<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Armored Likho - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/armored-likho/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 14:38:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/armored-likho/feed.xml" rel="self" type="application/rss+xml"/><item><title>Armored Likho APT Leverages BusySnake Stealer with AI-Generated Loaders and Phishing</title><link>https://feed.craftedsignal.io/briefs/2026-07-armored-likho-busysnake/</link><pubDate>Wed, 08 Jul 2026 14:38:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-armored-likho-busysnake/</guid><description>The Armored Likho APT group is conducting a spear-phishing campaign against government and energy sectors in Russia, Kazakhstan, and Brazil, using AI-generated loaders and the Python-based BusySnake Stealer to exfiltrate credentials and sensitive data.</description><content:encoded><![CDATA[<p>The newly identified Armored Likho APT group is actively targeting government agencies and electric power organizations across Russia, Kazakhstan, and Brazil through an extensive spear-phishing operation. Observed by Kaspersky researchers, this group deploys a sophisticated malware toolkit, including the Python-based BusySnake Stealer, augmented by AI-generated loaders designed to obscure their operational footprint and complicate attribution. The primary objective of these attacks is cyber-espionage, focusing on credential harvesting and maintaining long-term access to critical infrastructure environments. The campaign, which shows no signs of slowing down, began with spear-phishing messages distributing malicious attachments that ultimately lead to the installation of the BusySnake payload, facilitating comprehensive data exfiltration and remote access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Armored Likho initiates attacks via spear-phishing messages with lure themes such as official government notices, humanitarian aid applications, or psychological tests.</li>
<li>Emails contain malicious archive attachments, delivered either as Nullsoft Scriptable Install System (NSIS)-built EXE droppers or malicious LNK shortcuts.</li>
<li>If the victim opens an NSIS EXE dropper, it launches a legitimate process and injects a malicious loader code.</li>
<li>Alternatively, if the victim opens a malicious LNK shortcut, it executes an obfuscated PowerShell command.</li>
<li>The PowerShell command or injected loader downloads required Python components and the BusySnake payload from GitHub-hosted archives.</li>
<li>The loader establishes persistence on the compromised device, often creating a scheduled task named <code>WindowsHelper</code>.</li>
<li>BusySnake Stealer then actively logs clipboard contents, harvests browser cookies, pulls session tokens from Telegram, captures screenshots, scrapes two-factor authentication secrets, and searches for cryptocurrency wallets, exfiltrating this sensitive data.</li>
<li>Attackers establish reverse SSH tunneling to maintain remote access, manually inspect systems, and pull additional targeted files after initial infection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The Armored Likho group's activities have a severe impact on targeted government and energy organizations in Russia, Kazakhstan, and Brazil. Successful compromises lead to the exfiltration of credentials, sensitive documents, and other high-value data, enabling long-term espionage and unauthorized access to critical infrastructure. The BusySnake Stealer comprehensively collects clipboard data, browser cookies, Telegram session tokens, screenshots, two-factor authentication secrets, and cryptocurrency wallet information. The establishment of reverse SSH tunnels grants attackers persistent remote access, allowing for ongoing surveillance, data collection, and manual exfiltration, potentially disrupting operations or compromising national security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious LNK execution and scheduled task creation.</li>
<li>Implement email security solutions capable of detecting and blocking spear-phishing attempts, particularly those with malicious archive attachments.</li>
<li>Monitor <code>powershell.exe</code> process creation and network connections for unusual activity, especially outbound connections to file hosting services like GitHub.</li>
<li>Enable Sysmon process-creation logging to capture <code>schtasks.exe</code> command lines and PowerShell activity for deeper forensic analysis.</li>
<li>Regularly educate users on identifying spear-phishing emails and reporting suspicious messages, emphasizing the dangers of opening unexpected attachments.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>apt</category><category>infostealer</category><category>phishing</category><category>python</category><category>windows</category><category>government</category><category>energy</category></item></channel></rss>