VYPR
Research · Published Jul 3, 2026 · 1 source

Armored Likho APT Targets Government and Energy Sectors with AI-Generated BusySnake Stealer

A new advanced persistent threat group, Armored Likho, is actively targeting government and electric power entities in Russia, Brazil, and Kazakhstan with a sophisticated campaign utilizing a custom infostealer and AI-generated initial payloads.

A previously unknown advanced persistent threat (APT) group, identified as Armored Likho, has emerged with a targeted campaign focused on critical infrastructure and government entities across Russia, Brazil, and Kazakhstan. This group, also potentially known as Eagle Werewolf, exhibits a blend of financially motivated tactics and cyber-espionage, employing a diverse toolkit designed for stealth and evasion. Their operations are characterized by the use of custom-built modular RATs and infostealers, alongside simpler tools like Go2Tunnel for network tunneling, enabling persistent, covert access to compromised systems.

Central to this campaign is a newly documented information stealer dubbed BusySnake Stealer. Written in Python, this malware is specifically designed to target Windows systems and has been observed in multiple versions, including a dedicated module for stealing browser cookies. The sophistication of Armored Likho is further highlighted by their use of AI-generated initial payloads, such as loaders and stagers. This AI-driven approach complicates attribution efforts and analysis by introducing polymorphism and blurring the attackers' typical tactics, techniques, and procedures (TTPs).

The initial infection vector for Armored Likho heavily relies on spear-phishing emails. These emails are crafted with themes ranging from official government communications to social program announcements, aiming to trick recipients into opening malicious attachments. In a recent campaign, attackers distributed archives containing executables or LNK files disguised with names like "psychological test" or "humanitarian aid application," further enhancing their social engineering efforts.

One observed attack variant involves a dropper disguised as a "psychological test" executable. This dropper, built using the Nullsoft Scriptable Install System (NSIS), launches a decoy application presenting a fake psychological survey to disarm the victim. Once executed, it writes a legitimate-looking executable to disk and injects code into its memory to run a malicious loader. This loader then fetches additional payload archives from GitHub repositories, some of which contained early development builds of the malware, indicating an automated and rapid rotation of payloads and infrastructure.

Upon successful execution, the loader stages components in a dedicated directory, typically within the user's AppData folder. This package includes the core BusySnake Stealer (module.pyw), a Python interpreter, and scripts to manage dependencies and establish persistence. The malware installs necessary Python packages and then creates scheduled tasks to ensure the stealer runs repeatedly, often every five minutes, maintaining a constant presence on the compromised system.
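The persistence pattern described above (a Python interpreter staged under AppData, run from a scheduled task on a tight repeat) can be hunted for on an endpoint. The following PowerShell script is an added example, not code from the article or from the researchers it summarizes; the `module.pyw` name comes from the article, while the regexes, scoring and the five-minute threshold are assumptions for illustration, so legitimate developer tooling that runs Python from AppData will also surface and needs triage.

```powershell
# Added hunting example: list scheduled tasks that launch a Python interpreter
# from a user's AppData folder, the staging/persistence pattern attributed to
# BusySnake Stealer. Heuristics and thresholds are assumptions, not IoCs.
function Find-AppDataPythonTasks {
    [CmdletBinding()]
    param(
        # Repetition interval at or below this is treated as a tight loop
        [TimeSpan]$MaxInterval = [TimeSpan]::FromMinutes(5)
    )

    $pythonExe = 'python(w)?(\d+(\.\d+)?)?\.exe'            # python.exe, pythonw.exe, python3.12.exe
    $appData   = '\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\'

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }           # skip non-Exec (COM handler) actions
            $cmdLine = "$($action.Execute) $($action.Arguments)"

            $runsPython = $cmdLine -match $pythonExe          # -match is case-insensitive by default
            $inAppData  = $cmdLine -match $appData
            $runsPyw    = $action.Arguments -match '\.pyw?(\s|"|$)'
            $isModule   = $action.Arguments -match 'module\.pyw'   # file name reported in the article
            if (-not ($runsPython -and ($inAppData -or $runsPyw))) { continue }

            # Triggers expose repetition as an ISO 8601 duration string, e.g. "PT5M"
            $tightRepeat = $false
            foreach ($trigger in $task.Triggers) {
                $interval = $trigger.Repetition.Interval
                if ($interval) {
                    $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                    if ($span -le $MaxInterval) { $tightRepeat = $true }
                }
            }

            [PSCustomObject]@{
                TaskPath        = $task.TaskPath
                TaskName        = $task.TaskName
                RunAs           = $task.Principal.UserId
                CommandLine     = $cmdLine
                StagedInAppData = $inAppData
                TightRepeat     = $tightRepeat
                Score           = [int]$inAppData + [int]$runsPyw + [int]$isModule + [int]$tightRepeat
            }
        }
    }
}

# Triage: highest-scoring tasks first, then inspect the referenced script on disk
Find-AppDataPythonTasks | Sort-Object Score -Descending | Format-Table -AutoSize
```

A task that scores on all four signals (AppData staging, a .pyw script, the `module.pyw` name and a repeat of five minutes or less) matches the chain the article describes closely; lower scores are common for local development environments and should be checked against the user's expected software.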

In alternative attack chains, the malicious archive contains an LNK file. Armored Likho exploits a known shortcut vulnerability (ZDI-CAN-25373) to obscure the command-line parameters used for execution. When the LNK file is opened, it triggers an obfuscated PowerShell command that downloads and executes the primary loader. This loader, in turn, displays a decoy document, such as a fake humanitarian aid request or debt clearance certificate, while it initializes the environment for the next stage of the attack.

The campaign showcases several worrying trends in the threat landscape: the increasing technical proficiency of emerging APT groups, the pervasive use of polymorphic and AI-assisted tools to evade detection, and a strategic shift towards more complex infection chains. The combination of obfuscated Python code, embedded network mechanisms, and AI-generated components presents a significant challenge for security solutions.

Armored Likho's ability to blend financially motivated attacks with targeted espionage, coupled with their evolving and evasive toolset, positions them as a notable threat actor. Their focus on government and critical infrastructure sectors underscores the ongoing risks to national security and essential services, demanding heightened vigilance and advanced detection capabilities from defenders.

Synthesized by Vypr AI