Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
Armored Likho is a previously undocumented threat actor targeting government and power sectors in Russia, Brazil, and Kazakhstan, blending financial motives with cyber espionage. The group utilizes BusySnake Stealer, a Python-based infostealer that employs dynamic bytecode decryption and evasion techniques to bypass static analysis. Attack vectors include spear-phishing emails with malicious RAR archives and exploitation of CVE-2025-9491 (Windows shortcut vulnerability) for remote code execution
Analysis
TL;DR
- Armored Likho is a previously undocumented threat actor targeting government and power sectors in Russia, Brazil, and Kazakhstan, blending financial motives with cyber espionage.
- The group utilizes BusySnake Stealer, a Python-based infostealer that employs dynamic bytecode decryption and evasion techniques to bypass static analysis.
- Attack vectors include spear-phishing emails with malicious RAR archives and exploitation of CVE-2025-9491 (Windows shortcut vulnerability) for remote code execution.
- BusySnake features extensive capabilities including credential theft, screenshot capture, clipboard monitoring, and integration with Go2Tunnel for reverse SSH tunnels.
- Potential links to the Eagle Werewolf cluster suggest shared infrastructure, tactics, and a focus on high-value targets like UAV manufacturers and defense organizations.
Why It Matters
This incident highlights the increasing sophistication of hybrid threat actors who combine financially motivated operations with targeted state-level espionage, necessitating enhanced detection strategies for both personal and organizational assets. The use of novel evasion techniques in Python-based malware like BusySnake underscores the need for behavioral analysis over signature-based detection, particularly for infostealers designed to bypass dynamic sandboxes. Furthermore, the exploitation of legacy vulnerabilities like CVE-2025-9491 demonstrates that even patched flaws remain critical entry points for advanced persistent threats targeting critical infrastructure.
Technical Details
- Malware Architecture: BusySnake Stealer is a Python-based tool (PYW extension) that runs without a console window. It uses dynamic decryption of bytecode only when functions are called, re-encrypting immediately after to hinder static analysis.
- Persistence and Evasion: The malware establishes persistence via VBScript files and scheduled tasks. It prevents concurrent instances and cleans up artifacts like screenshot archives. A newer version includes a task-management framework for C2 command status reporting (SCHEDULED, IN_PROGRESS, etc.).
- Data Exfiltration Capabilities: Functions include stealing clipboard data, enumerating file metadata, uploading documents, capturing screenshots, logging keystrokes, and extracting cookies/passwords from Firefox and Chromium browsers. It also targets cryptocurrency wallets and Telegram sessions.
- Network and Remote Access: Utilizes Go2Tunnel for reverse SSH tunnels to C2 servers. Can install RustDesk to hijack remote desktop sessions, capturing credentials via screenshots if the victim is prompted to log in.
- Initial Access Vectors: Primary method is spear-phishing with lures related to government notices, delivering EXE droppers from GitHub repositories. Secondary method exploits CVE-2025-9491 via malicious LNK files to execute obfuscated PowerShell commands leading to the stealer.
Industry Insight
Security teams should prioritize monitoring for unusual PowerShell executions and VBScript activity, especially in conjunction with scheduled task modifications, as these are key indicators of BusySnake’s persistence mechanisms. Organizations must ensure strict patch management for Windows shortcut vulnerabilities and implement application whitelisting to prevent unauthorized execution of downloaded payloads from sources like GitHub. Additionally, behavioral detection models should be tuned to identify the unique dynamic decryption patterns and C2 communication structures associated with modern Python-based infostealers.
Disclaimer: The above content is generated by AI and is for reference only.