Skip to content
Threat Feed
high threat

Armored Likho APT Leverages BusySnake Stealer with AI-Generated Loaders and Phishing

The Armored Likho APT group is conducting a spear-phishing campaign against government and energy sectors in Russia, Kazakhstan, and Brazil, using AI-generated loaders and the Python-based BusySnake Stealer to exfiltrate credentials and sensitive data.

The newly identified Armored Likho APT group is actively targeting government agencies and electric power organizations across Russia, Kazakhstan, and Brazil through an extensive spear-phishing operation. Observed by Kaspersky researchers, this group deploys a sophisticated malware toolkit, including the Python-based BusySnake Stealer, augmented by AI-generated loaders designed to obscure their operational footprint and complicate attribution. The primary objective of these attacks is cyber-espionage, focusing on credential harvesting and maintaining long-term access to critical infrastructure environments. The campaign, which shows no signs of slowing down, began with spear-phishing messages distributing malicious attachments that ultimately lead to the installation of the BusySnake payload, facilitating comprehensive data exfiltration and remote access.

Attack Chain

  1. Armored Likho initiates attacks via spear-phishing messages with lure themes such as official government notices, humanitarian aid applications, or psychological tests.
  2. Emails contain malicious archive attachments, delivered either as Nullsoft Scriptable Install System (NSIS)-built EXE droppers or malicious LNK shortcuts.
  3. If the victim opens an NSIS EXE dropper, it launches a legitimate process and injects a malicious loader code.
  4. Alternatively, if the victim opens a malicious LNK shortcut, it executes an obfuscated PowerShell command.
  5. The PowerShell command or injected loader downloads required Python components and the BusySnake payload from GitHub-hosted archives.
  6. The loader establishes persistence on the compromised device, often creating a scheduled task named WindowsHelper.
  7. BusySnake Stealer then actively logs clipboard contents, harvests browser cookies, pulls session tokens from Telegram, captures screenshots, scrapes two-factor authentication secrets, and searches for cryptocurrency wallets, exfiltrating this sensitive data.
  8. Attackers establish reverse SSH tunneling to maintain remote access, manually inspect systems, and pull additional targeted files after initial infection.

Impact

The Armored Likho group's activities have a severe impact on targeted government and energy organizations in Russia, Kazakhstan, and Brazil. Successful compromises lead to the exfiltration of credentials, sensitive documents, and other high-value data, enabling long-term espionage and unauthorized access to critical infrastructure. The BusySnake Stealer comprehensively collects clipboard data, browser cookies, Telegram session tokens, screenshots, two-factor authentication secrets, and cryptocurrency wallet information. The establishment of reverse SSH tunnels grants attackers persistent remote access, allowing for ongoing surveillance, data collection, and manual exfiltration, potentially disrupting operations or compromising national security.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious LNK execution and scheduled task creation.
  • Implement email security solutions capable of detecting and blocking spear-phishing attempts, particularly those with malicious archive attachments.
  • Monitor powershell.exe process creation and network connections for unusual activity, especially outbound connections to file hosting services like GitHub.
  • Enable Sysmon process-creation logging to capture schtasks.exe command lines and PowerShell activity for deeper forensic analysis.
  • Regularly educate users on identifying spear-phishing emails and reporting suspicious messages, emphasizing the dangers of opening unexpected attachments.

Detection coverage 2

BusySnake Stealer - LNK Executing Obfuscated PowerShell

high

Detects the execution of obfuscated PowerShell commands by explorer.exe or cmd.exe, a common delivery method for BusySnake Stealer via malicious LNK files.

sigma tactics: defense_evasion, execution techniques: T1027, T1059.001 sources: process_creation, windows

BusySnake Stealer - Scheduled Task Persistence (WindowsHelper)

high

Detects the creation of the 'WindowsHelper' scheduled task, used by BusySnake Stealer for persistence on compromised systems.

sigma tactics: persistence techniques: T1053.005 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →