{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/armored-likho/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Armored Likho"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["apt","infostealer","phishing","python","windows","government","energy"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe newly identified Armored Likho APT group is actively targeting government agencies and electric power organizations across Russia, Kazakhstan, and Brazil through an extensive spear-phishing operation. Observed by Kaspersky researchers, this group deploys a sophisticated malware toolkit, including the Python-based BusySnake Stealer, augmented by AI-generated loaders designed to obscure their operational footprint and complicate attribution. The primary objective of these attacks is cyber-espionage, focusing on credential harvesting and maintaining long-term access to critical infrastructure environments. The campaign, which shows no signs of slowing down, began with spear-phishing messages distributing malicious attachments that ultimately lead to the installation of the BusySnake payload, facilitating comprehensive data exfiltration and remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eArmored Likho initiates attacks via spear-phishing messages with lure themes such as official government notices, humanitarian aid applications, or psychological tests.\u003c/li\u003e\n\u003cli\u003eEmails contain malicious archive attachments, delivered either as Nullsoft Scriptable Install System (NSIS)-built EXE droppers or malicious LNK shortcuts.\u003c/li\u003e\n\u003cli\u003eIf the victim opens an NSIS EXE dropper, it launches a legitimate process and injects a malicious loader code.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the victim opens a malicious LNK shortcut, it executes an obfuscated PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe PowerShell command or injected loader downloads required Python components and the BusySnake payload from GitHub-hosted archives.\u003c/li\u003e\n\u003cli\u003eThe loader establishes persistence on the compromised device, often creating a scheduled task named \u003ccode\u003eWindowsHelper\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBusySnake Stealer then actively logs clipboard contents, harvests browser cookies, pulls session tokens from Telegram, captures screenshots, scrapes two-factor authentication secrets, and searches for cryptocurrency wallets, exfiltrating this sensitive data.\u003c/li\u003e\n\u003cli\u003eAttackers establish reverse SSH tunneling to maintain remote access, manually inspect systems, and pull additional targeted files after initial infection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Armored Likho group's activities have a severe impact on targeted government and energy organizations in Russia, Kazakhstan, and Brazil. Successful compromises lead to the exfiltration of credentials, sensitive documents, and other high-value data, enabling long-term espionage and unauthorized access to critical infrastructure. The BusySnake Stealer comprehensively collects clipboard data, browser cookies, Telegram session tokens, screenshots, two-factor authentication secrets, and cryptocurrency wallet information. The establishment of reverse SSH tunnels grants attackers persistent remote access, allowing for ongoing surveillance, data collection, and manual exfiltration, potentially disrupting operations or compromising national security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious LNK execution and scheduled task creation.\u003c/li\u003e\n\u003cli\u003eImplement email security solutions capable of detecting and blocking spear-phishing attempts, particularly those with malicious archive attachments.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003epowershell.exe\u003c/code\u003e process creation and network connections for unusual activity, especially outbound connections to file hosting services like GitHub.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture \u003ccode\u003eschtasks.exe\u003c/code\u003e command lines and PowerShell activity for deeper forensic analysis.\u003c/li\u003e\n\u003cli\u003eRegularly educate users on identifying spear-phishing emails and reporting suspicious messages, emphasizing the dangers of opening unexpected attachments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:38:38Z","date_published":"2026-07-08T14:38:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-armored-likho-busysnake/","summary":"The Armored Likho APT group is conducting a spear-phishing campaign against government and energy sectors in Russia, Kazakhstan, and Brazil, using AI-generated loaders and the Python-based BusySnake Stealer to exfiltrate credentials and sensitive data.","title":"Armored Likho APT Leverages BusySnake Stealer with AI-Generated Loaders and Phishing","url":"https://feed.craftedsignal.io/briefs/2026-07-armored-likho-busysnake/"}],"language":"en","title":"CraftedSignal Threat Feed - Armored Likho","version":"https://jsonfeed.org/version/1.1"}