    Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

By admin, July 3, 2026
    A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.

    “Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations,” Kaspersky said in a technical analysis published today. “Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis.”

    The attacks are also characterized by the use of tools like Go2Tunnel for remote access and network tunneling. The wide variety of tools in its arsenal allows the threat actor to maintain persistent access to compromised hosts, steal credentials and sensitive data, and dynamically deliver modules tailored to the victim’s profile.

    The Russian cybersecurity vendor said Armored Likho shares possible overlaps with a threat cluster tracked by BI.ZONE under the moniker Eagle Werewolf, which has been active since May 2023. The hacking group has a track record of targeting government and defense organizations, specifically those involved in UAV development and manufacturing, using droppers, remote access trojans (RATs), and utilities for establishing SSH tunnels.

    “Threat actors may use compromised Telegram channels to distribute the malware,” BI.ZONE notes in its description of the threat actor. “While the group’s primary motivation is cyber espionage, campaigns aimed at stealing funds from victims have also been recorded.”

Back in February 2026, Eagle Werewolf was observed compromising a drone-focused Telegram channel to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation. The group has also used a tool referred to as Go2Tunnel in its attacks to establish a reverse SSH tunnel to a command-and-control (C2) server using a private key.


    The latest findings show that the threat actor has also employed a previously unreported Python-based information stealer named BusySnake Stealer targeting Windows systems, one version of which includes a module for stealing cookies from web browsers. The exact origins of Armored Likho remain unknown.

    The starting point of the attack chain is a spear-phishing email that uses lures related to official government notices or social programs to distribute a RAR archive containing EXE binaries that serve as droppers for additional payloads retrieved from a GitHub repository, including the stealer payload.

    The dropper malware also creates two Visual Basic Script (VBScript) files that are responsible for erasing traces of the initial execution as well as launching the stealer by means of a scheduled task.

Alternate chains replace the EXE payloads with Windows shortcut (LNK) files that weaponize a now-patched vulnerability in how Windows handles such files, resulting in remote code execution. The flaw, tracked as CVE-2025-9491 (aka ZDI-CAN-25373), was addressed by Microsoft as part of its Patch Tuesday updates for November 2025. Evidence unearthed by Trend Micro last year revealed that the shortcoming had been weaponized by a dozen hacking groups since 2017.

    In the attack chain documented by Kaspersky, the shortcut vulnerability is abused to trigger the execution of an obfuscated PowerShell command that launches a loader responsible for displaying a decoy document, while preparing the environment for the execution of the Python stealer. The malware then establishes persistence through a combination of a VBScript file and a scheduled task, as before.
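A defender triaging mail attachments or user downloads wants to know what a shortcut will actually run before anyone double-clicks it. The following Python script is an added example, not Kaspersky's or Trend Micro's tooling: it parses the shortcut format from the public MS-SHLLINK layout (header, optional target ID list and link info, then the fixed-order string fields), pulls out the relative path and command-line arguments, and flags shortcuts that launch PowerShell with hidden-window, no-profile, execution-policy-bypass or encoded-command switches, which is the payload pattern the article describes. It does not reproduce or detect the CVE-2025-9491 trigger itself, since the page does not describe that mechanism; the switch list and the argument-length threshold are this example's own heuristics, and the two .lnk blobs are constructed inline so the script runs offline.

```python
import re
import struct
from typing import Dict, List, Optional

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> Dict[str, object]:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData and
    return the string fields (the ID list itself and ExtraData are skipped)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)  # size includes itself
        pos += link_info_size
    info: Dict[str, object] = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


PS_LAUNCH = re.compile(r"(?:powershell|pwsh)(?:\.exe)?", re.I)
# Heuristic switch list chosen for this example (covers abbreviated forms)
PS_SWITCHES = re.compile(
    r"-(?:enc|encodedcommand|ec|e|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass"
    r"|w\s+hidden|windowstyle\s+hidden)\b", re.I)


def triage_lnk(data: bytes, max_args_len: int = 260) -> List[str]:
    """Return human-readable findings for a shortcut; an empty list means nothing flagged."""
    info = parse_lnk(data)
    args = str(info.get("arguments", ""))
    target_hint = f"{info.get('relative_path', '')} {args}"
    findings: List[str] = []
    if PS_LAUNCH.search(target_hint):
        findings.append("shortcut launches PowerShell")
        for m in PS_SWITCHES.finditer(args):
            findings.append(f"suspicious PowerShell switch: {m.group(0)}")
    if len(args) > max_args_len:  # threshold is an assumption, tune to your baseline
        findings.append(f"argument string unusually long ({len(args)} chars)")
    return findings


def build_lnk(arguments: str, relative_path: Optional[str] = None) -> bytes:
    """Build a minimal Unicode .lnk with only StringData (constructed test input)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # zeroed attributes, times, size, etc.
    body = b""
    for field in (relative_path, arguments):  # spec order: RELATIVE_PATH before ARGUMENTS
        if field is not None:
            body += struct.pack("<H", len(field)) + field.encode("utf-16-le")
    return header + body


# Constructed samples: a decoy-style shortcut and an ordinary one (placeholder payload)
SUSPICIOUS_LNK = build_lnk(
    "-w hidden -nop -ep bypass -enc <base64-placeholder>",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
BENIGN_LNK = build_lnk("readme.txt", relative_path=r"..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob) or ["clean"])
```

The parser deliberately stops at StringData; a production triage tool would also resolve the target from the ID list and the EnvironmentVariableDataBlock, since a shortcut can name PowerShell there while leaving the relative path empty.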

The stealer, called BusySnake, implements multiple evasion techniques to complicate static analysis and sidestep detection. Its primary goal is to establish communication with a C2 server and then await incoming instructions. It also supports the following functionality:

    • Steal data from the system clipboard.
    • Enumerate files across the system and log their metadata in a local database.
    • Upload user documents to the C2 server.
    • Capture screenshots and stage them in a local directory.
    • Archive captured screenshots and remove previously created archives from the disk.
    • Prevent multiple instances of the stealer from running concurrently on the infected host.
    • Ensure persistence by checking if the scheduled task exists, and if not, drop a VBScript to register a new scheduled task.

    Furthermore, the commands issued by the C2 server allow it to take screenshots at a designated interval, log keystroke data, gather cryptocurrency wallet files with a JSON extension, collect Telegram session and credential data, establish a reverse SSH tunnel using Go2Tunnel, install RustDesk, and extract cookies from Mozilla Firefox and Chromium-based browsers, along with passwords.

    If RustDesk is already installed on the machine, the open-source remote desktop software is started, and the victim is prompted to enter their credentials, following which the stealer grabs a screenshot of the credentials and exfiltrates it to the C2 server.

    “The malware dynamically decrypts its bytecode only at the exact moment a function is called, re-encrypting the data immediately afterward,” Kaspersky said. “Additionally, the malware runs in the background without spawning a console window, as indicated by its PYW file extension.”
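The persistence pattern described above (a VBScript that registers a scheduled task, the task re-created if it is missing, and a console-less .pyw payload) leaves two footprints that defenders can alert on: the task definition itself and the script host that registers it. The following Python script is an added example, not part of Kaspersky's report: it runs two rules over constructed events shaped like Windows Security event 4698 (task created; fields TaskName, TaskContent, SubjectUserName) and Sysmon event 1 (process creation; fields Image, ParentImage, CommandLine, User). The task-definition rule parses the Task Scheduler XML and flags actions that run a script host, pass a script file, or live under a user-writable directory; the process rule flags schtasks /create spawned by a script host. Regexes, thresholds and sample paths are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics chosen for this example; tune to the estate's own baseline
SCRIPT_HOST = re.compile(r"(?:^|\\)(?:wscript|cscript|pythonw?|mshta|powershell|pwsh)(?:\.exe)?$", re.I)
SCRIPT_ARG = re.compile(r"\.(?:vbs|vbe|pyw?|ps1|js|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def task_actions(task_xml: str) -> List[Tuple[str, str]]:
    """Return (Command, Arguments) pairs from a Task Scheduler XML definition."""
    task_xml = re.sub(r"^<\?xml[^>]*\?>", "", task_xml.strip())  # 4698 embeds a UTF-16 declaration
    root = ET.fromstring(task_xml)
    pairs = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        pairs.append((cmd, args))
    return pairs


def task_reasons(actions: List[Tuple[str, str]]) -> List[str]:
    reasons = []
    for cmd, args in actions:
        if SCRIPT_HOST.search(cmd):
            reasons.append(f"script host as task action: {cmd}")
        if SCRIPT_ARG.search(args):
            reasons.append(f"script file passed as argument: {args}")
        if USER_WRITABLE.search(f"{cmd} {args}"):
            reasons.append("action path under a user-writable directory")
    return reasons


def analyze(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") == 4698:  # Security: a scheduled task was created
            reasons = task_reasons(task_actions(str(ev["TaskContent"])))
            if reasons:
                alerts.append({"task": ev["TaskName"], "user": ev.get("SubjectUserName", ""), "reasons": reasons})
        elif ev.get("EventID") == 1:  # Sysmon: process creation
            image, parent = str(ev.get("Image", "")), str(ev.get("ParentImage", ""))
            cmdline = str(ev.get("CommandLine", ""))
            if image.lower().endswith("\\schtasks.exe") and "/create" in cmdline.lower() and SCRIPT_HOST.search(parent):
                m = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.I)
                alerts.append({"task": m.group(1) if m else cmdline, "user": ev.get("User", ""),
                               "reasons": [f"schtasks /create spawned by script host {parent}"]})
    return alerts


# Constructed sample data (paths and names are invented for the example)
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe</Command>
    <Arguments>"C:\Users\alice\AppData\Roaming\SysUpdate\client.pyw"</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Contoso Updater\updater.exe</Command>
    <Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\SysUpdate", "SubjectUserName": "alice",
     "TaskContent": SUSPICIOUS_TASK_XML},
    {"EventID": 4698, "TaskName": r"\Contoso\UpdateCheck", "SubjectUserName": "SYSTEM",
     "TaskContent": BENIGN_TASK_XML},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "User": r"CORP\alice", "CommandLine": r'schtasks.exe /create /f /sc onlogon /tn "SysUpdate" /tr "pythonw.exe client.pyw"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\bob", "CommandLine": "schtasks.exe /query /tn Backup"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so the process-creation rule is the fallback on hosts where that audit policy is off; pairing both also catches the re-registration path the article describes, where the stealer drops a fresh VBScript whenever the task is missing.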


    Kaspersky said it also identified a newer version of BusySnake that iterates upon the predecessor’s architectural design to include a new task-management framework to handle incoming C2 commands and dynamically assign them operational statuses, such as SCHEDULED, IN_PROGRESS, SUCCEEDED, or FAILED, for improved reporting back to the server.

    The threat actor’s ties to Eagle Werewolf also stem from overlaps between AquilaRAT and BusySnake Stealer, particularly in the manner both malware families receive tasks from the C2 server, register persistence via scheduled tasks, and utilize similar endpoints for C2 communications.

    There are also signs that the first-stage payloads comprising loaders and stagers were likely generated with assistance from artificial intelligence (AI) tools, given the presence of redundant comments and code blocks.

    “This campaign highlights several concurrent trends: the growing technical maturity of Armored Likho, tool polymorphism, and a shift toward more complex schemes aimed at bypassing security solutions – ranging from Python source code obfuscation to embedding network mechanisms directly into the malware code,” Kaspersky said.

    “In parallel, the group is aggressively refining and modifying its core toolkit. While Go2Tunnel previously operated as a standalone utility, its reverse-tunneling functionality has now been integrated directly into the stealer as a built-in feature that ingests parameters from the C2 server.”
