A recently discovered advanced persistent threat (APT) actor has been targeting government and electric power organizations in multiple countries, Kaspersky reports.
Dubbed Armored Likho, the APT engages both in financially motivated attacks against individuals and in cyber-espionage operations against organizations in Russia, Brazil, and Kazakhstan.
The threat actor’s arsenal includes modular remote access trojans (RATs) and information stealers, including the Python-based BusySnake Stealer, and tools like Go2Tunnel for remote access and network tunneling.
“This diverse malware stack enables the threat actor to maintain stealthy control of compromised hosts, exfiltrate credentials and other sensitive information, and dynamically deploy downloadable modules tailored to the victim’s profile and the tasks at hand,” Kaspersky notes.
Armored Likho mainly relies on spear-phishing for initial access. Archives attached to its emails contain executables or LNK files that, once opened, display decoys while malware is being installed in the background.
A loader injected in memory via such an executable was seen fetching archives from GitHub repositories that contain early development builds and test samples of the malware. The LNK files display a fake document while a Python 3.12 interpreter and an archive are fetched in the background.
Among other components, the archives contain a Python-based infostealer that Kaspersky tracks as BusySnake Stealer. The malware packs multiple evasion techniques and dynamically decrypts bytecode when a function is called, encrypting it immediately after, and runs in the background without a console window.
The stealer relies on multiple handlers for various functions, such as clipboard theft, file enumeration, 64-character hexadecimal key extraction, document exfiltration, screenshot capture, screenshot archiving, persistence checks, and command execution.
Based on commands received from the command-and-control (C&C) server, the malware can capture screenshots, exfiltrate logged keystroke data, decrypt stored passwords from Chromium-based and Firefox browsers, extract cookies from browsers, scrape the machine for OTP keys, find cryptocurrency wallets, harvest Telegram sessions and credentials, establish a reverse SSH tunnel, and restart RustDesk to capture users’ credentials.
Before BusySnake Stealer, Armored Likho relied on Go2Tunnel to establish a reverse SSH tunnel, but has implemented the functionality into the infostealer, which can now provide the attackers with persistent remote access and interactive control over the victim’s system.
Armored Likho’s operations appear to overlap with Eagle Werewolf activity. Previously, the hacking group was seen using the AquilaRAT RAT, which shares a similar structure and persistence mechanism with BusySnake Stealer.
Related: Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets
Related: New ‘Mistic’ RAT Opens Door to Several Ransomware Families
Related: Hackers Target Global Stock Exchange in Espionage Operation
Related: Sophisticated Deep#Door Backdoor Enables Espionage, Disruption
Facts Only
* The threat actor is dubbed Armored Likho.
* The target organizations include government and electric power organizations in Russia, Brazil, and Kazakhstan.
* The actor engages in financially motivated attacks against individuals and cyber-espionage against organizations.
* The arsenal includes modular Remote Access Trojans (RATs) and information stealers, such as the Python-based BusySnake Stealer.
* Tools mentioned include Go2Tunnel for remote access and network tunneling.
* Initial access relies mainly on spear-phishing using archives containing executables or LNK files.
* A loader injected in memory fetched malware from GitHub repositories.
* The infostealer, BusySnake Stealer, performs functions such as clipboard theft, file enumeration, key extraction, document exfiltration, and screenshot capture.
* Malware captures screenshots, keystroke data, decrypts passwords, extracts cookies, scrapes OTP keys, finds cryptocurrency wallets, harvests Telegram sessions/credentials, establishes reverse SSH tunnels, and restarts RustDesk for credential capture.
* The infostealer now incorporates Go2Tunnel functionality for persistent remote access.
Executive Summary
An advanced persistent threat actor known as Armored Likho is targeting government and electric power organizations across Russia, Brazil, and Kazakhstan through financially motivated attacks and cyber-espionage. The threat actor utilizes a diverse malware arsenal, including modular Remote Access Trojans (RATs) and information stealers such as the Python-based BusySnake Stealer, alongside tools like Go2Tunnel for remote access and network tunneling.
Initial access is primarily achieved through spear-phishing, where archives attached to emails contain files that deploy malware via deception mechanisms. A loader injected into memory fetches malware components from GitHub repositories. Among these components is a Python infostealer, BusySnake Stealer, which employs multiple evasion techniques, dynamically decrypts bytecode, and operates without a console window.
The malicious software performs numerous functions, including capturing screenshots, exfiltrating keystroke data, decrypting browser passwords (Chromium and Firefox), harvesting cookies, scraping OTP keys, locating cryptocurrency wallets, stealing Telegram sessions, establishing reverse SSH tunnels, and restarting RustDesk to capture credentials. The actor has integrated Go2Tunnel functionality into the infostealer, allowing for persistent remote access and interactive system control. Prior to this integration, the actor used the AquilaRAT RAT, which shares structural similarities with BusySnake Stealer.
Full Take
The narrative details a sophisticated operational shift where a single threat actor integrates diverse, specialized tools into a cohesive exploitation chain. The transition from using a dedicated RAT like AquilaRAT to embedding functionalities within a general information stealer like BusySnake Stealer reflects an evolution toward maximizing persistence and minimizing forensic footprint—a pattern often seen in highly resourced APTs attempting long-term operational goals. The deployment of dynamic decryption, multi-handler functionality for data exfiltration, and integration of tunneling capabilities demonstrates a focus not just on initial access but on maintaining continuous, interactive control over the compromised environment.
The core implication is the monetization and sophisticated infrastructure backing these operations targets critical national infrastructure across distinct geopolitical regions. When examining the operational overlap with other groups, such as Eagle Werewolf, it suggests potential shared tradecraft or a common tactical baseline among specific threat communities focusing on espionage for state interests. The focus on capturing highly specific data—browser credentials, OTP keys, and cryptocurrency wallet information—suggests that the primary objective is not merely disruption but systemic financial leverage derived from deep intelligence gathering against high-value governmental entities.
The system leverages multi-stage delivery (phishing $\rightarrow$ loader $\rightarrow$ dynamic module fetching) alongside post-exploitation capabilities (keylogging, tunneling). This layered approach implies a deliberate design to ensure that even if one component is discovered and mitigated, the established backdoors and data exfiltration pathways remain operational. Questions arise regarding the scale of intelligence derived versus the operational security applied; if the integration of functionalities like Go2Tunnel into the stealer proves to be a standard practice across this group, it suggests an evolving methodology aimed at efficiency rather than novelty. What resources are allocated to maintaining this dynamic code base, and how does this specific toolset compare against known patterns for long-term state-sponsored espionage versus financially motivated crime?
