216.73.216.170

Armored Likho's new weapon: BusySnake Stealer

· Published 03/07/2026 14:13

Export JSON

Essential information

Published
03/07/2026 14:13
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
aquilarat browser password extraction busysnake stealer credential theft electric power sector go2tunnel government targeting pyarmor obfuscation reverse ssh tunnel spear-phishing
Related entities
17 indicators, 14 observables, 1 intrusion sets (apt), 20 techniques (mitre), 3 malware

Description

Kaspersky uncovered a sophisticated phishing campaign by the APT group Armored Likho, deploying a previously undocumented Python-based infostealer dubbed BusySnake Stealer. The campaign targets government agencies and electric power sectors across Russia, Brazil, and Kazakhstan through emails containing malicious EXE or LNK attachments. BusySnake Stealer features advanced obfuscation using PyArmor Pro, extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for remote access. The threat actor leverages AI-generated code for first-stage payloads and distributes components via GitHub repositories. The stealer maintains persistence through scheduled tasks and communicates with C2 infrastructure to receive commands dynamically, representing a significant evolution in the group's technical capabilities.

External references