Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Armored Likho APT Targeting Government, Electric Power Entities

0
Medium
Vulnerability
Published: 07/06/2026 (07/06/2026, 15:10:39 UTC)
Source: SecurityWeek

Description

Armored Likho is an advanced persistent threat (APT) actor targeting government and electric power organizations in multiple countries, including Russia, Brazil, and Kazakhstan. The group conducts both financially motivated attacks and cyber espionage using modular remote access trojans (RATs) and information stealers, notably the Python-based BusySnake Stealer. Initial access is primarily gained through spear-phishing emails containing malicious executables or LNK files that deploy malware stealthily. The malware suite enables credential theft, screenshot capture, keylogging, browser data exfiltration, and persistent remote access via reverse SSH tunnels. Armored Likho’s tools dynamically deploy modules tailored to specific victims and tasks, maintaining stealthy control over compromised systems. The group’s activity overlaps with other known APTs, such as Eagle Werewolf, sharing similar malware structures and persistence mechanisms.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 15:21:39 UTC

Technical Analysis

Armored Likho is a recently discovered APT actor that targets government and electric power sectors in Russia, Brazil, and Kazakhstan. It uses spear-phishing to deliver modular malware, including RATs and information stealers like the Python-based BusySnake Stealer. This malware performs a wide range of functions, such as credential harvesting from browsers and Telegram, clipboard theft, screenshot capture, and establishing reverse SSH tunnels for persistent access. The malware dynamically decrypts and encrypts its bytecode to evade detection and runs stealthily without a console window. Armored Likho’s operations include both financially motivated attacks and cyber espionage. The group’s toolkit and tactics show overlap with the Eagle Werewolf APT, which used similar RATs. The threat actor fetches malware components from GitHub repositories, including early development builds, indicating ongoing tool evolution.

Potential Impact

The threat actor can maintain stealthy, persistent control over compromised hosts, enabling exfiltration of sensitive credentials, browser data, OTP keys, cryptocurrency wallets, and Telegram sessions. This access facilitates espionage against targeted organizations and financially motivated theft from individuals. The malware’s capabilities to capture screenshots, log keystrokes, and execute commands remotely increase the risk of data breaches and operational disruption in critical sectors such as government and electric power. The use of modular malware allows tailored attacks, increasing the effectiveness and stealth of the campaigns.

Mitigation Recommendations

No official patch or remediation is applicable as this is a threat actor’s campaign rather than a software vulnerability. Organizations should focus on user awareness to reduce spear-phishing success, implement email filtering to block malicious attachments, and employ endpoint detection and response (EDR) solutions capable of detecting modular RATs and information stealers. Monitoring for unusual network activity, such as reverse SSH tunnels or connections to suspicious GitHub repositories, may help identify compromises. Since the threat actor uses evolving malware, continuous threat intelligence updates and behavioral detection are recommended.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/armored-likho-apt-targeting-government-electric-power-entities/","fetched":true,"fetchedAt":"2026-07-06T15:21:26.173Z","wordCount":1111}

Threat ID: 6a4bc7f627e9c79719bbf011

Added to database: 07/06/2026, 15:21:26 UTC

Last enriched: 07/06/2026, 15:21:39 UTC

Last updated: 07/06/2026, 15:21:39 UTC

Views: 1

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses