A newly identified advanced persistent threat (APT) group tracked as Armored Likho is conducting cyberespionage and financially motivated attacks against government and electric power sector organizations, according to research published by Kaspersky. Targets have been identified across Russia, Brazil, and Kazakhstan.

Initial Access and Delivery

Armored Likho relies primarily on spear-phishing for initial compromise. Malicious emails carry archive attachments containing either executables or LNK files. When opened, these files display decoy documents while malware installs silently in the background. In one observed chain, a memory-injected loader retrieved archives from GitHub repositories containing early development builds and test samples of the group’s tools. LNK-based variants fetch a Python 3.12 interpreter and a companion archive while presenting a fake document to the victim.

BusySnake Stealer

The centerpiece of the group’s current toolkit is BusySnake Stealer, a Python-based information stealer with a broad capability set. The malware employs several evasion techniques, including dynamic bytecode decryption at function call time with immediate re-encryption afterward, and it runs without a visible console window.

BusySnake’s functionality includes:

  • Clipboard theft and keystroke logging exfiltration
  • Screenshot capture and archiving
  • File enumeration and document exfiltration
  • Password decryption from Chromium-based browsers and Firefox
  • Cookie extraction and OTP key scraping
  • Cryptocurrency wallet discovery
  • Telegram session and credential harvesting
  • Reverse SSH tunnel establishment
  • RustDesk restart to capture user credentials

The reverse SSH tunneling capability was previously handled by a separate tool called Go2Tunnel, but Armored Likho has since folded that functionality directly into BusySnake, giving attackers persistent remote access and interactive control over compromised hosts through a single implant.

Modular Architecture and Overlap with Eagle Werewolf

Kaspersky describes the group’s malware stack as modular, with downloadable components deployed based on the victim’s profile and operational requirements. The combination of credential theft, remote access, and dynamic module deployment allows the group to maintain stealthy, long-term footholds on targeted systems.

Armored Likho’s operations show overlap with activity previously attributed to a group known as Eagle Werewolf. An earlier remote access trojan associated with that cluster, AquilaRAT, shares structural similarities and persistence mechanisms with BusySnake Stealer, suggesting a common origin or close operational relationship between the two.

Defensive Considerations

Security teams in critical infrastructure and government environments should treat LNK-based attachments and archive files in email as high-risk delivery vectors. Monitoring for unexpected Python interpreter deployments, anomalous SSH tunnel creation, and RustDesk activity on non-standard hosts may help surface this threat actor’s presence on compromised networks.