Researchers from Kaspersky have identified a newly discovered advanced persistent threat (APT) group named Armored Likho. This group is conducting targeted campaigns against government entities and the electric power industry, with observed activity in Russia, Brazil, and Kazakhstan. Armored Likho's operations are a hybrid of cyber-espionage and financially motivated attacks. The group employs a custom toolkit that includes a new Python-based information stealer called BusySnake Stealer, as well as other modular RATs and tools. There is evidence suggesting the use of AI in generating some of their payloads, and a potential operational overlap with another threat cluster known as "Eagle Werewolf."
Armored Likho represents a sophisticated and evolving threat. Their campaigns are characterized by targeted social engineering and the use of custom malware designed for stealth and persistence.
- Spear-phishing attachments for initial access (T1566.001 - Spearphishing Attachment).
- Payload delivery via ingress tool transfer (T1105 - Ingress Tool Transfer).
- Go2Tunnel for creating covert SSH tunnels for C2 communications.

Armored Likho's TTPs demonstrate a focus on evasion and data theft.

- Defense evasion through obfuscation (T1027 - Obfuscated Files or Information and T1140 - Deobfuscate/Decode Files or Information). The use of AI to generate code could be a method to create unique, non-signatured payloads for each target.
- Collection via T1113 - Screen Capture, T1005 - Data from Local System, and T1115 - Clipboard Data.
- Go2Tunnel for SSH tunneling is an example of T1572 - Protocol Tunneling to hide C2 traffic within an encrypted channel.
- Persistence via T1547.001 - Registry Run Keys / Startup Folder.

The targeting of government and energy sectors by a sophisticated APT group like Armored Likho poses a significant national security risk. A successful compromise could lead to:
No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were mentioned in the source articles.
Security teams should hunt for signs of stealthy Python malware and unusual data exfiltration. The following patterns could indicate related activity:
- Unexpected execution of python.exe or pythonw.exe.
- Outbound SSH tunnels (e.g., Go2Tunnel) being established from within the network to external destinations.
- Connections to raw.githubusercontent.com from non-developer machines.
- *.pyc files in temporary directories.

Training employees to recognize and report spear-phishing attempts is the first line of defense against this group's initial access vector.
Filtering egress traffic to block connections to unauthorized domains like GitHub from non-developer machines can disrupt payload delivery.
Using application control to prevent the execution of untrusted Python scripts can mitigate the malware.
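As an added illustration (not code from the Kaspersky research or this article), the hunting patterns above expressed as simple rules run over constructed sample events; the host names, process names, the developer allow-list and the RFC 1918 ranges used to define "internal" are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample events (not real telemetry): two benign records and
# two that match the hunt patterns listed above.
EVENTS = [
    {"host": "fin-ws01", "proc": "pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\a\AppData\Local\Temp\upd.pyc",
     "dst": "raw.githubusercontent.com", "dport": 443},
    {"host": "dev-ws07", "proc": "python.exe", "cmdline": "python.exe build.py",
     "dst": "raw.githubusercontent.com", "dport": 443},
    {"host": "fin-ws01", "proc": "tunnel.exe", "cmdline": "tunnel.exe",
     "dst": "203.0.113.9", "dport": 22},
    {"host": "srv-db02", "proc": "sqlservr.exe", "cmdline": "sqlservr.exe",
     "dst": "10.0.0.5", "dport": 1433},
]
DEV_HOSTS = {"dev-ws07"}  # assumed allow-list of developer machines
PYTHON_PROCS = {"python.exe", "pythonw.exe"}
# .pyc loaded from a Temp/Tmp directory on the command line
TEMP_PYC = re.compile(r"\\(temp|tmp)\\\S*\.pyc\b", re.IGNORECASE)
# Assumed internal address space (RFC 1918)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dst):
    """True for destinations outside the internal ranges; hostnames count as external."""
    try:
        addr = ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL)


def hunt(events):
    """Return (host, rule) pairs for every event matching a hunt pattern."""
    hits = []
    for e in events:
        if e["proc"].lower() in PYTHON_PROCS and TEMP_PYC.search(e["cmdline"]):
            hits.append((e["host"], "python_pyc_from_temp"))
        if e["dst"] == "raw.githubusercontent.com" and e["host"] not in DEV_HOSTS:
            hits.append((e["host"], "github_raw_from_nondev"))
        if e["dport"] == 22 and is_external(e["dst"]):
            hits.append((e["host"], "outbound_ssh_tunnel"))
    return hits


if __name__ == "__main__":
    for host, rule in hunt(EVENTS):
        print(f"{host}: {rule}")
```

Each rule alone is noisy in a real estate; correlating several hits on the same host, as fin-ws01 produces here, is what makes the pattern worth triaging.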

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.