Summary
Kaspersky has detailed a newly identified advanced persistent threat group it calls Armored Likho, which is running a mix of financially motivated and espionage operations against government bodies, electric power companies, and individuals. The group's targeting spans Russia, Brazil, and Kazakhstan, and its toolkit centers on modular remote access trojans (RATs) and information stealers — most notably a Python-based malware Kaspersky tracks as BusySnake Stealer, alongside the Go2Tunnel network-tunneling utility. Kaspersky also notes that the activity overlaps with a cluster it associates with Eagle Werewolf.
Who Armored Likho is
According to Kaspersky, Armored Likho pursues two parallel goals: profit-driven attacks aimed at individuals, and cyber-espionage directed at organizations. Confirmed targets sit in Russia, Brazil, and Kazakhstan, with government and electric power entities singled out as primary objectives.
The group's malware stack is deliberately modular. As Kaspersky describes it, this layered approach lets the operators "maintain stealthy control of compromised hosts, exfiltrate credentials and other sensitive information, and dynamically deploy downloadable modules tailored to the victim's profile and the tasks at hand." In practice, that means the attackers can pull down only the components they need for a given victim.
How the attack works
Initial access relies primarily on spear-phishing. The emails carry archive attachments containing either executables or Windows shortcut (LNK) files. When a victim opens one, a decoy — a fake document — is shown on screen while the actual malware installs silently in the background.
Kaspersky observed two distinct delivery chains:
- Executable-based loader: An in-memory loader injected via the attached executable reaches out to GitHub repositories to fetch archives. Notably, those repositories held early development builds and test samples of the malware, suggesting the operators were staging tooling directly on the platform.
- LNK-based chain: When the shortcut file is opened, it displays a fake document as a lure while quietly downloading a Python 3.12 interpreter and an accompanying archive in the background — bringing the runtime the stealer needs along with the payload itself.
Inside BusySnake Stealer
The fetched archives include the Python-based infostealer Kaspersky names BusySnake Stealer. It is built with evasion in mind: it decrypts its own bytecode on demand when a function is invoked, re-encrypts it immediately afterward, and executes with no visible console window so it stays out of the user's view.
The stealer is organized around a set of handlers, each responsible for a specific capability. Kaspersky lists these as:
- Clipboard theft
- File enumeration
- Extraction of 64-character hexadecimal keys
- Document exfiltration
- Screenshot capture
- Screenshot archiving
- Persistence checks
- Command execution
Acting on instructions from its command-and-control (C&C) server, BusySnake Stealer can carry out a broad range of actions, including:
- Capturing screenshots
- Exfiltrating logged keystroke data
- Decrypting saved passwords from Chromium-based and Firefox browsers
- Extracting browser cookies
- Scraping the host for OTP (one-time password) keys
- Locating cryptocurrency wallets
- Harvesting Telegram sessions and credentials
- Establishing a reverse SSH tunnel
- Restarting RustDesk to capture user credentials
From Go2Tunnel to built-in tunneling
Earlier in its operations, Armored Likho leaned on the Go2Tunnel utility to stand up a reverse SSH tunnel for remote access. That capability has since been folded directly into BusySnake Stealer, which can now provide the operators with persistent remote access and interactive control over an infected machine without needing the separate tool.
Overlap with Eagle Werewolf
Kaspersky reports that Armored Likho's activity appears to overlap with operations attributed to Eagle Werewolf. That group was previously seen deploying a RAT called AquilaRAT, which shares a comparable structure and persistence mechanism with BusySnake Stealer — one of the signals tying the two clusters together.
Detection and mitigation notes
Kaspersky's writeup does not publish specific indicators of compromise such as hashes, IPs, or domains, so defenders should focus on the behaviors described above. Given the delivery chains outlined, worthwhile areas to monitor include:
- Inbound archive attachments containing executables or
.lnkfiles, and LNK files that spawn document viewers alongside network activity. - Unexpected downloads of a Python 3.12 interpreter or archives pulled from GitHub by non-developer endpoints.
- Anomalous use or restarts of RustDesk, and outbound reverse SSH tunnels originating from user workstations.
- Access to browser credential and cookie stores, clipboard scraping, and enumeration of cryptocurrency wallet and Telegram session data.
Because the group stages test builds and payloads on GitHub and relies on spear-phishing for entry, user awareness training against document-lure attachments combined with egress monitoring for tunneling traffic remains a practical first line of defense.