Armored Likho: New APT Group Targets Global Energy and Government Sectors with BusySnake Stealer

New APT 'Armored Likho' Deploys 'BusySnake' Stealer Against Energy & Government

Severity: HIGH
Published: July 4, 2026
Categories: Threat Actor, Malware, Industrial Control Systems

Related Entities

Threat Actors

Armored Likho, Eagle Werewolf

Organizations

Kaspersky, BI.ZONE

Other

BusySnake Stealer, GitHub, Go2Tunnel

Full Report

Executive Summary

Researchers from Kaspersky have identified a newly discovered advanced persistent threat (APT) group named Armored Likho. This group is conducting targeted campaigns against government entities and the electric power industry, with observed activity in Russia, Brazil, and Kazakhstan. Armored Likho's operations are a hybrid of cyber-espionage and financially motivated attacks. The group employs a custom toolkit that includes a new Python-based information stealer called BusySnake Stealer, as well as other modular RATs and tools. There is evidence suggesting the use of AI in generating some of their payloads, and a potential operational overlap with another threat cluster known as "Eagle Werewolf."

Threat Overview

Armored Likho represents a sophisticated and evolving threat. Their campaigns are characterized by targeted social engineering and the use of custom malware designed for stealth and persistence.

  • Initial Access: The primary vector is spear-phishing emails tailored to their targets, often disguised as official government notices. These emails carry malicious RAR archives containing droppers (T1566.001 - Spearphishing Attachment).
  • Payload Delivery: The initial droppers retrieve second-stage payloads from public GitHub repositories, a common technique to blend in with legitimate developer traffic (T1105 - Ingress Tool Transfer).
  • Malware Arsenal: The group's main tool is the BusySnake Stealer, a modular Python-based infostealer. It is capable of establishing persistence, exfiltrating user documents, capturing screenshots, and stealing data from the system clipboard and browser cookies. They also utilize tools like Go2Tunnel for creating covert SSH tunnels for C2 communications.
  • Targets: The group has a clear focus on high-value targets, including government agencies and the electric power sector, indicating espionage as a primary motive. Other targets include defense organizations involved in UAV manufacturing.

Technical Analysis

Armored Likho's TTPs demonstrate a focus on evasion and data theft.

Impact Assessment

The targeting of government and energy sectors by a sophisticated APT group like Armored Likho poses a significant national security risk. A successful compromise could lead to:

  • Espionage: Theft of sensitive government documents, state secrets, or intellectual property related to defense and energy infrastructure.
  • Infrastructure Disruption: In the energy sector, a compromise could move from data theft to operational disruption, potentially impacting the power grid.
  • Financial Loss: The financially motivated component of their attacks could lead to direct theft or extortion. The group's continuous development of its toolkit and potential use of AI suggests they are a persistent and adaptable adversary capable of causing significant damage.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams should hunt for signs of stealthy Python malware and unusual data exfiltration. The following patterns could indicate related activity:

  • Process Name: python.exe or pythonw.exe
    Look for Python processes running from unusual locations or with obfuscated script arguments, especially if spawned by an email client or browser.
  • Network Traffic Pattern: Outbound SSH traffic to non-standard ports or unknown IPs
    Monitor for SSH tunnels (Go2Tunnel) being established from within the network to external destinations.
  • DNS Query: raw.githubusercontent.com
    While often legitimate, DNS queries to this domain from non-developer workstations could indicate a payload download attempt.
  • File Path: *.pyc files in temporary directories
    Hunt for compiled Python files being written to and executed from temporary user directories.

Detection & Response

  1. Script Block Logging: Enable and ingest PowerShell and Python script block logging. This provides visibility into the commands executed by malware like BusySnake, even if the script itself is obfuscated. This is a form of D3FEND's Process Analysis (D3-PA).
  2. Network Traffic Analysis: Decrypt and analyze network traffic where possible. Monitor for protocol tunneling (e.g., SSH over non-standard ports) and connections to known malicious or suspicious domains, including GitHub repositories used for C2. This aligns with Network Traffic Analysis (D3-NTA).
  3. Email Security: Use email security gateways with sandboxing capabilities to analyze attachments like RAR archives and detect malicious droppers before they reach the user.
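The hunting hints above and the process and network analysis steps in Detection & Response can be turned into concrete checks over endpoint telemetry. The script below is an added example written for this page, not tooling from the article or from Kaspersky's research; it runs four checks (interpreter location and parent, outbound SSH on odd ports from non-admin hosts, GitHub raw-content lookups from non-developer machines, compiled Python in temp directories) over constructed, Sysmon-like event records. The field names, host roles, trusted install paths and the jump-box name are assumptions of the example, and the sample IPs are documentation ranges, not indicators from the report.

```python
"""Hunting checks for the BusySnake-style observables listed above.
Added example; event schema, roles and jump-box names are assumptions."""
from __future__ import annotations

import fnmatch
import ipaddress
import ntpath
from dataclasses import dataclass, field

PYTHON_BINARIES = {"python.exe", "pythonw.exe"}
TRUSTED_PY_DIRS = (r"c:\python*\*", r"c:\program files\python*\*")   # assumed sanctioned installs
TEMP_DIRS = (r"*\appdata\local\temp\*", r"*\windows\temp\*")
EMAIL_AND_BROWSERS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
OBFUSCATION_MARKERS = ("-c ", "exec(", "b64decode", "base64")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_SSH_HOSTS = {"jump-01"}                    # assumed administrative jump boxes
PAYLOAD_HOSTING = {"raw.githubusercontent.com"}


@dataclass
class Finding:
    rule: str
    subject: str
    reasons: list[str] = field(default_factory=list)


def _matches(path: str, patterns: tuple[str, ...]) -> bool:
    # Case-insensitive glob match on Windows-style paths (backslashes are literal to fnmatch).
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in patterns)


def check_process(ev: dict) -> Finding | None:
    """Python interpreter in an odd location, spawned by mail/browser, or with inline/encoded code."""
    if ntpath.basename(ev["image"]).lower() not in PYTHON_BINARIES:
        return None
    reasons = []
    if _matches(ev["image"], TEMP_DIRS) or not _matches(ev["image"], TRUSTED_PY_DIRS):
        reasons.append("interpreter outside trusted install directory")
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    if parent in EMAIL_AND_BROWSERS:
        reasons.append(f"spawned by {parent}")
    if any(m in ev.get("cmdline", "").lower() for m in OBFUSCATION_MARKERS):
        reasons.append("inline or encoded script arguments")
    return Finding("suspicious_python_process", ev["image"], reasons) if reasons else None


def check_network(ev: dict) -> Finding | None:
    """Outbound SSH to an external address from a non-admin host or on a non-standard port."""
    if not (ev.get("app") == "ssh" or ev.get("dest_port") == 22):
        return None
    ip = ipaddress.ip_address(ev["dest_ip"])
    if any(ip in net for net in INTERNAL_NETS):
        return None  # internal administrative SSH is out of scope for this hunt
    reasons = []
    if ev["host"].lower() not in APPROVED_SSH_HOSTS:
        reasons.append("outbound SSH from non-admin host")
    if ev.get("dest_port") != 22:
        reasons.append(f"non-standard port {ev.get('dest_port')}")
    return Finding("covert_ssh_tunnel", f"{ev['host']}->{ev['dest_ip']}", reasons) if reasons else None


def check_dns(ev: dict) -> Finding | None:
    """raw.githubusercontent.com resolved by a workstation that has no developer role."""
    if ev["query"].lower() in PAYLOAD_HOSTING and ev.get("role") != "developer":
        return Finding("payload_fetch_from_github", ev["host"],
                       [f"{ev['query']} queried by {ev.get('role')} workstation"])
    return None


def check_file(ev: dict) -> Finding | None:
    """Compiled Python written into a temporary directory."""
    if fnmatch.fnmatchcase(ev["path"].lower(), "*.pyc") and _matches(ev["path"], TEMP_DIRS):
        return Finding("compiled_python_in_temp", ev["path"], ["*.pyc written to temporary directory"])
    return None


CHECKS = {"process": check_process, "network": check_network, "dns": check_dns, "file": check_file}


def hunt(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings


# Constructed sample telemetry (not real IoCs; IPs are RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-FIN-042", "image": r"C:\Users\alice\AppData\Local\Temp\pythonw.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "pythonw.exe -c \"exec(__import__('base64').b64decode('aW1wb3J0IG9z'))\""},
    {"type": "process", "host": "DEV-017", "image": r"C:\Python312\python.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "python.exe build.py"},
    {"type": "network", "host": "WS-FIN-042", "app": "ssh", "dest_ip": "203.0.113.7", "dest_port": 8022},
    {"type": "network", "host": "JUMP-01", "app": "ssh", "dest_ip": "198.51.100.20", "dest_port": 22},
    {"type": "dns", "host": "WS-FIN-042", "role": "finance", "query": "raw.githubusercontent.com"},
    {"type": "dns", "host": "DEV-017", "role": "developer", "query": "raw.githubusercontent.com"},
    {"type": "file", "host": "WS-FIN-042", "path": r"C:\Users\alice\AppData\Local\Temp\upd.pyc", "action": "create"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.subject}: {'; '.join(f.reasons)}")
```

Each check returns a reason list rather than a bare boolean so that a finding with several weak signals (temp-directory interpreter, mail-client parent, encoded command line) ranks above one that trips a single heuristic. The developer and jump-box exceptions exist because raw.githubusercontent.com lookups and outbound SSH are routine on those hosts; without them the rules would be too noisy to act on.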

Mitigation

  1. User Training: Train users to be suspicious of unsolicited emails, especially those with attachments that claim to be official notices. This is a key part of User Training (M1017).
  2. Application Control: Use application control policies to restrict the execution of scripting languages like Python from user-writable directories. This aligns with Executable Denylisting (D3-EDL).
  3. Egress Filtering: Block or restrict outbound traffic for protocols like SSH from general user workstations, allowing it only from authorized administrative jump boxes. This is a form of Outbound Traffic Filtering (D3-OTF).
  4. Endpoint Hardening: Harden endpoints by disabling unused services and enforcing the principle of least privilege to limit the impact of a successful compromise.

Timeline of Events

  1. July 4, 2026: This article was published.

MITRE ATT&CK Mitigations

Training employees to recognize and report spear-phishing attempts is the first line of defense against this group's initial access vector.

Filtering egress traffic to block connections to unauthorized domains like GitHub from non-developer machines can disrupt payload delivery.

Using application control to prevent the execution of untrusted Python scripts can mitigate the malware.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Armored Likho, APT, BusySnake, Kaspersky, Espionage, Energy Sector, Government, Malware
