Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Armored Likho's new weapon: BusySnake Stealer

0
Medium
Published: 07/03/2026 (07/03/2026, 12:13:50 UTC)
Source: AlienVault OTX General

Description

Kaspersky uncovered a sophisticated phishing campaign by the APT group Armored Likho, deploying a previously undocumented Python-based infostealer dubbed BusySnake Stealer. The campaign targets government agencies and electric power sectors across Russia, Brazil, and Kazakhstan through spear-phishing emails containing malicious EXE or LNK attachments. BusySnake Stealer features advanced obfuscation using PyArmor Pro, extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for remote access. The threat actor leverages AI-generated code for first-stage payloads and distributes components via GitHub repositories. The stealer maintains persistence through scheduled tasks and communicates with C2 infrastructure to receive commands dynamically, representing a significant evolution in the group's technical capabilities.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:36:25 UTC

Technical Analysis

The Armored Likho APT group has deployed BusySnake Stealer, a previously undocumented Python-based infostealer, in targeted spear-phishing campaigns against government and electric power sectors in Russia, Brazil, and Kazakhstan. The malware is delivered via malicious EXE or LNK attachments and employs PyArmor Pro for obfuscation. BusySnake Stealer extracts credentials from browsers using DPAPI and NSS libraries, captures screenshots, logs keystrokes, scrapes cryptocurrency wallets and 2FA tokens, and establishes reverse SSH tunnels for persistent remote access. The threat actor uses AI-generated code for initial payloads and distributes components through GitHub repositories. Persistence is achieved via scheduled tasks, and the malware communicates with C2 servers to receive commands dynamically. This tool reflects a significant evolution in Armored Likho's operational sophistication.

Potential Impact

The malware enables credential theft from browsers, capture of sensitive user input via keystroke logging, screenshot capture, and theft of cryptocurrency wallets and two-factor authentication tokens. It also establishes persistent remote access through reverse SSH tunnels, allowing the threat actor to maintain control and execute further commands. The targeting of government and electric power sectors in multiple countries indicates potential risks to critical infrastructure confidentiality and operational security.

Mitigation Recommendations

No official patch or remediation is available for this malware. Organizations in the targeted sectors should enhance email security to detect and block spear-phishing attempts with malicious attachments. Endpoint detection and response solutions should be tuned to identify behaviors associated with BusySnake Stealer, such as PyArmor obfuscation, scheduled task persistence, and reverse SSH tunnel activity. Network monitoring for unusual outbound connections to C2 infrastructure is recommended. Users should be trained to recognize spear-phishing emails. Since this is a malware campaign rather than a software vulnerability, traditional patching does not apply.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/"]
Adversary
Armored Likho
Pulse Id
6a47a77e01d1e457798b3a33
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainlvl99.store
domainarvax.xyz
domaingrked.online
domainndrt.ink
domainonetoken.ink
domainvarenie.live
domainwinupdate.ink
domainwinupdate.live
domainmyboard.chickenkiller.com
domainmyboard.twilightparadox.com

Hash

ValueDescriptionCopy
hash8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79
hash393b498f2114cabc0b29d5fcd9dc6723
hasha0b80c0ec77f62b0ed46edb3fef05ccb88c74afb
hash0041fd1b2358cd08dbcbc28ea8fc3d20
hash006887732ca4a4a46a97989cf4deeef6
hash07213c419489c02791e8d67b91e404ef
hash1096268fa2b3d454c86cf851cb782319
hash1dba3e505491a260a44c867902c3296e
hash2dfa1d949872c1b2f04952dd3e5f5d8f
hash5d5c3e483c5e544260ce98fc29fbf192
hash6b45ddb39a6e86229348dcbba3857e7c
hash7141917cba2eee2b4d31107faccf3a39
hash732c31acf971a81c7e51b2a3dae82020
hash78135f72ab148a0cc074f6b2dd51fff6
hash7db9c688c620e54e8c69b7e52a7579fb
hash80b7700053e115d65365ce7330383320
hash8188b2f347b77d65d08cfb23808ac244
hash894332174f536c2e1efeda05cba79f8b
hash90378881856abfa47d7745c0a3ef9dc8
hasha0ec7a8e61eff3f445a7455b3aef9fbb
hashc019797a00fd56edb1f468ac0a598510
hashc7622a1effa27bbfee6d6e03d6474343
hashcf74ac018d158ea2c2cfa1b1d71d95bc
hashddff82a115558584bbd7741d4ffb35b4
hashe2550cfad9dcc880bf04f6048f90868c
hashf2ab09d7e7a375a192508a5014aa2ee4
hashf5c6434ee5f7578faa3bc1257e1c9226
hashfd2bdd8047addee6fde2f532de181bfd
hash2654dfefff26ad290037230bf2dc7353411d0cc8
hash8436fba39929e8da81fc78b2bc7eb74da6b9578a
hash00ccbf72b8a0f0314d829766775889bbe9c964ce7b499ff26ba12fb62cadf906
hash3ec02d6bed160a97edea549ec88c46f10105f6cdf6a4b3f356b2fc6a4a14f386

Ip

ValueDescriptionCopy
ip159.198.41.140
ip159.198.32.222
ip159.198.75.219
ip69.67.173.153

Threat ID: 6a4b739727e9c7971932e002

Added to database: 07/06/2026, 09:21:27 UTC

Last enriched: 07/06/2026, 09:36:25 UTC

Last updated: 07/06/2026, 20:52:53 UTC

Views: 16

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses