[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQUS9BgGcF4ESbztwr_WcIORa_F5PFFL67WVE4rqVxM8":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"943a6276-8779-436c-b030-11c38ba1a41b","Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign","armored-likho-digging-a-snake-pit-inside-the-covert-busysnake-stealer-campaign-6af4e2","An inside look at the active Armored Likho APT campaign. The attackers are using spear-phishing, AI-generated loaders, and a new Python-based tool, BusySnake Stealer, to target organizations in Russia, Kazakhstan, and Brazil.","A new APT group, Armored Likho, is conducting covert campaigns targeting government and electric power sectors in Russia, Brazil, and Kazakhstan. They employ spear-phishing with AI-generated loaders and a new Python-based infostealer called BusySnake Stealer, which targets credentials and cookies from browsers. The group also uses tools like Go2Tunnel for network tunneling and exhibits evolving tactics to evade security solutions.","Armored Likho APT uses AI-generated loaders and BusySnake Stealer against Russia, Brazil, and Kazakhstan.","Introduction During our routine threat monitoring, we uncovered a new phishing campaign tied to a previously unknown APT group that we dubbed Armored Likho (also known as Eagle Werewolf based on circumstantial evidence). 
This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor. Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber-espionage aimed at organizations. Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis. Alongside these, they leverage simpler tools like Go2Tunnel for remote access and network tunneling. This diverse malware stack enables the threat actor to maintain stealthy control of compromised hosts, exfiltrate credentials and other sensitive information, and dynamically deploy downloadable modules tailored to the victim’s profile and the tasks at hand. Key campaign highlights: The group is leveraging a previously undocumented tool dubbed BusySnake Stealer. This Python-based infostealer is designed to target Windows systems. We discovered multiple versions of the malware, along with an additional module dedicated to stealing cookies. The first-stage malicious payload, consisting of loaders and stagers, was generated using AI, which blurs the attackers’ TTPs and complicates attribution efforts. This campaign highlights several concurrent trends: the growing technical maturity of Armored Likho, tool polymorphism, and a shift toward more complex schemes aimed at bypassing security solutions — ranging from Python source code obfuscation to embedding network mechanisms directly into the malware code. In this post, we’ll dissect the campaign that remains active at the time of publication, as well as the toolkit utilized by the attackers. Initial infection vector Phishing remains one of the primary initial access vectors that this threat actor heavily relies on in its latest campaigns. Armored Likho uses spear-phishing emails, with themes ranging from official government notices to social programs. 
In their most recent campaign, the attackers distributed malicious attachments inside archive files with names such as 1bfb2e79-8084-429e-a35c-8b595ab9f839_psihologicheskiy_test.zip (psychological test) or zayavka_gumanitarnayapomosch.rar (humanitarian aid application). These archives contained executables or LNK files named to mimic the email themes, tricking users into executing them on their devices. Below, we break down several variants of how they achieve initial access. EXE attachment In one attack variant, the archive contains a dropper named psihologicheskiy_test.exe, which is a self-extracting archive built using the Nullsoft Scriptable Install System (NSIS). When the victim opens the file, a decoy application launches to disarm suspicion by presenting a fake psychological survey. While we have observed similar droppers in the group’s previous campaigns, those earlier versions were written in Rust. Once executed, the dropper writes a legitimate executable, $temp\\nsn5531.tmp\\pnx.exe, to disk and launches it. Code is then injected into the pnx.exe process memory to execute a malicious loader. This loader, in turn, fetches several archives hosted in GitHub repositories. Our analysis of these repositories uncovered early development builds and test samples of the malware. Data release in the repository is automated, allowing for rapid rotation of both payloads and the repositories themselves. Payload repository example The downloaded archives are extracted into the $appdata\\WindowsHelper directory. This serves as the malware’s working directory, where all subsequent components of the attack are staged and executed. 
The fetched package contains the following components: The primary payload: a stealer named module.pyw The runtime directory with the components of the PyArmor execution environment A Python 3.12 interpreter The get-pip.py script: used to install the pip package manager and fetch required dependencies Once executed, the script installs pip and pulls down the core dependencies required for the payload to run. With all dependencies in place, the malware creates two VBScript files in the same $appdata\\WindowsHelper directory. The first, wh_selfdelete.vbs, is used to wipe the initial pnx.exe loader from the system: Loader removal script The second script, run.vbs, is designed to execute module.pyw and is used to ensure persistence on the system by creating a scheduled task: Persistence script This task ensures that the payload, BusySnake Stealer, is executed every five minutes. LNK attachment In alternate campaigns, the archive contains a file named Zayavka_[redacted].lnk. The group leveraged the ZDI-CAN-25373 shortcut vulnerability to conceal the contents of their command line. This flaw allows the attackers to use spaces or line breaks to hide execution parameters. Consequently, when the user runs the malicious LNK file, it triggers the following obfuscated command: Obfuscated PowerShell command This, in turn, spawns a PowerShell command that downloads and executes the malicious loader: Downloading and executing the loader Upon execution, the loader downloads and opens a decoy DOCX document. We have observed various decoy themes, ranging from humanitarian aid requests to debt clearance certificates. Decoy documents Once the decoy is displayed, the loader initializes the environment variables required to stage the next phase, including URL paths, installation directories, and required library manifests. While we observed variations across different first-stage payload samples, their core functionality remains identical. 
Variable initialization example in loader code Next, the loader fetches a Python 3.12 interpreter (python.zip), the get-pip.py script, and a data.zip archive containing the module.pyw payload. From this point, mirroring the first infection vector, the malware installs its dependencies and establishes persistence through a combination of a VBScript file and a scheduled task. Example of downloading and installing Python and the pip package manager As shown in the screenshots, the loader’s source code contains verbose comments and bullet-point emojis. This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads. Ultimately, both infection vectors lead to the execution of the primary payload, which we break down in detail below. BusySnake Stealer The primary payload in this campaign is a previously undocumented, Python-based infostealer that we have dubbed BusySnake Stealer. The stealer’s source code implements multiple evasion techniques designed to thwart detection and complicate static analysis. Specifically, the BusySnake Stealer code is obfuscated and encrypted using PyArmor Pro version 9.2.0. The malware dynamically decrypts its bytecode only at the exact moment a function is called, re-encrypting the data immediately afterward. Additionally, the malware runs in the background without spawning a console window, as indicated by its PYW file extension. During our analysis, we successfully stripped the protector and disassembled the executable functions. Below, we break down the stealer’s configuration and core functionality. Before executing its main routines, the malware initializes its configuration file. 
It contains the C2 server address, directory paths, regular ","https:\u002F\u002Fsecurelist.com\u002Ftr\u002Farmored-likho-apt-with-busysnake-stealer\u002F120292\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F06\u002F30105924\u002Farmored-likho-busysnake-featured-image-scaled-1.jpg","2026-07-03T10:00:33+00:00","2026-07-03T12:00:21.523568+00:00",9,[18,21,24,27],{"name":19,"type":20},"Armored Likho","threat_actor",{"name":22,"type":23},"Go2Tunnel","product",{"name":25,"type":26},"Python","technology",{"name":28,"type":26},"AI","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":29,"icon":31,"name":32,"slug":33},null,"Threat Intelligence","threat-intelligence",[35,40,45,50],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":46},{"id":47,"icon":31,"name":48,"slug":49},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":51},{"id":29,"icon":31,"name":32,"slug":33},[53,56],{"type":49,"value":54,"context":55},"BusySnake Stealer","Python-based infostealer used by Armored Likho APT.",{"type":49,"value":22,"context":57},"Tool used for remote access and network tunneling by Armored Likho APT."]