Kaspersky researchers have published new findings on Armored Likho, an advanced persistent threat actor whose campaigns blend financial motivation with cyber espionage objectives. The group — which overlaps with activity tracked as Eagle Werewolf — is actively targeting government organizations and electric power entities using modular remote access tools (RATs) and a sophisticated Python-based information stealer called BusySnake.
Target Profile
Armored Likho's current campaign focuses on two distinct target categories:
- Government organizations — ministries, public sector agencies, and government contractors
- Electric power entities — utilities, energy infrastructure operators, and power grid management systems
Geographic focus: Russia, Brazil, and Kazakhstan — suggesting the group operates across multiple jurisdictions and may be motivated by both geopolitical intelligence interests and financial opportunity.
Initial Access: Spear-Phishing
The group's primary infection vector is spear-phishing emails carrying malicious attachments. Targets receive emails with attached archives containing either executables or LNK shortcut files. When opened, these files:
- Display decoy documents (invoices, reports, official correspondence) to avoid suspicion
- Silently deploy malware to the victim's system in the background
The use of LNK files — Windows shortcut files — is a well-established technique for bypassing basic file-type filtering while triggering code execution.
Malware Arsenal
BusySnake Stealer (Primary Tool)
BusySnake is a Python-based information stealer with a notably sophisticated evasion mechanism: dynamic bytecode encryption. Functions within the malware are encrypted at rest and decrypted only at runtime during execution — frustrating static analysis tools and signature-based antivirus detection.
BusySnake's capabilities span a wide attack surface:
| Capability | Details |
|---|---|
| Credential theft | Extracts saved passwords from Chromium and Firefox browsers |
| Clipboard monitoring | Captures clipboard contents in real-time |
| Screenshot capture | Periodic screenshots of the victim's desktop |
| Keystroke logging | Records keystrokes for credential and message capture |
| OTP scraping | Targets one-time password keys from authenticator apps |
| Cryptocurrency wallets | Scans for and exfiltrates wallet files and seed phrases |
| Telegram session theft | Hijacks active Telegram desktop sessions |
| File enumeration | Maps the filesystem for valuable document types |
| Reverse SSH tunneling | Establishes persistent interactive access to the compromised host |
| RustDesk credential harvest | Extracts credentials from the RustDesk remote desktop client |
The reverse SSH tunnel capability is particularly significant — it provides attackers with a persistent interactive foothold that bypasses traditional firewall rules by initiating outbound connections.
Go2Tunnel (Previous RAT)
Earlier in the group's campaign cycle, Armored Likho deployed Go2Tunnel, a Go-language RAT that provided reverse SSH tunneling and network pivoting capabilities. Kaspersky notes that Go2Tunnel's functionality has since been absorbed into BusySnake, suggesting the group is consolidating its toolset into the Python-based stealer for improved operational efficiency.
Infrastructure: GitHub Staging
Armored Likho uses GitHub-hosted repositories for payload staging and distribution. This is a common technique among sophisticated threat actors — legitimate hosting platforms like GitHub provide:
- HTTPS traffic that blends with normal web traffic
- Reliable uptime without requiring attacker-controlled infrastructure
- Trusted domains that often bypass corporate web filtering
Organizations should monitor outbound connections to GitHub that do not originate from developer workstations or CI/CD pipelines.
Attribution and Overlaps
Armored Likho's activity overlaps with the Eagle Werewolf cluster tracked by other researchers. Kaspersky also notes structural similarities between BusySnake and AquilaRAT, an earlier tool attributed to related activity. The code reuse and shared persistence mechanisms suggest BusySnake is an evolved descendant of AquilaRAT rather than an entirely new project — indicating the threat actor has been active and continuously developing its toolset for an extended period.
Dual Motivation: Espionage and Financial
Unlike purely nation-state actors or purely financially motivated groups, Armored Likho appears to operate with dual objectives:
- Financial campaigns targeting individuals for credential theft, cryptocurrency theft, and account takeover
- Espionage campaigns targeting organizations — particularly government and critical infrastructure — for intelligence collection
This dual-use posture makes attribution and defensive prioritization more complex. The same toolset is used against both enterprise targets (for intelligence value) and individual victims (for financial return).
Detection and Defense
Indicators to Watch
- LNK files received as email attachments, especially in archive formats
- Outbound SSH connections to unexpected external hosts
- Python processes spawning from Office or archive applications
- GitHub API calls from endpoints that should not access developer platforms
Defensive Recommendations
- Block LNK and executable files at the email gateway — especially within archives
- Monitor for outbound SSH on non-standard ports from endpoints
- Deploy behavioral EDR capable of detecting dynamic bytecode execution patterns
- Restrict outbound GitHub access to known developer systems
- Enable multi-factor authentication on all accounts to reduce the impact of credential theft
Source: SecurityWeek — Armored Likho APT Targeting Government, Electric Power Entities