Kaspersky researchers have identified a new campaign by the Armored Likho APT group (also tracked as Eagle Werewolf) targeting government and energy organizations in Russia, Brazil, and Kazakhstan. The group's toolkit centres on the newly discovered BusySnake Stealer, a Python-based infostealer that exfiltrates credentials, browser cookies, and sensitive documents, and is wrapped in PyArmor for heavy obfuscation that hinders static analysis.
Payloads are delivered through loaders and stagers that the researchers assess to be AI-generated, which muddies attribution and hampers conventional signature-based analysis. Alongside the stealer, the group deploys modular components for reverse SSH tunnelling (giving the operators a path back into the victim network) and for cookie theft via a browser extension. Taken together, the tooling marks a shift toward automated payload generation and multi-stage execution chains, including scripts that run only in memory so that little is written to disk for defenders to find.
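The two traits called out above, PyArmor wrapping and in-memory script execution, leave recognisable residue in Python source that a responder can look for during triage. The script below is an added example written for this page; it is not Kaspersky's detection logic and not code from the campaign. The marker regexes are this example's own assumptions about what PyArmor-protected scripts and in-memory loaders typically contain (a `__pyarmor__(...)` bootstrap call, an import of `pyarmor_runtime`/`pytransform`, `exec(compile(...))` over a decoded blob, `marshal.loads`), the high-entropy bytes-constant check is a generic heuristic, and all three sample inputs are constructed here rather than captured from the campaign. Note that the same markers appear in legitimate commercially protected Python software, so a hit is a reason to look closer, not a verdict.

```python
import ast
import math
import re

# Assumed markers (this example's own heuristics, not vendor signatures).
MARKERS = {
    # PyArmor bootstrap: __pyarmor__(__name__, __file__, b'...')
    "pyarmor_bootstrap": re.compile(rb"\b__pyarmor__\s*\("),
    # PyArmor runtime import (v8+: pyarmor_runtime_XXXXXX; older: pytransform)
    "pyarmor_runtime_import": re.compile(rb"\b(?:pyarmor_runtime\w*|pytransform)\b"),
    # exec() fed directly by a decode/decompress/compile step: memory-only staging
    "exec_of_decoded_blob": re.compile(
        rb"\bexec\s*\(\s*(?:compile|marshal\.loads|zlib\.decompress|"
        rb"base64\.b64decode|bytes\.fromhex)\b"
    ),
    # Deserialising raw code objects is rare in benign scripts
    "marshal_loads": re.compile(rb"\bmarshal\.loads\s*\("),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def largest_bytes_constant(src: bytes) -> tuple[int, float]:
    """Parse the source and return (length, entropy) of its largest bytes literal.

    Parsing with ast decodes escapes such as b'\\x8f', so the entropy is that of
    the real payload bytes, not of the escaped text. Unparsable input yields (0, 0.0).
    """
    try:
        tree = ast.parse(src)
    except (SyntaxError, ValueError):
        return 0, 0.0
    best = b""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, bytes):
            if len(node.value) > len(best):
                best = node.value
    return len(best), shannon_entropy(best)


def triage(src: bytes, min_blob_len: int = 256, min_entropy: float = 6.0) -> dict:
    """Return matched markers and coarse tags for one Python source file."""
    hits = {name for name, rx in MARKERS.items() if rx.search(src)}
    blob_len, blob_entropy = largest_bytes_constant(src)
    if blob_len >= min_blob_len and blob_entropy >= min_entropy:
        hits.add("high_entropy_bytes_constant")

    tags = []
    if hits & {"pyarmor_bootstrap", "pyarmor_runtime_import"}:
        tags.append("pyarmor")
    if hits & {"exec_of_decoded_blob", "marshal_loads"}:
        tags.append("in_memory_exec")
    if "high_entropy_bytes_constant" in hits:
        tags.append("high_entropy_blob")
    return {
        "hits": sorted(hits),
        "blob_len": blob_len,
        "blob_entropy": round(blob_entropy, 2),
        "tags": tags,
    }


# Constructed samples (not real malware). The PyArmor-style one embeds a 512-byte
# blob with every byte value twice, so its entropy is exactly 8.0.
SAMPLE_PYARMOR = (
    "from pyarmor_runtime_000000 import __pyarmor__\n"
    "__pyarmor__(__name__, __file__, " + repr(bytes(range(256)) * 2) + ")\n"
).encode()

SAMPLE_LOADER = b"""import base64, zlib
stage2 = "eJwrSS0u"  # constructed placeholder, not a real payload
exec(compile(zlib.decompress(base64.b64decode(stage2)), "<stage2>", "exec"))
"""

SAMPLE_BENIGN = b"""import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
"""


if __name__ == "__main__":
    for name, src in (("pyarmor", SAMPLE_PYARMOR), ("loader", SAMPLE_LOADER),
                      ("benign", SAMPLE_BENIGN)):
        print(name, triage(src))
```

Run it over a directory of `.py` files (or over script text pulled from process command lines, since a memory-only stager often arrives as `python -c ...`) and escalate anything tagged `pyarmor` or `in_memory_exec` for manual review; the entropy threshold is deliberately loose so that shorter packed stages are not missed, at the cost of some noise from embedded images or certificates.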