Summary Points
- The threat actor Armored Likho targets government and power sectors using sophisticated, obfuscated malware—including modular RATs and Python-based stealers—to maintain persistence, bypass analysis, and exfiltrate sensitive data.
- Attacks begin with spear-phishing and exploit a patched Windows shortcut vulnerability (CVE-2025-9491) to trigger PowerShell loaders and deploy payloads like BusySnake Stealer, which can steal cookies, capture screenshots, and establish covert communication channels.
- The group employs advanced evasion techniques, AI-assisted malware development, and integrated tools like Go2Tunnel within malware to dynamically manage C2 commands, making detection and mitigation highly challenging.
Threat Overview, Attack Techniques, and Targets
Armored Likho is a cyber threat actor that targets government agencies and the power sector in Russia, Brazil, and Kazakhstan. The group conducts both financially motivated and espionage campaigns. They use obfuscated and modular Remote Access Trojans (RATs) and infostealers designed to bypass detection.
The attack begins with spear-phishing emails. These emails often contain fake government notices or social program alerts. They include RAR archives with executable files acting as droppers. These droppers retrieve additional payloads from GitHub, including the BusySnake Stealer. Sometimes, the malware uses Windows shortcuts (LNK files) exploiting a known vulnerability patched by Microsoft in November 2025 (CVE-2025-9491).
Once inside a system, the group employs tools like Go2Tunnel for remote access. They also use hidden scripts to erase traces, launch payloads, and establish persistence. The threat actor infects systems with private Python-based malware called BusySnake. This malware is specifically built to avoid static analysis and detection. It communicates with a command-and-control (C2) server to carry out various malicious activities.
Impact, Security Implications, and Remediation Guidance
The BusySnake Stealer can steal cookies, capture screenshots, log keystrokes, and gather credentials from browsers. It can also upload sensitive data to its C2 server, establish SSH tunnels, and install remote desktop software like RustDesk. The malware can adapt by updating its commands and handling multiple tasks simultaneously. It supports persistent infection via scheduled tasks and can run covertly in the background.
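The attack chain and post-infection behaviour described above (a PowerShell loader launched from a shortcut or archive, payload retrieval from GitHub, scheduled-task persistence, and a dropped RustDesk installer) translate into a handful of process- and network-telemetry checks a defender can run. The following Python script is an added example, not code from the original report or from the threat actor; the sample events are constructed here in the style of Sysmon process-creation and network-connection records, and the rule names, field names and thresholds are this example's own assumptions. The heuristics are written a little more broadly than the text (they also cover PowerShell spawned by an archiver and payloads fetched by any script host or process running from a user-writable directory).

```python
"""Toy detection rules for the Armored Likho / BusySnake chain summarised above.

Assumption: events are dicts with Sysmon-like fields (image, command_line,
parent_image, and for network events dest_host). All sample data is constructed.
"""
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe",
                "wscript.exe", "cscript.exe")
USER_LAUNCHERS = ("explorer.exe", "winrar.exe", "7zfm.exe")
# Paths under a user profile that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)
# PowerShell switches typical of loaders: hidden window, encoded command, no profile.
HIDDEN_FLAGS = re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b|nop\b)", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"pid": 4120, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": 'WinRAR.exe "C:\\Users\\u\\Downloads\\notice.rar"',
     "parent_image": r"C:\Windows\explorer.exe"},
    # Shortcut double-clicked in Explorer launches a hidden, encoded PowerShell loader.
    {"pid": 4133, "image": PS, "command_line": "powershell.exe -w hidden -nop -enc SQBFAFgA",
     "parent_image": r"C:\Windows\explorer.exe"},
    # The loader fetches its next stage from GitHub (network-connection event).
    {"pid": 4133, "image": PS, "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    # Persistence: a scheduled task whose action is a Python script in AppData.
    {"pid": 4150, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /create /sc onlogon /tn Updater /tr '
                     '"C:\\Users\\u\\AppData\\Local\\py\\pythonw.exe C:\\Users\\u\\AppData\\Local\\py\\main.py"',
     "parent_image": PS},
    # Remote desktop tool dropped and started by the script host.
    {"pid": 4160, "image": r"C:\Users\u\AppData\Local\Temp\rustdesk.exe",
     "command_line": "rustdesk.exe", "parent_image": PS},
    # Benign: an admin backup script launched by the service host.
    {"pid": 4170, "image": PS, "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    # Benign: a developer's git client talking to GitHub.
    {"pid": 4180, "image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "github.com",
     "dest_port": 443},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_lnk_powershell_loader(ev):
    """PowerShell with loader-style switches spawned directly by Explorer or an archiver."""
    return (basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and basename(ev.get("parent_image", "")) in USER_LAUNCHERS
            and bool(HIDDEN_FLAGS.search(ev.get("command_line", ""))))


def rule_script_host_github_fetch(ev):
    """A script host, or a binary in a user-writable path, pulling content from GitHub."""
    host = ev.get("dest_host", "").lower()
    return (host.endswith(("github.com", "githubusercontent.com"))
            and (basename(ev["image"]) in SCRIPT_HOSTS
                 or bool(USER_WRITABLE.search(ev["image"]))))


def rule_schtasks_persistence(ev):
    """schtasks /create whose action lives in a user-writable path or runs Python."""
    cl = ev.get("command_line", "")
    return (basename(ev["image"]) == "schtasks.exe"
            and re.search(r"/create\b", cl, re.I) is not None
            and (USER_WRITABLE.search(cl) is not None
                 or re.search(r"pythonw?\.exe", cl, re.I) is not None))


def rule_remote_access_tool_drop(ev):
    """RustDesk started by a script interpreter rather than by a user or installer."""
    return (basename(ev["image"]).startswith("rustdesk")
            and basename(ev.get("parent_image", "")) in SCRIPT_HOSTS)


RULES = {
    "lnk_powershell_loader": rule_lnk_powershell_loader,
    "script_host_github_fetch": rule_script_host_github_fetch,
    "schtasks_persistence": rule_schtasks_persistence,
    "remote_access_tool_drop": rule_remote_access_tool_drop,
}


def evaluate(events):
    """Return (rule_name, pid) for every event that trips a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Each rule on its own is noisy in a real estate (developers do fetch from GitHub, administrators do create scheduled tasks); the value is in correlating hits on the same process tree within a short window, as the four hits on pids 4133, 4150 and 4160 above illustrate, and in tuning the launcher and path lists to the environment.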
The use of spear-phishing and sophisticated malware increases the risk of data leaks and system compromise. The malware’s ability to avoid detection makes it hard for typical security measures to identify and block the attack.
Given the complexity of these threats, organizations should consult their security vendors or cybersecurity authorities for specific remediation guidance. Proper patching, user awareness, and endpoint security are essential. It is also recommended to restrict the use of untrusted email attachments and monitor network traffic for suspicious activity.
