Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
NEWS

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

Kaspersky has identified a previously undocumented APT group — Armored Likho (aka Eagle Werewolf) — deploying an AI-assisted Python infostealer called...

Dylan H.

News Desk

July 4, 2026
5 min read

Kaspersky researchers have publicly named a previously undocumented threat actor — Armored Likho — behind an ongoing cyber-espionage campaign hitting government agencies and electric power operators across Russia, Kazakhstan, and Brazil. The group's primary weapon is a novel Python-based infostealer called BusySnake, which employs advanced encryption and AI-assisted development to evade detection and complicate forensic analysis.

The group substantially overlaps with a threat cluster tracked by Russian cybersecurity firm BI.ZONE under the name Eagle Werewolf, which has been documented active since at least May 2023.

A Dual-Track Threat Actor

What sets Armored Likho apart from most APT groups is its simultaneous operation of two distinct campaign types:

  1. Targeted espionage against critical national infrastructure — government agencies, electric power companies
  2. Financially motivated credential theft targeting private individuals for direct monetary gain

This blended model allows the group to maintain a wide operational footprint while keeping revenue flowing between major targeted campaigns.

BusySnake: A Python Stealer Built to Evade

The centerpiece of the group's toolkit is BusySnake Stealer, a previously unreported Python-based infostealer that targets Windows systems. Its capabilities include:

CapabilityDescription
Clipboard harvestingCaptures clipboard contents in real-time
ScreenshotsPeriodic screen captures for situational awareness
Browser credential theftSteals saved passwords and cookies from major browsers
Cryptocurrency wallet targetingSearches for and exfiltrates wallet files
Telegram session extractionSteals active Telegram session data
Reverse SSH tunnelsEstablishes persistent remote access for operators
C2 communicationAwaits operator instructions from command-and-control server

Advanced Obfuscation: PyArmor Pro

BusySnake's authors used PyArmor Pro to encrypt the bytecode. The implementation is notable: functions are decrypted only at the moment of invocation and immediately re-encrypted upon return. This on-call decryption model makes static analysis ineffective — there is no persistent decrypted form to analyze — and defeats many sandbox environments that rely on static pattern matching.

Kaspersky researchers observed that BusySnake persists on infected systems via VBScript and scheduled tasks configured to run every five minutes, using generic Windows-sounding names like WindowsHelper to blend in with legitimate system activity.

Attack Chain: From Phishing to Payload

The infection chain begins with carefully crafted spear-phishing emails using lures designed to mimic official government notices, social programs, and humanitarian forms. The emails deliver RAR archives containing one of two delivery mechanisms:

Option 1: NSIS-built EXE dropper
  └── Presents decoy document while extracting hidden loader
  └── Loader injects into benign process
  └── Downloads staged payload from rotating GitHub repositories
 
Option 2: Malicious LNK shortcut (CVE-2025-9491)
  └── Exploits Windows LNK parameter handling
  └── Executes first-stage loader on open
  └── Same GitHub-based staging infrastructure

Notably, the loaders themselves are retrieved from GitHub repositories under automated, rapidly rotating paths — a technique that makes infrastructure takedowns difficult and gives the actor plausible hosting deniability.

AI-Assisted Malware Development

One of the most significant findings from Kaspersky's analysis is evidence that Armored Likho is using large language models to generate first-stage loader code. Researchers identified loader samples containing:

  • Verbose inline comments unusual for operational malware
  • Bullet-point emojis embedded in source code
  • Redundant code blocks that serve no functional purpose

These stylistic patterns are highly consistent with LLM-generated output and inconsistent with human-authored malware. This represents one of the clearest documented examples of AI being used to lower the development barrier for APT-level tooling.

Attribution and Confidence

Kaspersky attributes the campaign to Armored Likho with medium confidence — meaning the attribution is supported by multiple converging indicators but lacks definitive proof such as an indictment or signals-intelligence corroboration. The group's TTP overlap with the Eagle Werewolf cluster tracked by BI.ZONE is substantial, suggesting these are two research teams tracking the same actor.

The group has not been attributed to a specific nation-state at this time.

Detection Guidance

Security teams defending government and energy sector networks should monitor for:

  • Scheduled tasks with generic Windows-sounding names (WindowsHelper, TaskHost) created outside normal software installations
  • Python 3.12 runtimes dropped into AppData paths — a strong indicator given the Python-based stealer
  • Outbound connections to GitHub raw content paths from endpoints (payload staging)
  • RAR archives delivered via email with EXE or LNK contents
  • Go2Tunnel activity — the group uses this tool for remote access and network tunneling
# Detect suspicious scheduled tasks (Windows)
schtasks /query /fo LIST /v | findstr /i "windowshelper taskmanager"
 
# Search for Python runtimes in AppData (PowerShell)
Get-ChildItem -Path $env:APPDATA -Recurse -Filter "python*.exe" -ErrorAction SilentlyContinue
 
# Check for outbound connections to raw.githubusercontent.com
netstat -ano | findstr "443"

References

  • Kaspersky Securelist — Armored Likho's New Weapon: BusySnake Stealer
  • The Hacker News — Armored Likho Targets Government Agencies, Power Sector
  • GBHackers — Armored Likho APT Deploys BusySnake Stealer
  • CyberPress — BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions
#Russia#Threat Intelligence#APT#Infostealer#AI Security#BusySnake

Related Articles

Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

Ukraine's SSU and the FBI have exposed a sustained Russian intelligence campaign using fake support SMS messages to steal Signal, WhatsApp, and Telegram...

5 min read

Russian APT Gamaredon Upgrades Its Arsenal, Requiring New Defenses

ESET research reveals FSB-sponsored Gamaredon has significantly upgraded its C2 infrastructure obfuscation and malware delivery capabilities, running 35...

3 min read

UK Cyberspying Chief Calls AI 'an Unstoppable Force' and Warns About Russia

UK signals-intel chief warns AI is reshaping threats as an unstoppable force while Russia escalates hostile gray-zone activity below open conflict.

5 min read
Back to all News