Armored Likho Exploits Global Targets with BusySnake Stealer

"Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations," Kaspersky said in a technical analysis published today.

That assessment frames a newly documented set of intrusions Kaspersky attributes to a threat actor it calls Armored Likho. The vendor says the group has mounted operations against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan, while mixing opportunistic theft from individuals with targeted reconnaissance and data collection on organizations.

Armored Likho's geographic and sectoral focus: Russia, Brazil, Kazakhstan and the electric power sector

Kaspersky's analysis links incidents in three countries to the same actor and toolkit. The victim set explicitly includes government agencies and organizations in the electric power sector. Kaspersky also reports that the campaign spans both espionage-focused intrusions and financially motivated campaigns aimed at private victims.

BusySnake Stealer: capabilities, architecture, and evasion

Kaspersky identified a previously unreported Python-based information stealer named BusySnake targeting Windows systems. One version contains a module to extract cookies from web browsers. BusySnake's known capabilities include stealing clipboard data; enumerating files and logging metadata to a local database; uploading documents to a command-and-control (C2) server; capturing and archiving screenshots; and preventing multiple concurrent instances. The stealer checks for a scheduled task and, if absent, drops a Visual Basic Script (VBScript) to register persistence.

The malware is engineered to complicate analysis: it dynamically decrypts bytecode only when a function is invoked, then re-encrypts it immediately. Kaspersky notes BusySnake runs in the background without spawning a console window and is delivered as a PYW file. A newer BusySnake iteration adds a task‑management framework that assigns operational statuses such as SCHEDULED, IN_PROGRESS, SUCCEEDED, or FAILED to C2-issued jobs, improving reporting back to the server.

Attack chains: spear‑phishing, GitHub droppers, and CVE‑2025‑9491

Kaspersky describes the typical starting point as a spear‑phishing email using lures tied to official government notices or social programs. The email delivers a RAR archive containing EXE binaries that act as droppers. Those droppers retrieve additional payloads — including the stealer — from a GitHub repository, create two VBScript files to erase traces of execution and to launch the stealer via a scheduled task, and thus establish persistence.

Alternate chains use malicious Windows shortcuts (LNK) that exploit a now‑patched vulnerability in Windows shortcut handling tracked as CVE-2025-9491 (ZDI‑CAN‑25373). Microsoft fixed the flaw in Patch Tuesday updates for November 2025. Kaspersky documents an attack where the vulnerability triggers an obfuscated PowerShell command that runs a loader to display a decoy document and prepares the environment for the Python stealer; persistence is again achieved through VBScript and scheduled tasks.

Toolset overlaps: Go2Tunnel, RustDesk, AquilaRAT, and ties to Eagle Werewolf

The campaign uses a varied toolset. Armored Likho operators have employed Go2Tunnel for remote access and network tunneling; Kaspersky reports that reverse‑tunneling functionality previously offered by Go2Tunnel has been integrated directly into BusySnake so it can ingest parameters from the C2 server. The stealer can also instruct a victim machine to install or start RustDesk: when RustDesk is present, the stealer prompts the victim for credentials, captures a screenshot of the entered credentials, and exfiltrates the image.

Kaspersky notes overlaps between BusySnake and a cluster tracked by BI.ZONE under the moniker Eagle Werewolf, active since May 2023. BI.ZONE reported that Eagle Werewolf has targeted government and defense organizations, especially those involved in UAV development, using droppers, RATs, and SSH tunneling utilities. BI.ZONE also warned that "Threat actors may use compromised Telegram channels to distribute the malware" and that the group's primary motivation is cyber espionage, with some campaigns aimed at stealing funds.

In February 2026 BI.ZONE observed Eagle Werewolf distributing AquilaRAT via a Rust dropper disguised as a Starlink activation checklist; that operation likewise used Go2Tunnel to form a reverse SSH tunnel to a C2 server using a private key. Kaspersky highlights similarities in how AquilaRAT and BusySnake receive tasks from C2 servers, register persistence through scheduled tasks, and use similar C2 endpoints.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: monitor for scheduled tasks created by VBScripts, PYW files running in background processes, unusual reverse‑SSH tunnels and Go2Tunnel activity, and unexpected RustDesk prompts for credentials. Investigate GitHub repositories used as payload hosts and examine LNK handling for remnants related to CVE‑2025‑9491 exploitation.
  • Policymakers and regulators: note the cross‑border footprint (Russia, Brazil, Kazakhstan), the mix of espionage and financially motivated objectives, and that the actor's origins remain unknown; these factors may inform incident reporting expectations and cross‑jurisdictional cooperation.
  • End users and administrators: be wary of spear‑phishing messages invoking government notices or social programs, do not enable macros or run unexpected EXE/LNK attachments from RAR archives, and treat RustDesk credential prompts as a potential indicator of active compromise.
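The first bullet above suggests hunting for scheduled tasks that launch VBScripts or background Python (.pyw) payloads. The following Python script is an added defender-side example, not code from the Kaspersky report or from this article: it parses exported Task Scheduler XML (the standard `schtasks /query /xml` format) and flags Exec actions whose script host or command line matches that persistence pattern. The heuristics and both sample tasks are constructed assumptions for illustration.

```python
"""Flag exported Task Scheduler XML whose actions launch a VBScript or a
Python .pyw payload, the persistence pattern described above.  The task XML
below is constructed for this example, not taken from the Kaspersky report."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed defender-side heuristics: script hosts and file extensions used in
# the VBScript -> scheduled task -> .pyw chain the article describes.
SUSPICIOUS_HOST = re.compile(r"^(wscript|cscript|python|pythonw)(\.exe)?$", re.I)
SUSPICIOUS_FILE = re.compile(r"\.(vbs|pyw?)(?=\W|$)", re.I)

# Constructed sample: two Exec actions mimicking the described persistence.
SAMPLE_SUSPICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B "C:\Users\Public\launch.vbs"</Arguments></Exec>
    <Exec><Command>C:\Users\Public\update.pyw</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
SAMPLE_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c echo ok</Arguments></Exec></Actions>
</Task>"""


def find_suspicious_actions(task_xml: str) -> list:
    """Return (command, arguments, reason) for every Exec action matching a heuristic."""
    root = ET.fromstring(task_xml)
    findings = []
    for node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (node.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        host = cmd.replace("\\", "/").rsplit("/", 1)[-1]  # basename of the command
        reasons = []
        if SUSPICIOUS_HOST.match(host):
            reasons.append(f"script host {host}")
        if SUSPICIOUS_FILE.search(args) or SUSPICIOUS_FILE.search(host):
            reasons.append("VBScript/Python file in command line")
        if reasons:
            findings.append((cmd, args, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, find_suspicious_actions(xml))
```

In practice, feed the function the XML of each task exported from the hosts under review and triage the hits against known-good automation; a legitimate Python scheduled job will also match and needs an allowlist.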

Kaspersky summarizes the campaign as showing "growing technical maturity," with tool polymorphism, deeper integration of tunneling into malware, and signs that AI might have assisted in generating first‑stage loaders. The actor's exact origins remain unknown. The combined evidence — evolving stealer architecture, integrated tunneling, and reuse of persistence and C2 patterns — underscores that defenders will need to hunt beyond single binaries and watch for behavioral indicators across scheduling, remote‑access tooling, and unusual exfiltration paths.

Source: https://thehackernews.com/2026/07/armored-likho-targets-government.html