Armored Likho APT Targets Governments and Power Firms

Kaspersky reports Armored Likho uses spear-phishing and modular malware, including BusySnake Stealer, to target government and electric power organizations in Russia, Brazil and Kazakhstan.

Kaspersky recently reported that a newly identified advanced persistent threat actor known as Armored Likho has targeted government and electric power organizations in Russia, Brazil and Kazakhstan. The group has carried out both financially motivated attacks against individuals and espionage operations against organizations.

Kaspersky’s analysis shows the actor primarily uses spear-phishing emails with attached archives that contain executables or LNK shortcut files. When recipients open the attachments a decoy document appears while a loader runs in memory and retrieves additional components from public GitHub repositories, including early development builds and test samples. In some cases the LNK files trigger a background download of a Python 3.12 interpreter and an archive with the malicious payload.

A key tool in the actor’s toolkit is BusySnake Stealer, a Python-based infostealer. The stealer dynamically decrypts bytecode when a function is called and re-encrypts it immediately after. It runs without opening a visible console window and is modular, loading different handlers for specific tasks.

Handlers in BusySnake perform clipboard theft, file enumeration, extraction of 64-character hexadecimal keys, document exfiltration, screenshot capture and archiving, persistence checks and remote command execution. Commands from the actor’s command-and-control servers can prompt the malware to capture screenshots, collect keystrokes, decrypt stored passwords from Chromium-based and Firefox browsers, extract cookies, scrape one-time password keys, search for cryptocurrency wallets and harvest Telegram sessions and credentials.

The malware can establish a reverse SSH tunnel to provide persistent remote access and can restart legitimate remote-access software such as RustDesk to capture user credentials. Earlier campaigns used a separate tunneling tool called Go2Tunnel; Kaspersky found BusySnake has since incorporated similar tunneling functionality directly into the stealer.

Kaspersky noted some attack chains use a loader injected into memory to retrieve archives from public GitHub repositories. The use of LNK shortcuts that display fake documents while fetching and executing hidden components remains a common method for initial access.

Kaspersky also reported operational overlaps between Armored Likho and activity tracked as Eagle Werewolf. Earlier operations by the group deployed a RAT named AquilaRAT, which shares structural and persistence similarities with BusySnake. Kaspersky wrote that the malware enables the actor to maintain stealthy control of compromised hosts, exfiltrate credentials and other sensitive information, and deploy downloadable modules adapted to the victim and the task.

Articles by this author

No posts found.