BusySnake-Linked Armored Likho Reported Inside Government and Power Networks

Security researchers say a threat group they track as Armored Likho has obtained access to organizations in several countries, including government agencies and electrical power entities in Russia, Br...

Security researchers say a threat group they track as Armored Likho has obtained access to organizations in several countries, including government agencies and electrical power entities in Russia, Brazil, and Kazakhstan.

The activity is notable because it points to intrusions affecting critical infrastructure and public-sector targets, both of which can be attractive to attackers seeking credentials, internal visibility, or a long-term foothold inside sensitive environments. While the reporting is limited, the finding suggests the campaign has reached beyond ordinary corporate networks and into sectors with potential operational and national-security impact.

Armored Likho is being discussed in the context of BusySnake, an infostealer family associated with stealing information from compromised systems. Infostealer operations often focus on collecting usernames, passwords, browser data, and other material that can be reused to move deeper into a network or access cloud services and internal applications.

What researchers say

  • Government organizations were among the reported targets.
  • Electrical power entities were also affected.
  • Observed activity spanned Russia, Brazil, and Kazakhstan.

At this stage, the available details are sparse, and researchers have not publicly described the full scope of the compromise or whether the intrusions led to disruption. Even so, the presence of a threat group inside these environments highlights the continuing pressure on critical infrastructure operators and the need for strong identity protection, endpoint monitoring, and rapid detection of suspicious access.

For defenders, infostealer-driven intrusions are particularly concerning because they can begin quietly and then enable follow-on activity such as account takeover, internal reconnaissance, and lateral movement. Organizations in sectors like energy and government often face extra challenges because they manage large networks, legacy systems, and a wide range of user access patterns.

As more information emerges, analysts will likely focus on how Armored Likho gained entry, what data may have been exposed, and whether the campaign is part of a broader wave of attacks against infrastructure-related targets.