Tuesday, April 15, 2025
HomeCyber AttackLikho Hackers Using MeshCentral For Remotely Managing Victim Systems

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

Published on

SIEM as a Service

Follow Us on Google News

The Awaken Likho APT group launched a new campaign in June of 2024 with the intention of targeting Russian government agencies and businesses by targeting them.

The group has abandoned its previous use of the UltraVNC module for remote access and adopted the MeshCentral agent instead, which highlights its adaptability and continuous efforts to evade detection and maintain its operations.

The newly identified implant, detected in September 2024, exhibits a significant departure from the group’s previous tactics.

- Advertisement - Google News

While the implant was likely delivered via phishing emails, it deviates from the typical use of Golang droppers and self-extracting archives.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

It utilizes MeshAgent, an open-source remote device management solution, to establish and maintain control over infected systems, marking a shift from the previously used UltraVNC module, which was first observed in August 2024.

Implant archive contents

The analysis revealed that the implant is distributed in a self-extracting archive packed with UPX and created using 7-Zip.

The archive contains several files, including a CMD file with a randomly generated name and a compiled AutoIt script. 

Where the CMD file is used to launch NetworkDrivers.exe and nKka9a82kjn8KJHA9.cmd, ensuring persistence in the system.

After being deobfuscated, the AutoIt script was found to be responsible for launching these executables with specific parameters.

Extracted AutoIt script

The attackers initially launched a legitimate remote administration tool, NetworkDrivers.exe, to establish a foothold in the victim’s system.

Subsequently, they executed a heavily obfuscated batch file, nKka9a82kjn8KJHA9.cmd, which created a scheduled task named MicrosoftEdgeUpdateTaskMachineMS. 

It was designed to run a malicious script, EdgeBrowser.cmd, and then delete incriminating files like MicrosoftStores.exe, thereby hindering detection and analysis of the attack.

Part of the obfuscated contents of nKka9a82kjn8KJHA9.cmd

They also leveraged a legitimate MeshCentral platform to establish a persistent presence on the compromised system by creating a scheduled task that executed a malicious command file, which in turn launched the MeshAgent agent. 

This agent, configured with specific parameters to connect to the C2 server, facilitated communication and control over the infected system.

The attackers’ use of MeshCentral allowed them to interact with the compromised device remotely and potentially execute further malicious actions.

MeshCentral platform login interface

According to Secure List, the APT group Awaken Likho, known for its increased activity since the Russo-Ukrainian conflict, has recently executed a cyberattack targeting Russian government agencies, contractors, and industrial enterprises. 

The analyzed implant, a newer version of their malware, indicates their ongoing development and potential for future attacks and underscores the need for robust cybersecurity solutions to safeguard corporate resources against evolving threats.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Paragon Hard Disk Manager Flaw Enables Privilege Escalation and DoS Attacks

Paragon Software’s widely used Hard Disk Manager (HDM) product line has been found to contain five...

Hertz Data Breach Exposes Customer Personal Information to Hackers

The Hertz Corporation has confirmed that sensitive personal information belonging to customers of its...

The Future of Authentication: Moving Beyond Passwords

Traditional passwords have been the cornerstone of digital security for six decades, but their...

CentreStack 0-Day Exploit Enables Remote Code Execution on Web Servers

A critical 0-day vulnerability has been disclosed in CentreStack, a popular enterprise cloud storage...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Paragon Hard Disk Manager Flaw Enables Privilege Escalation and DoS Attacks

Paragon Software’s widely used Hard Disk Manager (HDM) product line has been found to contain five...

Hertz Data Breach Exposes Customer Personal Information to Hackers

The Hertz Corporation has confirmed that sensitive personal information belonging to customers of its...

The Future of Authentication: Moving Beyond Passwords

Traditional passwords have been the cornerstone of digital security for six decades, but their...