GBHackers

Armored Likho APT Deploys BusySnake Stealer Against Government and Power Sector Targets


Securelist researchers have detailed a focused phishing campaign operated by a previously unreported APT they have named Armored Likho (also tracked under the provisional alias Eagle Werewolf).

The group is targeting government agencies and the electric power sector across Russia, Brazil and Kazakhstan, and demonstrates an evolving toolkit that blends commodity and bespoke tooling to support both financially motivated operations and targeted cyber-espionage.

Initial access is achieved primarily through socially engineered spear-phishing emails carrying archive attachments. Two main delivery patterns recur: NSIS-built EXE droppers and malicious LNK shortcuts that abuse the way Windows displays .lnk command-line parameters.

The EXE variant commonly presents a decoy (for example a faux psychological survey) while extracting and executing a hidden loader.

That loader injects code into a benign process and retrieves staged payload packages from GitHub repositories under automated, rapidly rotating paths. Repositories contain development builds and test samples, enabling the actor to iterate payloads and shift infrastructure quickly.

Alternate campaigns use crafted LNK files that conceal execution parameters (see public coverage of the ZDI-CAN-25373 LNK-related disclosure).

According to the Securelist report shared with GBHackers, the campaign centers on a newly observed Python-based infostealer, BusySnake Stealer, accompanied by modular RAT capabilities, network tunneling utilities (notably Go2Tunnel), and AI-assisted first-stage payload generation that complicates attribution and detection.

In one attack variant, the archive contains a dropper named psihologicheskiy_test.exe, which is a self-extracting archive built using the Nullsoft Scriptable Install System (NSIS).

BusySnake Stealer Malware

Executing the shortcut triggers an obfuscated PowerShell chain that downloads and runs the same loader family, which in turn fetches a packaged Python 3.12 runtime, a PyArmor-protected payload archive, and get-pip.py to install dependencies.

Payload repository example (Source: Securelist).

Both vectors converge on the BusySnake Stealer, which the group deploys persistently via VBScript and scheduled tasks configured to run every five minutes.
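The persistence described above leaves a recognisable trace in the Task Scheduler: a task that repeats every few minutes and launches a script host or a windowless Python interpreter. The following triage script is an added example, not Securelist's analysis code or anything recovered from the actor; it parses exported task XML (what `schtasks /Query /TN <name> /XML` produces), and the two task definitions, the file path, the 10-minute threshold and the list of script-host binaries are all constructed assumptions.

```python
"""Triage exported Scheduled Task XML for short-interval tasks that launch a
VBScript host or a windowless Python interpreter (the BusySnake persistence
pattern). Added example with constructed inputs; not code from the report."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters a task repeating every few minutes seldom needs (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "pythonw.exe", "python.exe",
                "powershell.exe", "mshta.exe"}

# Constructed task resembling the reported pattern: every 5 minutes, wscript runs a VBS.
# Real exports carry a UTF-16 XML declaration; pass those to triage_task() as bytes.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-15T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\Public\Libraries\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a daily vendor updater with no repetition interval.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-15T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def parse_duration(text):
    """Convert the ISO 8601 duration used by <Interval> (e.g. PT5M) to seconds."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(xml_text, max_interval_s=600):
    """Return one finding per <Exec> action. An action is marked suspicious when
    the task repeats at most every max_interval_s seconds AND it either runs a
    script-host binary or references a .vbs/.js/.py/.pyw payload."""
    root = ET.fromstring(xml_text)
    intervals = [parse_duration(el.text or "")
                 for el in root.iterfind(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if i is not None and i <= max_interval_s]
    findings = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        cmdline = f"{cmd} {args}".strip()
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"launches script host {exe}")
        if re.search(r"\.(vbs|vbe|js|pyw?)\b", cmdline.lower()):
            reasons.append("command line references a script or Python payload")
        if short:
            reasons.append(f"repeats every {min(short)} s")
        findings.append({"command": cmdline, "reasons": reasons,
                         "suspicious": bool(short) and len(reasons) > 1})
    return findings


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        for f in triage_task(xml):
            print(name, "SUSPICIOUS" if f["suspicious"] else "ok", f["command"], f["reasons"])
```

Run it over the output of `schtasks /Query /XML ONE` split per task, or over the files under `C:\Windows\System32\Tasks`; tasks that pair a short repeat interval with `wscript.exe`, `pythonw.exe` or a `.pyw` argument in a user-writable path deserve a closer look.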

The stealer maintains an active connection with the C2 server to await incoming instructions during execution. The poll_task function polls the C2 server in a continuous loop for new commands.

BusySnake Stealer is engineered for stealth and operational flexibility. Protected with PyArmor Pro 9.2.0, its bytecode is dynamically decrypted only at call time and re-encrypted after use, and the main payload runs as a .pyw to avoid console windows.

Analysis of stripped samples reveals a handler-based architecture: single-instance locking using a custom lock-file algorithm; continuous clipboard harvesting; recursive inventorying of user files into a local SQLite database while scanning for 64-character hex strings (64 hex characters encode 32 bytes, the size of a raw 256-bit key); selective exfiltration of documents under size and path filters; screenshot capture and archival; and a persistent C2 polling loop.

C2 administration panel sign-in form (Source: Securelist).

The stealer’s command and control exchange uses simple HTTP GET requests with a browser-like User-Agent and instructs compromised hosts by sending function names.
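A polling loop like the one described in the two passages above (a continuous loop of plain HTTP GETs to one URL with a browser-like User-Agent) is hard to spot by payload but easy to spot by timing: the same client fetches the same URL at near-constant intervals. The detector below is an added example, not Securelist's code or anything from the malware; the proxy log format, the IP addresses, the `/task` path and the thresholds are constructed assumptions, and it generalises to any fixed-interval beacon rather than this one stealer.

```python
"""Flag (client, URL) pairs whose GET requests arrive at near-constant
intervals, the signature of a C2 polling loop. Added example on a constructed
proxy log; not code from the report or the malware."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client, method, URL, quoted User-Agent, status.
# 10.0.0.5 polls one URL roughly every 30 s with a browser-like UA (the beacon);
# 10.0.0.9 browses normally; 10.0.0.12 hits one API at irregular times.
LOG = """\
2025-01-15T09:00:00 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:00:05 10.0.0.9 GET http://203.0.113.20/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:00:30 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:00:00 10.0.0.12 GET http://203.0.113.20/api/status "python-requests/2.31" 200
2025-01-15T09:00:05 10.0.0.12 GET http://203.0.113.20/api/status "python-requests/2.31" 200
2025-01-15T09:01:00 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:00:07 10.0.0.9 GET http://203.0.113.20/images/logo.png "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:01:31 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:02:01 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:02:05 10.0.0.12 GET http://203.0.113.20/api/status "python-requests/2.31" 200
2025-01-15T09:02:08 10.0.0.12 GET http://203.0.113.20/api/status "python-requests/2.31" 200
2025-01-15T09:02:31 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:03:01 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:03:30 10.0.0.5 GET http://198.51.100.7/task "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:03:44 10.0.0.9 GET http://203.0.113.20/news "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2025-01-15T09:12:08 10.0.0.12 GET http://203.0.113.20/api/status "python-requests/2.31" 200
2025-01-15T09:12:48 10.0.0.12 GET http://203.0.113.20/api/status "python-requests/2.31" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')


def parse_log(text):
    """Parse the constructed format into (timestamp, client, method, url, ua) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, ua, _status = m.groups()
            events.append((datetime.fromisoformat(ts), client, method, url, ua))
    return events


def find_beacons(events, min_requests=6, max_cv=0.15):
    """Group GETs by (client, url) and flag series with at least min_requests
    whose inter-arrival times have a coefficient of variation (stdev/mean)
    at or below max_cv. Low CV means a timer, not a human."""
    series = defaultdict(list)
    for ts, client, method, url, _ua in events:
        if method == "GET":
            series[(client, url)].append(ts)
    findings = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "url": url, "requests": len(stamps),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(LOG)):
        print(f"{f['client']} -> {f['url']}: {f['requests']} GETs every ~{f['interval_s']} s (cv {f['cv']})")
```

The irregular `/api/status` client is not flagged because its gaps vary widely, which is what separates a polling loop from an application that calls an endpoint when it needs to. In production, adjust `min_requests` and `max_cv` to the observed jitter and pair the timing signal with the other details reported here (a browser User-Agent with no accompanying page resources, and a `pythonw.exe` parent process on the endpoint).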

Available remote commands encompass full credential and cookie theft from Chromium and Firefox stores (including DPAPI/PK11 decryption routines), installation of a browser extension to extract cookies, OTP/key scraping via clipboard monitoring and file parsing, Telegram session exfiltration, selective wallet file harvesting, and remote-control facilitation.

The actor also supports on-demand reverse SSH tunneling and remote session capture by manipulating RustDesk installations to harvest re-entered credentials.

Operationally notable is the group’s adoption of AI to generate first-stage loaders: the loader source code contains verbose, emoji-laden comments, an anomaly consistent with LLM-assisted development.

This, combined with polymorphism (multiple BusySnake builds and cookie-focused modules), the use of public code hosting for rapid payload distribution, and layered obfuscation, marks a clear step in technical maturity and evasion sophistication.

Defenders should prioritize email gateway hardening, strict macro and LNK handling policies, endpoint detection for staged Python runtimes (such as pythonw.exe launching .pyw files from user-writable paths) and PyArmor artifacts, and monitoring for short-interval scheduled tasks and unusual GitHub fetch patterns.
