Armored Likho Seen Targeting Government and Energy Organizations with BusySnake Stealer
Researchers have linked a previously unreported threat group, known as Armored Likho, to cyberattacks against government agencies and electric power organizations in Russia, Brazil, and Kazakhstan. Se...
Researchers have linked a previously unreported threat group, known as Armored Likho, to cyberattacks against government agencies and electric power organizations in Russia, Brazil, and Kazakhstan. Security analysts say the operation combines espionage with financially motivated activity and relies on a mix of obfuscated remote-access tools and information-stealing malware designed to evade detection.
The campaign has been associated with a Python-based stealer called BusySnake, which targets Windows systems. Kaspersky reported that the malware is built to stay hidden, communicate with a command-and-control server, and then wait for instructions. The toolset used in the attacks also includes Go2Tunnel, a utility that helps attackers create reverse SSH tunnels and maintain access to compromised systems.
According to the findings, the initial infection often begins with spear-phishing emails that use official-looking themes such as government notices or social programs. Victims are tricked into opening a RAR archive that contains executable files acting as droppers for further payloads, including the stealer hosted on GitHub. In some cases, the attackers use Windows shortcut files to trigger a patched Windows vulnerability that can lead to remote code execution.
Once inside a system, the malware establishes persistence with scheduled tasks and VBScript files, while also attempting to erase traces of the first stage of the infection. BusySnake can collect clipboard contents, take screenshots, log keystrokes, and steal browser cookies and passwords from Chromium-based browsers and Firefox. It can also gather Telegram data, cryptocurrency wallet files, and documents stored on the machine.
Key observations
- Targets include public-sector and power-related organizations.
- BusySnake is designed to evade analysis and support multiple data theft functions.
- The malware can deploy remote desktop software such as RustDesk and capture login attempts.
- Researchers noted overlap with activity tracked as Eagle Werewolf by BI.ZONE.
Kaspersky said newer samples of BusySnake add a task-management system that tracks command status as tasks move through the malware pipeline. The company also suggested that some of the first-stage code may have been produced with help from AI tools, based on repetitive comments and code patterns.
