Armored Likho Targets Government Agencies And Energy Sector With BusySnake Stealer Campaign

A newly identified cyber threat actor tracked as Armored Likho has been linked to a series of attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. Security researchers report that the group operates with a hybrid approach, combining financially motivated campaigns against individuals with cyber espionage operations directed at organizations. According to analysis published by Kaspersky, Armored Likho uses a collection of obfuscated and modular remote access trojans and infostealers designed to evade dynamic analysis and maintain long-term access to compromised systems. The actor’s toolkit includes multiple components that allow credential theft, data exfiltration, and the delivery of additional payloads depending on the victim profile, making the group adaptable across different targeting scenarios.

Researchers noted that Armored Likho relies heavily on tools such as Go2Tunnel for remote access and network tunneling, enabling persistent communication between compromised systems and command and control infrastructure. This capability allows the group to maintain long-term footholds inside infected environments while dynamically deploying modules based on operational requirements. Security vendor BI.ZONE has identified possible overlaps between Armored Likho and another threat cluster known as Eagle Werewolf, which has been active since May 2023 and has previously targeted government and defense organizations involved in unmanned aerial vehicle development and manufacturing. That group has been observed using remote access trojans, droppers, and SSH tunneling tools to establish persistence and control over victim networks, sometimes distributing malware through compromised Telegram channels. BI.ZONE also reported instances where the group combined espionage activity with financially motivated operations, indicating a mixed objective model.

The latest campaign associated with Armored Likho introduces a previously undocumented Python-based infostealer named BusySnake Stealer, which primarily targets Windows systems. One variant of the malware includes a module designed to extract cookies from web browsers, while the broader family supports extensive data theft and remote command execution capabilities. The initial infection vector begins with spear phishing emails that contain lures related to official government notifications or social programs. These messages distribute RAR archives containing executable files that act as droppers for additional payloads retrieved from GitHub repositories, including the BusySnake Stealer itself. The dropper also creates Visual Basic Script files used to erase traces of execution and to launch the stealer through scheduled tasks, establishing persistence on the infected system.

Alternative infection chains observed in the campaign utilize Windows shortcut files instead of executable payloads, leveraging a now-patched vulnerability in Windows shortcut handling tracked as CVE-2025-9491, also known as ZDI-CAN-25373. This flaw, which had been exploited by multiple threat groups since 2017 before being addressed by Microsoft in the November 2025 Patch Tuesday updates, is used to trigger obfuscated PowerShell commands that execute loaders and display decoy documents while preparing the environment for malware deployment. Once active, BusySnake Stealer establishes communication with command and control servers and awaits instructions, enabling a wide range of malicious functions including clipboard data theft, system file enumeration, document exfiltration, screenshot capture, and archival of collected data. The malware also ensures persistence through scheduled tasks and VBScript mechanisms while preventing multiple instances from running concurrently on infected machines.

BusySnake Stealer further supports advanced operational commands issued by its command and control infrastructure, allowing attackers to capture screenshots at defined intervals, log keystrokes, collect cryptocurrency wallet files, extract Telegram session data, and establish reverse SSH tunnels using Go2Tunnel. It can also install remote access software such as RustDesk and extract browser cookies and saved credentials from Chromium- and Firefox-based browsers. In cases where RustDesk is already installed, the malware launches the application and prompts users for credentials before capturing screenshots of the input and exfiltrating them to external servers. Kaspersky noted that the malware decrypts its bytecode only during execution and immediately re-encrypts it afterward, while also running without visible console windows due to its PYW file format. Researchers also observed newer versions introducing task management structures that classify operations as scheduled, in progress, succeeded, or failed to improve coordination with command infrastructure. The campaign reflects increasing technical sophistication, tool evolution, and possible influence of automated code generation techniques, with Armored Likho continuously refining its malware ecosystem and integrating tunneling capabilities directly into its stealer framework.
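The behaviours reported above give defenders several telemetry pivots: a scheduled task whose action is a VBScript or windowless Python (.pyw) file in a user-writable directory, PowerShell launched from a shortcut in Explorer with an encoded command line, a VBScript launcher run from %AppData%, and a Python interpreter spawning tunneling or remote access tools such as Go2Tunnel, SSH or RustDesk. The following is an added triage script, not code from the article or from Kaspersky or BI.ZONE; the event records are constructed for illustration in a simplified Sysmon-style field layout (`event`, `image`, `parent_image`, `command_line`, `task_action`), and the rule names and path patterns are the author's own assumptions rather than published indicators.

```python
import json
import re
from dataclasses import dataclass

# Paths an ordinary user can write to; droppers stage scripts and payloads here
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# File types in the reported persistence chain: VBScript launcher, windowless Python
SCRIPT_EXT = re.compile(r"\.(?:pyw|vbs)\b", re.IGNORECASE)
# -EncodedCommand (or its short forms) followed by a long base64 blob
ENCODED_PS = re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
# Access and tunnelling tools the stealer is reported to deploy (substring match on image)
FOLLOW_ON_TOOLS = ("ssh.exe", "go2tunnel", "rustdesk")


@dataclass
class Finding:
    rule: str
    detail: str


def check_event(ev: dict) -> list:
    """Return the findings a single event triggers (possibly none)."""
    hits = []
    kind = ev.get("event")
    if kind == "task_created":
        action = ev.get("task_action", "")
        if SCRIPT_EXT.search(action) and USER_WRITABLE.search(action):
            hits.append(Finding("persistence_task_runs_user_script",
                                f"task {ev.get('task_name')!r} runs {action}"))
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "")
        # Shortcut opened in Explorer -> PowerShell carrying an encoded payload
        if image.endswith("powershell.exe") and parent.endswith("explorer.exe") and ENCODED_PS.search(cmd):
            hits.append(Finding("lnk_to_encoded_powershell", f"explorer.exe spawned: {cmd}"))
        # VBScript launcher executed from a user-writable directory
        if image.endswith("wscript.exe") and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append(Finding("vbscript_launcher_user_dir", cmd))
        # Python interpreter spawning remote access / tunnelling tools
        if parent.endswith(("pythonw.exe", "python.exe")) and any(t in image for t in FOLLOW_ON_TOOLS):
            hits.append(Finding("python_spawns_access_tool", f"{parent} -> {image}"))
    return hits


def triage(events) -> list:
    """Run every rule over an iterable of event dicts, preserving event order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


def triage_jsonl(lines) -> list:
    """Same as triage() for a JSONL export: one JSON object per non-empty line."""
    return triage(json.loads(line) for line in lines if line.strip())


# CONSTRUCTED sample telemetry: four records modelled on the reported chain,
# followed by two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"event": "task_created", "task_name": "SystemUpdateCheck",
     "task_action": r"C:\Windows\System32\wscript.exe C:\Users\alice\AppData\Roaming\update.vbs"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -enc " + "QUJDRA" * 10},  # placeholder base64
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\go2tunnel.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe",
     "command_line": "go2tunnel.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"wscript.exe //B C:\Users\alice\AppData\Roaming\update.vbs"},
    {"event": "task_created", "task_name": "VendorBackup",
     "task_action": r"C:\Program Files\Vendor\backup.exe --nightly"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\report.ps1"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule is a coarse heuristic chosen because it keys on a behaviour the article describes rather than on a file hash or domain, so it survives the tool evolution the researchers report; in a real deployment the user-writable path list and the tool substrings would be tuned against the environment's baseline, and the explorer.exe to PowerShell rule in particular needs an allow-list for administrators who launch encoded scripts from shortcuts.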
