A previously undocumented advanced persistent threat (APT) group has been quietly breaching government agencies and electric power providers across at least three countries. Dubbed Armored Likho APT by researchers at Kaspersky, the actor blends financial theft with espionage, using a flexible toolkit that evolves on the fly.
Armored Likho’s operations stretch from Russia to Brazil and Kazakhstan. The group targets both individuals, for monetary gain, and larger organizations, for intelligence. Its arsenal includes modular remote access trojans (RATs) and information stealers, most notably a Python-based payload Kaspersky tracks as BusySnake Stealer.
This isn’t a one-trick pony. The malware stack allows the attackers to maintain stealthy control over compromised machines, siphon credentials, and deploy additional modules tailored to each victim. Kaspersky’s analysis, published in early July 2026, details how the group achieves this with surprising agility.
How Armored Likho Gets In
The primary entry vector is spear-phishing. Emails carry archives containing executable files or LNK shortcuts. When a target opens the attachment, a decoy document appears on screen. Behind the scenes, the real payload installs silently.
One loader, injected directly into memory, was observed fetching additional archives from public GitHub repositories. Those repos held early development builds and test samples. Another method uses LNK files that pull down a full Python 3.12 interpreter and a malicious archive while displaying a fake document to the user.
BusySnake Stealer: The Core Weapon
The centerpiece of Armored Likho’s toolset is BusySnake Stealer, a Python-based infostealer packed with evasion tricks. It decrypts bytecode only when a specific function is called, then re-encrypts it immediately after execution. The process runs without a console window, keeping it out of sight.
BusySnake relies on multiple handlers for different tasks. These include clipboard theft, file enumeration, extraction of 64-character hexadecimal keys, document exfiltration, screenshot capture and archiving, persistence checks, and general command execution.
Commands from the C&C server can trigger a wide range of actions: capturing screenshots, exfiltrating logged keystrokes, decrypting stored passwords from Chromium-based and Firefox browsers, stealing cookies, scraping the machine for OTP keys, locating cryptocurrency wallets, harvesting Telegram sessions and credentials, establishing a reverse SSH tunnel, or even restarting RustDesk to capture user credentials.
From Go2Tunnel to Full Control
Earlier campaigns relied on a separate tool called Go2Tunnel to set up reverse SSH tunnels. Armored Likho has since folded that capability directly into BusySnake Stealer. The infostealer now provides persistent remote access and interactive control over the victim’s system without needing a secondary utility.
Overlap With Eagle Werewolf
Kaspersky notes that Armored Likho’s operations show overlap with a known hacking group called Eagle Werewolf. That group previously used a RAT named AquilaRAT, which shares structural similarities and persistence mechanisms with BusySnake Stealer. The connection suggests the same developers may be behind both toolkits.
The shift toward modular, Python-based malware is a trend worth watching. It gives attackers the flexibility to swap components quickly and evade signature-based detection. For defenders in the government and electric power sectors, this means staying ahead of an adversary that adapts its code as easily as it changes its targets.
As Armored Likho continues to refine its methods, organizations should prioritize email security, monitor for unusual GitHub repository access, and keep an eye out for the telltale signs of BusySnake Stealer deployment.