
Armored Likho APT Targets Government and Power Sector with BusySnake Stealer Deployment


Emerging Phishing Campaign Unveils New Threat: Armored Likho

A newly discovered advanced persistent threat (APT), dubbed Armored Likho (with the provisional alias Eagle Werewolf), is reportedly conducting a highly targeted phishing campaign. This operation is primarily focused on infiltrating government agencies and the electric power sector across several nations, including Russia, Brazil, and Kazakhstan. The group exhibits a diverse and evolving toolkit that integrates both commonly available and custom-developed tools to facilitate activities ranging from financially motivated cybercrime to more sophisticated cyber-espionage campaigns.

Initial access into targeted systems is largely achieved through spear-phishing emails designed with social engineering tactics. These emails typically contain archived attachments that serve as delivery mechanisms for the malicious payload. Two significant delivery methods have emerged: one involving executable droppers built using the Nullsoft Scriptable Install System (NSIS), and another using malicious LNK shortcuts, which take advantage of specific vulnerabilities in how Windows processes .lnk files.

In the executable variant, cybercriminals often disguise their malicious software with a decoy, such as a seemingly innocuous psychological survey. Once executed, this decoy not only manipulates the user but also extracts and runs a hidden loader. This loader subsequently injects code into benign processes, allowing it to retrieve staged payloads from remote GitHub repositories through rapidly changing paths. Notably, the repositories serve as a source for developer builds and test samples, empowering the attackers to refine their payloads and transition their infrastructure swiftly.

Additionally, alternate campaigns use crafted LNK files that obscure their execution parameters; this follows public coverage of a recent disclosure relating to LNK file vulnerabilities (ZDI-CAN-25373). According to a report from Securelist, the ongoing campaign also showcases a newly identified Python-based infostealer, known as BusySnake Stealer, which incorporates modular Remote Access Trojan (RAT) capabilities, network tunneling utilities like Go2Tunnel, and AI-assisted payload generation techniques. These advancements complicate attribution and detection for cybersecurity teams.

In one variant of their attack, the archive file is named psihologicheskiy_test.exe, a self-extracting archive created with NSIS. When executed via the shortcut, it triggers an obfuscated PowerShell chain that downloads and activates a loader from the same family. This loader pulls in a packaged Python 3.12 runtime, a PyArmor-protected payload archive, and the get-pip.py script to install necessary dependencies for the malware to operate seamlessly.

Both primary methods lead to the deployment of BusySnake Stealer, which the group keeps running through VBScript and scheduled tasks set to execute every five minutes. The stealer maintains an active connection with a command and control (C2) server and is ready to receive new instructions throughout its runtime. Its core functionality hinges on a poll_task routine that runs a continuous polling loop against the C2 server for additional commands.

Designed for stealth and operational flexibility, BusySnake Stealer is fortified with PyArmor Pro 9.2.0, where its bytecode is dynamically decrypted only when called and is re-encrypted immediately afterward. Furthermore, its main payload operates as a .pyw script, strategically avoiding the appearance of a console window during execution.

Analysis of stripped malware samples reveals an intricate handler-based architecture, incorporating features such as single-instance locking through a custom algorithm, and ongoing clipboard harvesting to extract sensitive information. The malware systematically inventories user files into a local SQLite database while scanning for specific 64-character hex keys. It enacts selective data exfiltration based on size and path filters, captures screenshots, and maintains continuous communication with the C2 server.

The malware polls its C2 server with simple HTTP GET requests that carry a browser-like User-Agent header, and the server's responses deliver instructions to the compromised host. The remote commands available to the attacker include comprehensive theft of credentials and cookies from Chromium- and Firefox-based browsers, with decryption routines that unlock the stored secrets. Additional functionality, such as installing browser extensions for cookie extraction, monitoring the clipboard for OTPs and keys, and exfiltrating Telegram session data, highlights the malware's extensive capabilities.

Notably, the threat actor can also enable reverse SSH tunneling on demand and tampers with RustDesk installations to capture any re-entered credentials. A key operational characteristic of Armored Likho is its use of AI to generate loaders and to produce verbose comments within source code; these comments exhibit anomalies consistent with development assisted by large language models (LLMs).

The technical maturity and evasion sophistication of this emerging group are underscored by their use of polymorphism, demonstrated in multiple builds of BusySnake and its cookie-focused modules, and by the rapid distribution of payloads via public code-hosting platforms. Given these developments, defenders are urged to prioritize several mitigation strategies. Key recommendations include hardening email gateways, enforcing strict policies for macro and LNK file handling, investing in endpoint detection tailored to identify Python runtimes and PyArmor artifacts, and monitoring for unusual patterns in scheduled tasks or GitHub fetch operations.
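One way to act on the scheduled-task recommendation above is a simple scoring pass over task-creation records, flagging tasks that combine the traits described in this article (a five-minute repetition, a script host or Python runtime as the action, a .vbs/.pyw payload, and a user-writable path). This is an added example, not code from the article or from Securelist; the record fields and sample entries are constructed for illustration and would in practice be populated from Windows task-creation events.

```python
import re

# Constructed sample records, flattened from task-creation events:
# task name, repetition interval in minutes, and the action command line.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\ScheduledScan",
     "interval_min": 1440,
     "cmd": r"C:\Windows\System32\usoclient.exe StartScan"},
    {"name": r"\SystemHealthCheck",
     "interval_min": 5,
     "cmd": r"wscript.exe C:\Users\alice\AppData\Roaming\health\run.vbs"},
    {"name": r"\PyUpdater",
     "interval_min": 5,
     "cmd": r"C:\Users\bob\AppData\Local\Temp\py312\pythonw.exe "
            r"C:\Users\bob\AppData\Local\Temp\py312\main.pyw"},
    {"name": r"\Backup",
     "interval_min": 60,
     "cmd": r"C:\Program Files\Backup\backup.exe --full"},
]

# Traits drawn from the article: script hosts / Python runtime as the action,
# script payloads, actions staged under user-writable directories, and a
# short repetition interval (the article cites five minutes).
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|pythonw?)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|pyw?)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
SHORT_INTERVAL_MIN = 10


def score_task(task):
    """Return the list of suspicious traits a single task record exhibits."""
    reasons = []
    if task["interval_min"] <= SHORT_INTERVAL_MIN:
        reasons.append(f"repeats every {task['interval_min']} min")
    if SCRIPT_HOSTS.search(task["cmd"]):
        reasons.append("script host or Python runtime as action")
    if SCRIPT_EXT.search(task["cmd"]):
        reasons.append("script payload (.vbs/.py/.pyw)")
    if USER_WRITABLE.search(task["cmd"]):
        reasons.append("action lives in a user-writable path")
    return reasons


def suspicious_tasks(tasks, min_reasons=3):
    """Tasks that hit at least min_reasons traits, with the reasons attached."""
    hits = []
    for task in tasks:
        reasons = score_task(task)
        if len(reasons) >= min_reasons:
            hits.append((task["name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE_TASKS):
        print(name, "->", "; ".join(reasons))
```

The threshold deliberately requires several traits at once, since any one of them (a short interval, a Python runtime) is common in legitimate automation.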

By recognizing and understanding the tactics employed by this newly identified threat group, organizations can bolster their defenses against this evolving cybersecurity landscape.
