Kaspersky researchers have publicly named a previously undocumented threat actor — Armored Likho — behind an ongoing cyber-espionage campaign hitting government agencies and electric power operators across Russia, Kazakhstan, and Brazil. The group's primary weapon is a novel Python-based infostealer called BusySnake, which employs advanced encryption and AI-assisted development to evade detection and complicate forensic analysis.
The group substantially overlaps with a threat cluster tracked by Russian cybersecurity firm BI.ZONE under the name Eagle Werewolf, which has been documented active since at least May 2023.
A Dual-Track Threat Actor
What sets Armored Likho apart from most APT groups is its simultaneous operation of two distinct campaign types:
- Targeted espionage against critical national infrastructure — government agencies, electric power companies
- Financially motivated credential theft targeting private individuals for direct monetary gain
This blended model allows the group to maintain a wide operational footprint while keeping revenue flowing between major targeted campaigns.
BusySnake: A Python Stealer Built to Evade
The centerpiece of the group's toolkit is BusySnake Stealer, a previously unreported Python-based infostealer that targets Windows systems. Its capabilities include:
| Capability | Description |
|---|---|
| Clipboard harvesting | Captures clipboard contents in real-time |
| Screenshots | Periodic screen captures for situational awareness |
| Browser credential theft | Steals saved passwords and cookies from major browsers |
| Cryptocurrency wallet targeting | Searches for and exfiltrates wallet files |
| Telegram session extraction | Steals active Telegram session data |
| Reverse SSH tunnels | Establishes persistent remote access for operators |
| C2 communication | Awaits operator instructions from command-and-control server |
Advanced Obfuscation: PyArmor Pro
BusySnake's authors used PyArmor Pro to encrypt the bytecode. The implementation is notable: functions are decrypted only at the moment of invocation and immediately re-encrypted upon return. This on-call decryption model makes static analysis ineffective — there is no persistent decrypted form to analyze — and defeats many sandbox environments that rely on static pattern matching.
Kaspersky researchers observed that BusySnake persists on infected systems via VBScript and scheduled tasks configured to run every five minutes, using generic Windows-sounding names like WindowsHelper to blend in with legitimate system activity.
Attack Chain: From Phishing to Payload
The infection chain begins with carefully crafted spear-phishing emails using lures designed to mimic official government notices, social programs, and humanitarian forms. The emails deliver RAR archives containing one of two delivery mechanisms:
Option 1: NSIS-built EXE dropper
└── Presents decoy document while extracting hidden loader
└── Loader injects into benign process
└── Downloads staged payload from rotating GitHub repositories
Option 2: Malicious LNK shortcut (CVE-2025-9491)
└── Exploits Windows LNK parameter handling
└── Executes first-stage loader on open
└── Same GitHub-based staging infrastructureNotably, the loaders themselves are retrieved from GitHub repositories under automated, rapidly rotating paths — a technique that makes infrastructure takedowns difficult and gives the actor plausible hosting deniability.
AI-Assisted Malware Development
One of the most significant findings from Kaspersky's analysis is evidence that Armored Likho is using large language models to generate first-stage loader code. Researchers identified loader samples containing:
- Verbose inline comments unusual for operational malware
- Bullet-point emojis embedded in source code
- Redundant code blocks that serve no functional purpose
These stylistic patterns are highly consistent with LLM-generated output and inconsistent with human-authored malware. This represents one of the clearest documented examples of AI being used to lower the development barrier for APT-level tooling.
Attribution and Confidence
Kaspersky attributes the campaign to Armored Likho with medium confidence — meaning the attribution is supported by multiple converging indicators but lacks definitive proof such as an indictment or signals-intelligence corroboration. The group's TTP overlap with the Eagle Werewolf cluster tracked by BI.ZONE is substantial, suggesting these are two research teams tracking the same actor.
The group has not been attributed to a specific nation-state at this time.
Detection Guidance
Security teams defending government and energy sector networks should monitor for:
- Scheduled tasks with generic Windows-sounding names (
WindowsHelper,TaskHost) created outside normal software installations - Python 3.12 runtimes dropped into
AppDatapaths — a strong indicator given the Python-based stealer - Outbound connections to GitHub raw content paths from endpoints (payload staging)
- RAR archives delivered via email with EXE or LNK contents
- Go2Tunnel activity — the group uses this tool for remote access and network tunneling
# Detect suspicious scheduled tasks (Windows)
schtasks /query /fo LIST /v | findstr /i "windowshelper taskmanager"
# Search for Python runtimes in AppData (PowerShell)
Get-ChildItem -Path $env:APPDATA -Recurse -Filter "python*.exe" -ErrorAction SilentlyContinue
# Check for outbound connections to raw.githubusercontent.com
netstat -ano | findstr "443"