**Unpacking Armored Likho: A New Threat Actor Targeting Governments and Power Grids**
In the ever-evolving landscape of cyber threats, a previously unknown adversary has emerged, conducting sophisticated campaigns against governments and critical infrastructure. Security researchers at Kaspersky have identified this actor as **Armored Likho**, a threat group employing a diverse and evolving toolkit to target entities in Russia, Brazil, and Kazakhstan. Their operations reveal a blend of financially motivated attacks and targeted cyber-espionage, marking a significant danger to both public and private sectors.
### A Hybrid Threat: Espionage and Financial Gain
Armored Likho’s strategy is not monolithic; it combines broad financial scams with precise espionage missions. The group actively targets private individuals to steal funds while simultaneously pursuing cyber-espionage objectives against organizations. This dual approach allows them to maximize their gains while probing for sensitive intelligence.
Their technical sophistication is evident in their custom toolset. The malware they employ is heavily obfuscated and modular, designed to bypass modern security defenses. Specifically, their Remote Access Trojans (RATs) and infostealers are engineered to evade dynamic analysis, making them difficult to detect and analyze in a laboratory environment.
### Infrastructure and Delivery: From Phishing to Persistence
The attack chain typically begins with **spear-phishing emails** that impersonate official government notices or social program alerts. These emails deliver a RAR archive containing executable droppers. Once executed, these droppers fetch additional payloads— including the notorious **BusySnake Stealer**—from a GitHub repository.
To maintain persistence and hide their activities, the malware creates Visual Basic Script (VBScript) files that erase traces of the initial infection and launch the stealer via a scheduled task. Kaspersky also noted the exploitation of a critical Windows vulnerability, tracked as **CVE-2025-9491**, which allows for remote code execution through malicious Windows shortcuts (LNK files). Although Microsoft patched this flaw in late 2025, it has been weaponized by numerous threat groups since 2017.
### The BusySnake Stealer: A Modular Workhorse
At the heart of Armored Likho’s operations is **BusySnake Stealer**, a Python-based information stealer with alarming capabilities. According to the Kaspersky report, this malware can:
* Capture keystrokes and steal credentials.
* Harvest data from the system clipboard.
* Upload user documents and capture screenshots.
* Archive and delete evidence to avoid detection.
* Prevent multiple instances from running on the same host.
A newer, more advanced version of BusySnake introduces a task-management framework, allowing it to dynamically assign statuses (like *SCHEDULED* or *IN_PROGRESS*) to commands received from the Command and Control (C2) server. This allows the attacker to efficiently manage multiple compromised systems.
### Connections to “Eagle Werewolf”
Kaspersky noted significant overlaps between Armored Likho and a threat cluster monitored by BI.ZONE under the name **Eagle Werewolf**. Active since May 2023, Eagle Werewolf specifically targets government and defense organizations, particularly those involved in UAV (drone) development.
The connections between the two groups are strong:
* **Shared Tactics:** Both utilize Go2Tunnel for reverse SSH tunneling to maintain C2 communication.
* **Shared Lineage:** Evidence suggests Armored Likho and Eagle Werewolf share common malware strains, such as AquilaRAT.
* **AI-Aided Development:** Researchers observed that the initial payloads used by Armored Likho appear to be generated with the assistance of **AI tools**, featuring redundant comments and code blocks that suggest automated generation.
In a specific incident observed in early 2026, Eagle Werewolf compromised a drone-focused Telegram channel, distributing AquilaRAT via a Rust dropper disguised as a Starlink activation checklist.
### Conclusion
Armored Likho represents a growing threat to global stability, capable of disrupting government functions and critical energy sectors. Their shift toward more complex evasion techniques—such as embedding network tunneling directly into their stealer malware and leveraging AI for code generation—signals a maturing and more dangerous threat landscape. Organizations in targeted regions must remain vigilant against these multi-faceted attack vectors.
***
**Original Article Source:** Kaspersky’s analysis of the Armored Likho threat actor, detailing their tactics, techniques, and procedures (TTPs), as published on their official security website.
**Title:** Unpacking Armored Likho: A New Threat Actor Targeting Governments and Power Grids **Sources:**
– Kaspersky Technical Analysis: [Link to Kaspersky Report on Armored Likho]
– BI.ZONE Intelligence: [Link to BI.ZONE Report on Eagle Werewolf]
– Trend Micro Vulnerability Research: [Link to Trend Micro on CVE-2025-9491]



