Armored Likho, a previously undocumented APT group also linked by indirect indicators to Eagle Werewolf, has been running a spear-phishing campaign against government agencies and electric power organizations in Russia, Kazakhstan, and Brazil. The attackers deliver a newly identified Python-based infostealer, BusySnake Stealer, through archive attachments containing either NSIS-built executable droppers or malicious .lnk files, including samples that abuse ZDI-CAN-25373 to conceal command-line arguments. Researchers said the malware is heavily obfuscated with PyArmor and that some first-stage loaders appear to be AI-generated, complicating attribution while preserving the group’s broader tradecraft.
Once installed, BusySnake establishes persistence with VBScript and scheduled tasks, then steals browser passwords, cookies, clipboard contents, screenshots, documents, Telegram session data, OTP secrets, and cryptocurrency wallet files. The malware also supports reverse SSH tunneling and remote control, downloads Python runtimes and dependencies, and in newer variants fetches and executes Python payloads directly in memory while tracking task status through an updated C2 framework. Reported infrastructure includes 159.198.41[.]140 and grked[.]online, and researchers noted architectural overlap with AquilaRAT and functional similarities to Go2Tunnel, reinforcing the attribution to Armored Likho.
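The .lnk delivery vector above is the part of this campaign a defender can check for mechanically. The following is an added example (not code from the Securelist report or from Mallory) that walks the MS-SHLLINK structure of a shortcut file far enough to extract the COMMAND_LINE_ARGUMENTS string and flags arguments that hide their real content behind a long run of whitespace. It assumes that ZDI-CAN-25373 is the whitespace-padding weakness in how Windows displays shortcut arguments (an assumption, since the page only says the samples "conceal command-line arguments"); the two sample shortcuts and the PADDING_THRESHOLD value are constructed for the example rather than taken from any real sample.

```python
import struct

# MS-SHLLINK header constants (public format): 76-byte header, fixed CLSID,
# and the LinkFlags bits that govern which optional sections follow.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Whitespace that pushes the real arguments out of the Properties dialog.
PADDING_CHARS = " \t\r\n\x0b\x0c"
# Constructed threshold for this example; legitimate shortcuts rarely
# carry more than a handful of consecutive whitespace characters.
PADDING_THRESHOLD = 64


def parse_lnk_strings(data):
    """Return the StringData fields of a shell link as {field_name: text}."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    # Skip the optional IDList (2-byte size prefix, size excludes the prefix).
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # Skip the optional LinkInfo block (4-byte size that includes itself).
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    order = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
             (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
             (HAS_ICON_LOCATION, "icon_location"))
    for flag, field in order:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            strings[field] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            strings[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return strings


def padding_stats(text):
    """Count padding characters and the longest consecutive run of them."""
    total = sum(1 for c in text if c in PADDING_CHARS)
    longest = run = 0
    for c in text:
        run = run + 1 if c in PADDING_CHARS else 0
        longest = max(longest, run)
    return total, longest


def assess_lnk(data):
    """Parse a shortcut and report whether its arguments look padded."""
    args = parse_lnk_strings(data).get("arguments", "")
    total, longest = padding_stats(args)
    return {
        "arguments_length": len(args),
        "padding_chars": total,
        "longest_run": longest,
        "visible_arguments": args.strip(),
        "suspicious": longest >= PADDING_THRESHOLD,
    }


def build_lnk(arguments, name=None):
    """Constructed minimal shortcut: header plus StringData only (test input)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name is not None else 0)
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", flags) + bytes(LNK_HEADER_SIZE - 24))
    body = b""
    if name is not None:
        body += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body


# Constructed samples: an ordinary shortcut and one whose arguments are
# pushed 300 spaces to the right so the dialog shows an empty field.
BENIGN_LNK = build_lnk("/k echo hello", name="Report.pdf")
PADDED_LNK = build_lnk(" " * 300 + "/c echo hidden-after-padding", name="Report.pdf")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, assess_lnk(blob))
```

Run the module directly to see both verdicts; in practice point `assess_lnk` at the bytes of every .lnk extracted from inbound archives and alert on `suspicious`, keeping `visible_arguments` for the analyst so the concealed command line is recorded without anyone opening the shortcut.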

Securelist reported an active spear-phishing campaign attributed with medium confidence to the previously undocumented APT group Armored Likho, also referred to as Eagle Werewolf. The campaign targets government organizations and the electric power sector in Russia, Kazakhstan, and Brazil and delivers the newly identified Python-based BusySnake Stealer via malicious archive attachments.
Sources: thehackernews.com, securelist.com, securelist.ru