An analysis of the Awaken Likho APT group's implant shows the group's shift from UltraVNC to MeshCentral for remote access, using a new implant delivered via phishing emails. The implant uses an AutoIt script to establish persistence on the system and unpacks files disguised as system services, leading to the execution of MeshAgent, which connects to the MeshCentral server. The new variant of the malware, discovered in September 2024, is identified through indicators of compromise such as MD5 and SHA256 hashes, and targets Russian government agencies and industrial enterprises.

Awaken Likho APT group implant analysis revealing new tools and techniques

The group has intensified its activities in the wake of the conflict between Russia and Ukraine, which underscores the need for a security solution that keeps evolving as threats do.
https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/