[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fz6skwGm2haUR1NgbW5q7cXFrtJYjrjXyaVBaucGA1vo":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"464ad79d-3a03-4dba-a424-9a4dab7d0568","Armored Likho Hits Government, Energy Sectors With BusySnake Stealer","armored-likho-hits-government-energy-sectors-with-busysnake-stealer-088740","Kaspersky details how the newly named Armored Likho APT uses BusySnake Stealer, AI-generated loaders, and phishing to target government and energy organizations.","Kaspersky has identified a new APT group, Armored Likho, targeting government and energy organizations in Russia, Kazakhstan, and Brazil. The group employs spear-phishing, AI-generated loaders, and the BusySnake Stealer malware to exfiltrate credentials, sensitive documents, and maintain long-term access. Researchers link Armored Likho to earlier activity involving AquilaRAT.","New APT group Armored Likho targets government and energy sectors with BusySnake Stealer.","Security Cyber Attacks MalwareArmored Likho Hits Government, Energy Sectors With BusySnake Stealer Kaspersky details how the newly named Armored Likho APT uses BusySnake Stealer, AI-generated loaders, and phishing to target government and energy organizations. byWaqasJuly 8, 20262 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening Cybersecurity researchers at Kaspersky have named a previously undocumented threat actor behind an ongoing spear-phishing operation targeting government agencies and electric power organizations in Russia, Kazakhstan, and Brazil. The group, which they call Armored Likho, is running an extensive malware toolkit built to steal credentials, sensitive documents, and other high-value data. The operation relies on a new Python-based infostealer that analysts call BusySnake, which steals credentials and sensitive files from compromised systems. Motivation Researchers believe that there are two motives for the group to run this campaign. One is financially motivated targeting private individuals, and the other is cyber-espionage aimed at organizations. Kaspersky did not attribute the group to any specific nation, but noted that the campaign appears focused on credential harvesting and maintaining long-term access in government and critical infrastructure environments. How The Attack Works The attack chain starts with spear-phishing messages, with lure themes ranging from official government notices to humanitarian aid applications and psychological tests. These emails contain malicious archive attachments that follow two main delivery patterns, including Nullsoft Scriptable Install System (NSIS)- built EXE droppers and malicious LNK shortcuts that abuse the way Windows handles .lnk parameters. Once a victim extracts and opens the attachment, both delivery paths lead to BusySnake Stealer being installed on the device. In the EXE route, the NSIS dropper launches a legitimate process and injects malicious loader code into it. In the LNK route, an obfuscated PowerShell command downloads and runs the loader. From there, the loader pulls the required Python components and the BusySnake payload from GitHub-hosted archives before setting up persistence. Stealing the Data Upon infection and taking control of a device, attackers immediately gain access to a vast amount of sensitive data. The malware actively logs clipboard contents, harvests browser cookies, pulls session tokens from Telegram, documents exfiltration, screenshot capture, scrapes two-factor authentication secrets, and searches for cryptocurrency wallets. The attackers also built reverse SSH tunneling into BusySnake, giving them a way to maintain remote access, manually inspect compromised systems, and pull out targeted files after infection. Using AI to Hide Tracks According to the company’s blog post, tracking the origins of these loaders has proven difficult because the hackers utilize AI to generate their initial malicious payloads. This automated approach changes the code structure enough to obscure the group’s normal habits and complicate attribution efforts. Previous Attacks Linked to Armored Likho Kaspersky says the campaign is linked to a newly named APT group it tracks as Armored Likho, also known as Eagle Werewolf, based on circumstantial evidence. Although the group is newly named in this report, researchers linked it to earlier activity involving AquilaRAT. For context, AquilaRAT and BusySnake Stealer share a similar structure. Both use comparable C2 endpoints to report task execution and register scheduled tasks that pose as legitimate Microsoft utilities. AquilaRAT uses MicrosoftOfficeUpdate, while BusySnake Stealer uses WindowsHelper. Kaspersky says the operation shows no sign of slowing down. At the time of writing, Armored Likho remains highly active, and despite the evolution of their malware variants and efforts to obfuscate their TTPs, Kaspersky continues to closely monitor the group’s footprint and detect new campaigns. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts AIArmored LikhoBrazilBusySnake StealerCyber AttackCybersecurityKazakhstanMalwarePhishingRussiaScam Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security iPhone Bug in Newly Released iOS 12.0.1 Gives Access To Your Photos An iOS user Jose Rodriguez, who discovered a passcode bypass related flaw in iOS 12 last month, has… byWaqas Read More Security Cyber Attacks Jeep and Dodge Parent Company Stellantis Confirms Customer Data Breach Stellantis, parent of Jeep, Chrysler, Dodge and FIAT, confirms data breach through third-party vendor. Contact info exposed, financial data not affected. byWaqas Read More Hacking News Phishing Scam Security Reddit Hacked After Employee Bites on Phishing Scam According to Reddit, the breach took place after one of its employees fell for a phishing scam email sent through a malicious fake website. byDeeba Ahmed Read More Social Media Security 10-year-old Kid Hacks Instagram, Gets $10,000 Reward from Facebook A 10-year-old kid from Finland found a bug allowing access to Instagram servers and delete any text posted… byWaqas","https:\u002F\u002Fhackread.com\u002Farmored-likho-government-energy-busysnake-stealer\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002Farmored-likho-government-energy-busysnake-stealer.jpg","2026-07-08T14:29:23+00:00","2026-07-08T16:00:29.076955+00:00",8,[18,21,23,26],{"name":19,"type":20},"Armored Likho","threat_actor",{"name":22,"type":20},"Eagle Werewolf",{"name":24,"type":25},"Kaspersky","vendor",{"name":27,"type":28},"AI","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":29,"icon":31,"name":32,"slug":33},null,"Nation-state","nation-state",[35,40,42,47],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":41},{"id":29,"icon":31,"name":32,"slug":33},{"category":43},{"id":44,"icon":31,"name":45,"slug":46},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":48},{"id":49,"icon":31,"name":50,"slug":51},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[53,56,59,63,66,69,72,75,78,81,84,87,90,93,96],{"type":46,"value":54,"context":55},"BusySnake Stealer","Python-based infostealer used by Armored Likho.",{"type":46,"value":57,"context":58},"AquilaRAT","Previously linked malware sharing similarities with BusySnake Stealer.",{"type":60,"value":61,"context":62},"mitre_attack","T1059.001","PowerShell used in the LNK delivery path.",{"type":60,"value":64,"context":65},"T1071.001","Web Protocols (HTTP\u002FHTTPS) used for C2 communication.",{"type":60,"value":67,"context":68},"T1574.002","DLL Side-Loading (implied by code injection).",{"type":60,"value":70,"context":71},"T1055.001","Process Injection used in the EXE dropper route.",{"type":60,"value":73,"context":74},"T1041","Exfiltration Over C2 Channel.",{"type":60,"value":76,"context":77},"T1555","Credentials from Password Stores (browser cookies, session tokens).",{"type":60,"value":79,"context":80},"T1056.001","Keylogging (clipboard content logging).",{"type":60,"value":82,"context":83},"T1113","Screen Capture.",{"type":60,"value":85,"context":86},"T1530","Data from Local System (documents, crypto wallets).",{"type":60,"value":88,"context":89},"T1572","Protocol Tunneling (reverse SSH tunneling).",{"type":60,"value":91,"context":92},"T1070.004","File Deletion (implied by malware operation).",{"type":60,"value":94,"context":95},"T1070.003","Clear Windows Event Logs (potential for persistence\u002Fevasion).",{"type":60,"value":97,"context":98},"T1053.005","Scheduled Task\u002FJob (posing as legitimate Microsoft utilities)."]