Armored Likho's new weapon: BusySnake Stealer
Kaspersky uncovered a sophisticated phishing campaign by the APT group Armored Likho, deploying a previously undocumented Python-based infostealer dubbed BusySnake Stealer. The campaign targets government agencies and electric power sectors across Russia, Brazil, and Kazakhstan through spear-phishing emails containing malicious EXE or LNK attachments. BusySnake Stealer features advanced obfuscation using PyArmor Pro, extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for remote access. The threat actor leverages AI-generated code for first-stage payloads and distributes components via GitHub repositories. The stealer maintains persistence through scheduled tasks and communicates with C2 infrastructure to receive commands dynamically, representing a significant evolution in the group's technical capabilities.
AI Analysis
Technical Summary
The Armored Likho APT group has deployed BusySnake Stealer, a previously undocumented Python-based infostealer, in targeted spear-phishing campaigns against government and electric power sectors in Russia, Brazil, and Kazakhstan. The malware is delivered via malicious EXE or LNK attachments and employs PyArmor Pro for obfuscation. BusySnake Stealer extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for persistent remote access. The threat actor uses AI-generated code for initial payloads and distributes components through GitHub repositories. Persistence is achieved via scheduled tasks, and the malware communicates with C2 servers to receive commands dynamically. This tool reflects a significant evolution in Armored Likho's operational sophistication.
Potential Impact
The malware enables credential theft from browsers, capture of sensitive user input via keystroke logging, screenshot capture, and theft of cryptocurrency wallets and two-factor authentication tokens. It also establishes persistent remote access through reverse SSH tunnels, allowing the threat actor to maintain control and execute further commands. The targeting of government and electric power sectors in multiple countries indicates potential risks to critical infrastructure confidentiality and operational security.
Mitigation Recommendations
No official patch or remediation is available for this malware. Organizations in the targeted sectors should enhance email security to detect and block spear-phishing attempts with malicious attachments. Endpoint detection and response solutions should be tuned to identify behaviors associated with BusySnake Stealer, such as PyArmor obfuscation, scheduled task persistence, and reverse SSH tunnel activity. Network monitoring for unusual outbound connections to C2 infrastructure is recommended. Users should be trained to recognize spear-phishing emails. Since this is a malware campaign rather than a software vulnerability, traditional patching does not apply.
Affected Countries
Russia, Brazil, Kazakhstan
Indicators of Compromise
- domain: lvl99.store
- hash: 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79
- ip: 159.198.41.140
- hash: 393b498f2114cabc0b29d5fcd9dc6723
- hash: a0b80c0ec77f62b0ed46edb3fef05ccb88c74afb
- hash: 0041fd1b2358cd08dbcbc28ea8fc3d20
- hash: 006887732ca4a4a46a97989cf4deeef6
- hash: 07213c419489c02791e8d67b91e404ef
- hash: 1096268fa2b3d454c86cf851cb782319
- hash: 1dba3e505491a260a44c867902c3296e
- hash: 2dfa1d949872c1b2f04952dd3e5f5d8f
- hash: 5d5c3e483c5e544260ce98fc29fbf192
- hash: 6b45ddb39a6e86229348dcbba3857e7c
- hash: 7141917cba2eee2b4d31107faccf3a39
- hash: 732c31acf971a81c7e51b2a3dae82020
- hash: 78135f72ab148a0cc074f6b2dd51fff6
- hash: 7db9c688c620e54e8c69b7e52a7579fb
- hash: 80b7700053e115d65365ce7330383320
- hash: 8188b2f347b77d65d08cfb23808ac244
- hash: 894332174f536c2e1efeda05cba79f8b
- hash: 90378881856abfa47d7745c0a3ef9dc8
- hash: a0ec7a8e61eff3f445a7455b3aef9fbb
- hash: c019797a00fd56edb1f468ac0a598510
- hash: c7622a1effa27bbfee6d6e03d6474343
- hash: cf74ac018d158ea2c2cfa1b1d71d95bc
- hash: ddff82a115558584bbd7741d4ffb35b4
- hash: e2550cfad9dcc880bf04f6048f90868c
- hash: f2ab09d7e7a375a192508a5014aa2ee4
- hash: f5c6434ee5f7578faa3bc1257e1c9226
- hash: fd2bdd8047addee6fde2f532de181bfd
- hash: 2654dfefff26ad290037230bf2dc7353411d0cc8
- hash: 8436fba39929e8da81fc78b2bc7eb74da6b9578a
- hash: 00ccbf72b8a0f0314d829766775889bbe9c964ce7b499ff26ba12fb62cadf906
- hash: 3ec02d6bed160a97edea549ec88c46f10105f6cdf6a4b3f356b2fc6a4a14f386
- ip: 159.198.32.222
- ip: 159.198.75.219
- ip: 69.67.173.153
- domain: arvax.xyz
- domain: grked.online
- domain: ndrt.ink
- domain: onetoken.ink
- domain: varenie.live
- domain: winupdate.ink
- domain: winupdate.live
- domain: myboard.chickenkiller.com
- domain: myboard.twilightparadox.com
Armored Likho's new weapon: BusySnake Stealer
Description
Kaspersky uncovered a sophisticated phishing campaign by the APT group Armored Likho, deploying a previously undocumented Python-based infostealer dubbed BusySnake Stealer. The campaign targets government agencies and electric power sectors across Russia, Brazil, and Kazakhstan through spear-phishing emails containing malicious EXE or LNK attachments. BusySnake Stealer features advanced obfuscation using PyArmor Pro, extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for remote access. The threat actor leverages AI-generated code for first-stage payloads and distributes components via GitHub repositories. The stealer maintains persistence through scheduled tasks and communicates with C2 infrastructure to receive commands dynamically, representing a significant evolution in the group's technical capabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Armored Likho APT group has deployed BusySnake Stealer, a previously undocumented Python-based infostealer, in targeted spear-phishing campaigns against government and electric power sectors in Russia, Brazil, and Kazakhstan. The malware is delivered via malicious EXE or LNK attachments and employs PyArmor Pro for obfuscation. BusySnake Stealer extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for persistent remote access. The threat actor uses AI-generated code for initial payloads and distributes components through GitHub repositories. Persistence is achieved via scheduled tasks, and the malware communicates with C2 servers to receive commands dynamically. This tool reflects a significant evolution in Armored Likho's operational sophistication.
Potential Impact
The malware enables credential theft from browsers, capture of sensitive user input via keystroke logging, screenshot capture, and theft of cryptocurrency wallets and two-factor authentication tokens. It also establishes persistent remote access through reverse SSH tunnels, allowing the threat actor to maintain control and execute further commands. The targeting of government and electric power sectors in multiple countries indicates potential risks to critical infrastructure confidentiality and operational security.
Mitigation Recommendations
No official patch or remediation is available for this malware. Organizations in the targeted sectors should enhance email security to detect and block spear-phishing attempts with malicious attachments. Endpoint detection and response solutions should be tuned to identify behaviors associated with BusySnake Stealer, such as PyArmor obfuscation, scheduled task persistence, and reverse SSH tunnel activity. Network monitoring for unusual outbound connections to C2 infrastructure is recommended. Users should be trained to recognize spear-phishing emails. Since this is a malware campaign rather than a software vulnerability, traditional patching does not apply.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/"]
- Adversary
- Armored Likho
- Pulse Id
- 6a47a77e01d1e457798b3a33
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainlvl99.store | — | |
domainarvax.xyz | — | |
domaingrked.online | — | |
domainndrt.ink | — | |
domainonetoken.ink | — | |
domainvarenie.live | — | |
domainwinupdate.ink | — | |
domainwinupdate.live | — | |
domainmyboard.chickenkiller.com | — | |
domainmyboard.twilightparadox.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79 | — | |
hash393b498f2114cabc0b29d5fcd9dc6723 | — | |
hasha0b80c0ec77f62b0ed46edb3fef05ccb88c74afb | — | |
hash0041fd1b2358cd08dbcbc28ea8fc3d20 | — | |
hash006887732ca4a4a46a97989cf4deeef6 | — | |
hash07213c419489c02791e8d67b91e404ef | — | |
hash1096268fa2b3d454c86cf851cb782319 | — | |
hash1dba3e505491a260a44c867902c3296e | — | |
hash2dfa1d949872c1b2f04952dd3e5f5d8f | — | |
hash5d5c3e483c5e544260ce98fc29fbf192 | — | |
hash6b45ddb39a6e86229348dcbba3857e7c | — | |
hash7141917cba2eee2b4d31107faccf3a39 | — | |
hash732c31acf971a81c7e51b2a3dae82020 | — | |
hash78135f72ab148a0cc074f6b2dd51fff6 | — | |
hash7db9c688c620e54e8c69b7e52a7579fb | — | |
hash80b7700053e115d65365ce7330383320 | — | |
hash8188b2f347b77d65d08cfb23808ac244 | — | |
hash894332174f536c2e1efeda05cba79f8b | — | |
hash90378881856abfa47d7745c0a3ef9dc8 | — | |
hasha0ec7a8e61eff3f445a7455b3aef9fbb | — | |
hashc019797a00fd56edb1f468ac0a598510 | — | |
hashc7622a1effa27bbfee6d6e03d6474343 | — | |
hashcf74ac018d158ea2c2cfa1b1d71d95bc | — | |
hashddff82a115558584bbd7741d4ffb35b4 | — | |
hashe2550cfad9dcc880bf04f6048f90868c | — | |
hashf2ab09d7e7a375a192508a5014aa2ee4 | — | |
hashf5c6434ee5f7578faa3bc1257e1c9226 | — | |
hashfd2bdd8047addee6fde2f532de181bfd | — | |
hash2654dfefff26ad290037230bf2dc7353411d0cc8 | — | |
hash8436fba39929e8da81fc78b2bc7eb74da6b9578a | — | |
hash00ccbf72b8a0f0314d829766775889bbe9c964ce7b499ff26ba12fb62cadf906 | — | |
hash3ec02d6bed160a97edea549ec88c46f10105f6cdf6a4b3f356b2fc6a4a14f386 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip159.198.41.140 | — | |
ip159.198.32.222 | — | |
ip159.198.75.219 | — | |
ip69.67.173.153 | — |
Threat ID: 6a4b739727e9c7971932e002
Added to database: 07/06/2026, 09:21:27 UTC
Last enriched: 07/06/2026, 09:36:25 UTC
Last updated: 07/06/2026, 20:52:53 UTC
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.