[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fK8JfsGH_idC8tLnBaL3qAAPe37HDixV2J7DZLsGZgFI":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"0054c353-fa25-4d13-92ee-db476f9012ec","Armored Likho APT Targeting Government, Electric Power Entities","armored-likho-apt-targeting-government-electric-power-entities-97f22e","The threat actor uses modular RATs and information stealers in financially motivated and cyber espionage campaigns. The post Armored Likho APT Targeting Government, Electric Power Entities appeared first on SecurityWeek.","Kaspersky identified Armored Likho, an advanced persistent threat actor conducting both financially motivated attacks and cyber-espionage operations against government and electric power organizations in Russia, Brazil, and Kazakhstan. The group employs a modular malware arsenal including the Python-based BusySnake Stealer, Go2Tunnel for remote access, and AquilaRAT, delivered primarily through spear-phishing with weaponized archives and LNK files. The malware stack offers credential theft, persistent remote access, browser password extraction, OTP key scraping, and cryptocurrency wallet discovery, with operations overlapping with Eagle Werewolf activity.","Armored Likho APT targets government and power entities with modular RATs and stealers across Russia, Brazil,","A recently discovered advanced persistent threat (APT) actor has been targeting government and electric power organizations in multiple countries, Kaspersky reports. Dubbed Armored Likho, the APT engages both in financially motivated attacks against individuals and in cyber-espionage operations against organizations in Russia, Brazil, and Kazakhstan. The threat actor’s arsenal includes modular remote access trojans (RATs) and information stealers, including the Python-based BusySnake Stealer, and tools like Go2Tunnel for remote access and network tunneling. “This diverse malware stack enables the threat actor to maintain stealthy control of compromised hosts, exfiltrate credentials and other sensitive information, and dynamically deploy downloadable modules tailored to the victim’s profile and the tasks at hand,” Kaspersky notes. Armored Likho mainly relies on spear-phishing for initial access. Archives attached to its emails contain executables or LNK files that, once opened, display decoys while malware is being installed in the background. A loader injected in memory via such an executable was seen fetching archives from GitHub repositories that contain early development builds and test samples of the malware. The LNK files display a fake document while a Python 3.12 interpreter and an archive are fetched in the background.Advertisement. Scroll to continue reading. Among other components, the archives contain a Python-based infostealer that Kaspersky tracks as BusySnake Stealer. The malware packs multiple evasion techniques and dynamically decrypts bytecode when a function is called, encrypting it immediately after, and runs in the background without a console window. The stealer relies on multiple handlers for various functions, such as clipboard theft, file enumeration, 64-character hexadecimal key extraction, document exfiltration, screenshot capture, screenshot archiving, persistence checks, and command execution. Based on commands received from the command-and-control (C&C) server, the malware can capture screenshots, exfiltrate logged keystroke data, decrypt stored passwords from Chromium-based and Firefox browsers, extract cookies from browsers, scrape the machine for OTP keys, find cryptocurrency wallets, harvest Telegram sessions and credentials, establish a reverse SSH tunnel, and restart RustDesk to capture users’ credentials. Before BusySnake Stealer, Armored Likho relied on Go2Tunnel to establish a reverse SSH tunnel, but has implemented the functionality into the infostealer, which can now provide the attackers with persistent remote access and interactive control over the victim’s system. Armored Likho’s operations appear to overlap with Eagle Werewolf activity. Previously, the hacking group was seen using the AquilaRAT RAT, which shares a similar structure and persistence mechanism with BusySnake Stealer. Related: Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets Related: New ‘Mistic’ RAT Opens Door to Several Ransomware Families Related: Hackers Target Global Stock Exchange in Espionage Operation Related: Sophisticated Deep#Door Backdoor Enables Espionage, Disruption Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Google, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of DevicesCritical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code ExecutionNew CitrixBleed Vulnerability Exploited Immediately After Public DisclosureFortiBleed Campaign Linked to INC, Lynx Ransomware AttacksCisco Confirms In-the-Wild Exploitation of Unified CM Vulnerability‘BioShocking’ Attack Tricks AI Browsers Into Stealing CredentialsCISA Warns of Actively Exploited Microsoft SharePoint VulnerabilityMicrosoft Adds New Teams Controls to Block Unauthorized AI Bots From Meetings Latest News The Shift Toward Business-Aligned Risk ManagementNorth Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsIn Other News: Canadian Hacker Jailed, Open Source Zero-Days, Two Sentenced for ATM JackpottingAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to US Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Farmored-likho-apt-targeting-government-electric-power-entities\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F01\u002FCybersecurity_News-SecurityWeek.jpg","2026-07-06T15:10:39+00:00","2026-07-06T16:00:29.265273+00:00",9,[18,21,23,26,29],{"name":19,"type":20},"Armored Likho","threat_actor",{"name":22,"type":20},"Eagle Werewolf",{"name":24,"type":25},"Kaspersky","vendor",{"name":27,"type":28},"Python 3.12","technology",{"name":30,"type":28},"RustDesk","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":31,"icon":33,"name":34,"slug":35},null,"Nation-state","nation-state",[37,42],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[48,51,54],{"type":41,"value":49,"context":50},"BusySnake Stealer","Python-based information stealer with evasion techniques, deployed by Armored Likho",{"type":41,"value":52,"context":53},"Go2Tunnel","Remote access and network tunneling tool used by Armored Likho for reverse SSH tunnels",{"type":41,"value":55,"context":56},"AquilaRAT","Remote access trojan previously used by Armored Likho; shares structure and persistence mechanisms with BusySnake Stealer"]