Armored Likho Deploys BusySnake Stealer in Advanced Cyber Espionage Campaigns

A previously undocumented threat actor known as Armored Likho has been linked to a series of cyberattacks targeting government agencies and organizations in the energy sector across Russia, Brazil, and Kazakhstan.

Security researchers describe the group as operating with dual objectives—conducting financially motivated attacks against individuals while also carrying out targeted cyber espionage campaigns against organizations. Its toolkit includes modular remote access trojans (RATs), information stealers, and advanced evasion techniques designed to avoid security analysis.

Hybrid Cybercrime and Espionage Operations

Armored Likho combines credential theft, long-term persistence, and remote access capabilities to compromise victims and maintain control over infected systems.

The threat actor is also known to use Go2Tunnel, a tool that creates reverse SSH tunnels for secure communication with command-and-control (C2) servers. This enables attackers to remotely manage compromised devices while bypassing network restrictions.

Researchers believe Armored Likho shares operational similarities with a threat cluster known as Eagle Werewolf, which has been active since 2023 and has previously targeted government, defense, and drone development organizations.

Past campaigns linked to Eagle Werewolf involved malicious droppers, remote access trojans, SSH tunneling utilities, and even compromised Telegram channels to distribute malware disguised as legitimate files.

BusySnake Stealer Emerges as a New Malware Threat

One of the most significant discoveries is a previously undocumented Python-based information stealer called BusySnake Stealer, which targets Windows systems.

The malware is capable of stealing browser cookies and other sensitive information while using multiple anti-analysis techniques to make detection and reverse engineering more difficult.

Its exact origin remains unknown.

Phishing Emails Deliver the Initial Payload

The attacks typically begin with spear-phishing emails impersonating official government communications or social assistance programs.

Victims receive a RAR archive containing executable files that function as malware droppers. These droppers download additional payloads from a GitHub repository, including BusySnake.

To maintain persistence, the malware creates Visual Basic Script (VBScript) files and scheduled tasks that automatically relaunch the stealer while simultaneously removing traces of the initial infection.

Windows Shortcut Vulnerability Also Exploited

In some campaigns, attackers replace executable droppers with malicious Windows shortcut (LNK) files.

These attacks exploit CVE-2025-9491, a Windows shortcut vulnerability that allowed remote code execution before Microsoft released a security update in November 2025.

The malicious shortcut executes an obfuscated PowerShell command that launches a loader, displays a decoy document to distract the victim, and silently installs BusySnake in the background.

Persistence is once again established through scheduled tasks and VBScript components.
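The persistence chain described here and in the phishing section (a scheduled task that relaunches a VBScript, which in turn starts the console-less Python stealer) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the report or from the malware; the event field names, the Sysmon-style sample records and the set of "user-writable" directories are assumptions.

```python
import re

# Paths a dropper typically writes to; a legitimate task or script rarely lives here (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Constructed Sysmon-style process-creation records; not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\notice.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "Updater" /tr "wscript.exe C:\Users\alice\AppData\Roaming\svc.vbs" /f'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Roaming\svc.vbs"},
    {"image": r"C:\Users\alice\AppData\Roaming\rt\pythonw.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"pythonw.exe C:\Users\alice\AppData\Roaming\rt\main.pyw"},
    {"image": r"C:\Windows\System32\schtasks.exe",           # benign: target is an installed program
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

def check_event(ev):
    """Return the name of the persistence stage an event matches, or None."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image.endswith("schtasks.exe") and "/create" in cmd.lower():
        # Pull the /tr action and ask whether it is a VBScript in a user-writable path.
        m = re.search(r'/tr\s+"?([^"]+)"?', cmd, re.I)
        target = m.group(1) if m else ""
        if re.search(r"\.vbs\b", target, re.I) and USER_WRITABLE.search(target):
            return "task_launches_vbscript"
    if image.endswith(("wscript.exe", "cscript.exe")):
        if re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            return "vbscript_from_user_dir"
    if image.endswith("pythonw.exe") and re.search(r"\.pyw\b", cmd, re.I):
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(ev["image"]):
            return "hidden_python_from_user_dir"   # console-less interpreter running a .pyw
    return None

def scan(events):
    """Evaluate every event and keep the ones that hit a stage."""
    return [{"rule": r, "image": ev["image"], "parent": ev["parent"]}
            for ev in events if (r := check_event(ev))]

def chain_complete(hits):
    """True when all three stages (task -> VBScript -> hidden Python) were seen."""
    return {"task_launches_vbscript", "vbscript_from_user_dir",
            "hidden_python_from_user_dir"} <= {h["rule"] for h in hits}
```

Running scan(SAMPLE_EVENTS) yields three hits and chain_complete on that result is True; a single hit on its own is worth triage, but the complete chain is the strong signal.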

BusySnake’s Capabilities

BusySnake includes a broad set of surveillance and data theft features designed for long-term access.

Its core functionality includes:

  • Stealing clipboard contents.
  • Enumerating files and recording metadata.
  • Uploading user documents to remote servers.
  • Capturing periodic screenshots.
  • Compressing collected screenshots before exfiltration.
  • Preventing multiple malware instances from running simultaneously.
  • Maintaining persistence using scheduled tasks and VBScript.

The malware also accepts commands from its C2 server that allow it to:

  • Record keystrokes.
  • Steal cryptocurrency wallet files.
  • Collect Telegram session data and saved credentials.
  • Extract browser cookies and stored passwords.
  • Establish reverse SSH tunnels using Go2Tunnel.
  • Install RustDesk for remote desktop access.

If RustDesk is already present on a compromised system, BusySnake launches the application and tricks victims into entering their credentials. It then captures a screenshot of the login window and sends it to the attackers.

Strong Focus on Evasion

BusySnake employs advanced obfuscation techniques to avoid detection.

Instead of keeping its code permanently decrypted in memory, the malware decrypts only the specific function being executed and immediately re-encrypts it afterward.

It also runs silently in the background as a Python .pyw script, a file type that Windows launches without a console window, so no window appears and its activity is less noticeable to users.

New Version Introduces Task Management Framework

Researchers have also identified a newer version of BusySnake featuring an upgraded task management system.

Instead of executing commands immediately, the malware now tracks each assigned operation using statuses such as:

  • Scheduled
  • In Progress
  • Succeeded
  • Failed

This provides attackers with better visibility into completed tasks and improves command execution reliability.

Links to Eagle Werewolf

The suspected relationship between Armored Likho and Eagle Werewolf is based on several technical similarities.

Researchers observed comparable methods for:

  • Command-and-control communications.
  • Scheduled task persistence.
  • Remote SSH tunneling.
  • Malware task handling.
  • Overall attack workflow.

These shared characteristics suggest either a common developer, shared tooling, or close operational collaboration.

AI May Be Assisting Malware Development

Researchers also found evidence suggesting that some of the loaders and staging components may have been created with the assistance of artificial intelligence.

Indicators include redundant code blocks, repetitive comments, and programming patterns commonly associated with AI-generated code.

While AI involvement does not necessarily indicate a highly sophisticated threat actor, it highlights how modern development tools are reducing the time and expertise required to build advanced malware.

Final Thoughts

Armored Likho represents an increasingly sophisticated threat that blends cyber espionage with financially motivated attacks. By combining phishing campaigns, modular malware, credential theft, reverse SSH tunneling, and advanced evasion techniques, the group demonstrates how modern attackers are evolving beyond traditional malware deployment.

The emergence of BusySnake Stealer and the apparent use of AI-assisted development further illustrate the changing cyber threat landscape, where increasingly capable malware can be produced more quickly and deployed against a broader range of targets.
