Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Armored Likho APT Targeting Government and Electric Power Entities
Armored Likho APT Targeting Government and Electric Power Entities
NEWS

Armored Likho APT Targeting Government and Electric Power Entities

Kaspersky researchers have detailed a new campaign by Armored Likho — a threat actor overlapping with Eagle Werewolf — deploying modular RATs and the sophisticated BusySnake infostealer against government organizations and electric power utilities across Russia, Brazil, and Kazakhstan.

Dylan H.

News Desk

July 6, 2026
5 min read

Kaspersky researchers have published new findings on Armored Likho, an advanced persistent threat actor whose campaigns blend financial motivation with cyber espionage objectives. The group — which overlaps with activity tracked as Eagle Werewolf — is actively targeting government organizations and electric power entities using modular remote access tools (RATs) and a sophisticated Python-based information stealer called BusySnake.

Target Profile

Armored Likho's current campaign focuses on two distinct target categories:

  • Government organizations — ministries, public sector agencies, and government contractors
  • Electric power entities — utilities, energy infrastructure operators, and power grid management systems

Geographic focus: Russia, Brazil, and Kazakhstan — suggesting the group operates across multiple jurisdictions and may be motivated by both geopolitical intelligence interests and financial opportunity.

Initial Access: Spear-Phishing

The group's primary infection vector is spear-phishing emails carrying malicious attachments. Targets receive emails with attached archives containing either executables or LNK shortcut files. When opened, these files:

  1. Display decoy documents (invoices, reports, official correspondence) to avoid suspicion
  2. Silently deploy malware to the victim's system in the background

The use of LNK files — Windows shortcut files — is a well-established technique for bypassing basic file-type filtering while triggering code execution.

Malware Arsenal

BusySnake Stealer (Primary Tool)

BusySnake is a Python-based information stealer with a notably sophisticated evasion mechanism: dynamic bytecode encryption. Functions within the malware are encrypted at rest and decrypted only at runtime during execution — frustrating static analysis tools and signature-based antivirus detection.

BusySnake's capabilities span a wide attack surface:

CapabilityDetails
Credential theftExtracts saved passwords from Chromium and Firefox browsers
Clipboard monitoringCaptures clipboard contents in real-time
Screenshot capturePeriodic screenshots of the victim's desktop
Keystroke loggingRecords keystrokes for credential and message capture
OTP scrapingTargets one-time password keys from authenticator apps
Cryptocurrency walletsScans for and exfiltrates wallet files and seed phrases
Telegram session theftHijacks active Telegram desktop sessions
File enumerationMaps the filesystem for valuable document types
Reverse SSH tunnelingEstablishes persistent interactive access to the compromised host
RustDesk credential harvestExtracts credentials from the RustDesk remote desktop client

The reverse SSH tunnel capability is particularly significant — it provides attackers with a persistent interactive foothold that bypasses traditional firewall rules by initiating outbound connections.

Go2Tunnel (Previous RAT)

Earlier in the group's campaign cycle, Armored Likho deployed Go2Tunnel, a Go-language RAT that provided reverse SSH tunneling and network pivoting capabilities. Kaspersky notes that Go2Tunnel's functionality has since been absorbed into BusySnake, suggesting the group is consolidating its toolset into the Python-based stealer for improved operational efficiency.

Infrastructure: GitHub Staging

Armored Likho uses GitHub-hosted repositories for payload staging and distribution. This is a common technique among sophisticated threat actors — legitimate hosting platforms like GitHub provide:

  • HTTPS traffic that blends with normal web traffic
  • Reliable uptime without requiring attacker-controlled infrastructure
  • Trusted domains that often bypass corporate web filtering

Organizations should monitor outbound connections to GitHub that do not originate from developer workstations or CI/CD pipelines.

Attribution and Overlaps

Armored Likho's activity overlaps with the Eagle Werewolf cluster tracked by other researchers. Kaspersky also notes structural similarities between BusySnake and AquilaRAT, an earlier tool attributed to related activity. The code reuse and shared persistence mechanisms suggest BusySnake is an evolved descendant of AquilaRAT rather than an entirely new project — indicating the threat actor has been active and continuously developing its toolset for an extended period.

Dual Motivation: Espionage and Financial

Unlike purely nation-state actors or purely financially motivated groups, Armored Likho appears to operate with dual objectives:

  • Financial campaigns targeting individuals for credential theft, cryptocurrency theft, and account takeover
  • Espionage campaigns targeting organizations — particularly government and critical infrastructure — for intelligence collection

This dual-use posture makes attribution and defensive prioritization more complex. The same toolset is used against both enterprise targets (for intelligence value) and individual victims (for financial return).

Detection and Defense

Indicators to Watch

  • LNK files received as email attachments, especially in archive formats
  • Outbound SSH connections to unexpected external hosts
  • Python processes spawning from Office or archive applications
  • GitHub API calls from endpoints that should not access developer platforms

Defensive Recommendations

  1. Block LNK and executable files at the email gateway — especially within archives
  2. Monitor for outbound SSH on non-standard ports from endpoints
  3. Deploy behavioral EDR capable of detecting dynamic bytecode execution patterns
  4. Restrict outbound GitHub access to known developer systems
  5. Enable multi-factor authentication on all accounts to reduce the impact of credential theft

Source: SecurityWeek — Armored Likho APT Targeting Government, Electric Power Entities

#APT#Nation-State#Malware#Infostealer#Critical Infrastructure

Related Articles

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

A Chinese-speaking advanced persistent threat actor has launched targeted attacks against government entities and critical infrastructure in Southeast...

6 min read

Google Exposes China Espionage Group UNC6508 Lurking in Networks Since 2023

Google's Threat Intelligence Group has unmasked UNC6508, a China-linked espionage actor that silently maintained access to critical infrastructure and...

5 min read

Iranian APT Targets Aviation, Software Companies With

Nimbus Manticore, an Iranian advanced persistent threat group, has continued operations targeting aviation and software companies during and after the US.

4 min read
Back to all News