Cybersecurity researchers at Kaspersky have named a previously undocumented threat actor behind an ongoing spear-phishing operation targeting government agencies and electric power organizations in Russia, Kazakhstan, and Brazil.
The group, which they call Armored Likho, is running an extensive malware toolkit built to steal credentials, sensitive documents, and other high-value data. The operation relies on a new Python-based infostealer that analysts call BusySnake, which steals credentials and sensitive files from compromised systems.
Motivation
Researchers believe that there are two motives for the group to run this campaign. One is financially motivated targeting private individuals, and the other is cyber-espionage aimed at organizations.
Kaspersky did not attribute the group to any specific nation, but noted that the campaign appears focused on credential harvesting and maintaining long-term access in government and critical infrastructure environments.
How The Attack Works
The attack chain starts with spear-phishing messages, with lure themes ranging from official government notices to humanitarian aid applications and psychological tests.
These emails contain malicious archive attachments that follow two main delivery patterns, including Nullsoft Scriptable Install System (NSIS)- built EXE droppers and malicious LNK shortcuts that abuse the way Windows handles .lnk parameters.
Once a victim extracts and opens the attachment, both delivery paths lead to BusySnake Stealer being installed on the device. In the EXE route, the NSIS dropper launches a legitimate process and injects malicious loader code into it.
In the LNK route, an obfuscated PowerShell command downloads and runs the loader. From there, the loader pulls the required Python components and the BusySnake payload from GitHub-hosted archives before setting up persistence.
Stealing the Data
Upon infection and taking control of a device, attackers immediately gain access to a vast amount of sensitive data. The malware actively logs clipboard contents, harvests browser cookies, pulls session tokens from Telegram, documents exfiltration, screenshot capture, scrapes two-factor authentication secrets, and searches for cryptocurrency wallets.
The attackers also built reverse SSH tunneling into BusySnake, giving them a way to maintain remote access, manually inspect compromised systems, and pull out targeted files after infection.
Using AI to Hide Tracks
According to the company’s blog post, tracking the origins of these loaders has proven difficult because the hackers utilize AI to generate their initial malicious payloads.
This automated approach changes the code structure enough to obscure the group’s normal habits and complicate attribution efforts.
Previous Attacks Linked to Armored Likho
Kaspersky says the campaign is linked to a newly named APT group it tracks as Armored Likho, also known as Eagle Werewolf, based on circumstantial evidence. Although the group is newly named in this report, researchers linked it to earlier activity involving AquilaRAT.
For context, AquilaRAT and BusySnake Stealer share a similar structure. Both use comparable C2 endpoints to report task execution and register scheduled tasks that pose as legitimate Microsoft utilities. AquilaRAT uses MicrosoftOfficeUpdate, while BusySnake Stealer uses WindowsHelper.
Kaspersky says the operation shows no sign of slowing down. At the time of writing, Armored Likho remains highly active, and despite the evolution of their malware variants and efforts to obfuscate their TTPs, Kaspersky continues to closely monitor the group’s footprint and detect new campaigns.

