension plugin information. 

Also, it targets numerous programs, from browsers like Chrome and Firefox to cryptocurrency wallets like Binance and Electrum, chat programs like Telegram and Signal, and various browser plugins. Collected files are often compressed before transmission.   

AhnLab’s research highlights ACRStealer’s adaptable approach, constantly changing platforms and the locations of C2 information within them. It operates as Malware-as-a-Service (MaaS), making infection tracking difficult. 

However, preventative measures can be taken. This involves avoiding websites distributing cracks and key generators, and downloading software only from official sources. Additionally, be cautious with links and attachments in unsolicited communications, enable multi-factor authentication (MFA) for added security, and maintain an active anti-malware solution.

Hackers Use Google Docs and Steam to Spread ACRStealer Infostealer

A list of topics we covered in the week of February 17 to February 23 of 2025

February 21, 2025 - Healthcare security is failing patients time and again. This week DM Clinical Research and Helath Net Federal Services take the spotlight

February 20, 2025 - Beware before downloading Google Chrome from a Google search, you might get more than you expected.

February 20, 2025 - An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack.

February 20, 2025 - South Korea says it's uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

February 19, 2025 - Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

 A week in security (February 17 &#8211; February 23) 

Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

133.0.3065.82

2/21/2025

133.0.6943.126/.127

CVE-2025-1006: Chromium: CVE-2025-1426 Heap buffer overflow in GPU

CVE-2025-1426: Chromium: CVE-2025-1006 Use after free in Network

CVE-2025-0999: Chromium: CVE-2025-0999 Heap buffer overflow in V8

Beware before downloading Google Chrome from a Google search, you might get more than you expected.

Criminals are once again abusing Google Ads to trick users into downloading malware. Ironically, this time the bait is a malicious ad for Google Chrome, the world’s most popular browser.

Victims who click the ad land on a fraudulent Google Sites page designed as a intermediary portal, similar to what we saw earlier this year with the massive Google accounts phishing campaign.

The final redirect eventually downloads a large executable disguised as Google Chrome which does install the aforementioned but also surreptitiously drops a malware payload known as SecTopRAT.

We have reported this incident to Google, but at the time of writing the fake Google Sites page is still up and running.

We identified a suspicious ad when searching for “_download google chrome_“. If you look at the URL embedded in the sponsored result, you will notice it shows “_https://sites.google.com_“, which is Google’s free website builder.

While most pages hosted on there are legitimate, it’s good to remember that they are user generated and that abuse is a part of any open platform. It’s also a way for criminals to cleverly appear as legitimate when building fake ads.

**Malware payload**

Once a user double clicks on _GoogleChrome.exe_ the fake Chrome installer connects to _hxxps\[://\]launchapps\[.\]site/getCode\[.\]php_ and retrieves the necessary instructions. Below, we can see how it requests to run as administrator in order to perform certain actions that require this access level.

A PowerShell command adds an exclusion path to the %appdata%\\Roaming directory so that Windows Defender does not trigger when the malware payload is extracted.

An encrypted data stream is downloaded from _hxxps\[://\]launchapps\[.\]site/3\[.\]php?uuid={}\_uuid_ and then decrypted:

The executable named _decrypted.exe_ (PDB path: _D:\\a\\wix4\\wix4\\build\\burn\\Release\\x64\\burn.pdb_) is then dropped to %\\AppData%\\Roaming\\BackupWin\\ and unpacks the final payload, _waterfox.exe_. Side note: it has the same name and icon as the Waterfox browser (an open-source fork of the Firefox web browser).

The malicious code is then injected into the legitimate _MSBuild.exe_ process which communicates with the attackers’ command and control infrastructure at the following IP: 45.141.84\[.\]208. From this, we identify the malware payload as SecTopRAT, a remote access Trojan with stealer capabilities.

Lastly, to make sure victims are completely fooled, it finishes by downloading and installing the legitimate Chrome browser. From the installation script, we see other campaigns the same threat actors are running in parallel for fake Notion and Grammarly installers.

**Conclusion**

Downloading and installing software provides an opportunity for threat actors as long as they are able to compromise the delivery chain. Search ads provide that entry point by leveraging the trust users have in their search engine. It is somewhat ironic but also damning when malicious ads impersonate the same platform that allows them in the first place.

The fake Chrome installer we reviewed in this blog post cleverly retrieved its malicious payload dynamically from a remote site and only decrypted it after making sure Windows Defender would not be able to scan it. The ruse was complete when the actual legitimate Google Chrome installer was downloaded and installed.

Malwarebytes users were already protected from this attack, with Browser Guard blocking the malicious ad and Premium Security Antivirus detecting the dropped payload.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Google Sites

sites\[.\]google\[.\]com/view/gfbtechd/

Fake Chrome download

chrome\[.\]browser\[.\]com\[.\]de  
chrome\[.\]browser\[.\]com\[.\]de/GoogleChrome.exe  
48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55

Payload host

launchapps\[.\]site

decrypted.exe

f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7

waterfox.exe

0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54

C2

45.141.84\[.\]208

 SecTopRAT bundled in Chrome installer distributed via Google Ads 

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and…

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and Marcher trojan through compromised websites.

Cybersecurity researchers at Proofpoint have identified two new cybercriminal groups behind a wave of fake browser update scams designed to infect users with malware. These groups, tracked as TA2726 and TA2727, are using compromised websites to trick visitors into downloading malicious software with now including a newly discovered Mac-specific information stealer called FrigidStealer.

****How the Attack Works****

The scam relies on web injects, a technique where attackers insert malicious code into legitimate websites. When users visit an infected site, they see a fake browser update prompt urging them to download and install an update. Instead of a real update, the download delivers malware that can steal sensitive data or install more dangerous payloads.

****TA2726 and TA2727****

TA2726 operates as a traffic seller, essentially providing this redirection service for other malicious actors. Researchers believe that TA2726 appears to be working alongside TA569, a previously known threat actor and once the main player in “fake update” campaigns. TA2727, on the other hand, according to Proofpoint’s blog post, is actively distributing malware itself, often employing the “fake update” ruse to trick users.

One recent campaign observed TA2727 delivering different malware based on the victim’s location. In the United States and Canada, users were directed to the SocGholish inject, which led to the installation of malware. But in Europe, Windows users encountered a fake browser update prompt that installed the Lumma Stealer, while Android users were targeted with the Marcher banking trojan.

****FrigidStealer macOS Malware****

The new FrigidStealer targets Mac users, and the attack starts with a fake update message that redirects them to a malicious file. If clicked, the file, disguised as a browser update (both Chrome and Safari), installs the information stealer. FrigidStealer then secretly harvests sensitive data like browser cookies, files related to passwords and cryptocurrencies, and even Apple Notes, just like the recently spotted new variant of the XCSSET malware.

Fake Safari and Chrome browser update websites delivering FrigidStealer (Via: Proofpoint)

The malware is written in Go and uses WailsIO, a framework that allows the fake update window to look realistic. It also bypasses Mac’s Gatekeeper security feature by requiring users to right-click and select “Open,” a common trick used by Mac malware authors.

****Windows and Android Users Also Targeted****

Mac users aren’t the only ones at risk. The same attack chain has been found delivering Marcher banking trojan for Android and Lumma Stealer and DeerStealer for Windows.

For Android users, clicking the update downloads Marcher, a banking trojan that has been active since 2013 and is designed to steal login credentials from banking apps. If a Windows user clicks the fake update, they receive an MSI installer that loads a trojanized DLL, ultimately running Lumma Stealer to extract credentials and financial data.

Users can still protect themselves by learning basic cybersecurity practices, learning how to spot a phishing email, avoiding third-party apps and tools, and scanning files and links on sites like VirusTotal or ANY.RUN.

New FrigidStealer Malware Infects macOS via Fake Browser Updates

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straight forward for Google. As we reported in July, 2024, the tech giant said that due to feedback from authorities and other stakeholders in advertising, Google was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

> “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt upgrade that would present users with the choice of being tracked or not. By third-party cookies that is.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

*   Operating System (OS): Windows, Android, iOS, etc.
*   Browser type and version
*   IP address
*   Installed browser plugins
*   Time zone
*   Language settings
*   …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

> “Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

**What can I do?**

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

*   However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
*   Or look for anti-fingerprinting tools in the form of browser extensions
*   Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
*   Keep your browser updated, so your old version will not give away your data
*   Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

Tag

#chrome