C2 administration panel sign-in form | Image: Kaspersky Labs
At a Glance
- Actor or group: Armored Likho APT (suspected)
- Activity type: Spear-phishing and information theft
- Targets or victims: Government agencies and the electric power sector
- Scale: Global operations across Russia, Brazil, and Kazakhstan
- Jurisdiction or law-enforcement status: Active investigation
- Source: Kaspersky Labs
TL;DR
Security researchers from Kaspersky Labs discovered a fresh phishing campaign spreading the previously undocumented BusySnake Stealer. Specifically, the attackers target government networks and power grids using malicious archives. Ultimately, the malware steals sensitive browser data and establishes remote access to compromised machines.
What Happened
Researchers recently detected a new wave of spear-phishing emails aimed at high-value organizations. These emails contain deceptive archives with themes like humanitarian aid or psychological tests. When a user opens the attachment, a hidden script runs silently in the background. Consequently, this script downloads the main malicious payload directly from GitHub repositories.
The primary weapon is a Python-based information stealer. Security analysts named this tool BusySnake Stealer. “The downloaded archives are extracted into the $appdata\WindowsHelper directory,” the official report states. This folder becomes the staging ground for the malware.
Stealing Passwords and Keys
Once active, the malware uses PyArmor to hide its true instructions. First, it ensures only one instance runs on the infected system. Next, it immediately starts harvesting data from the system clipboard. The malware also maps the entire local file system. It specifically hunts for 64-character hexadecimal keys and cryptocurrency wallets. Additionally, the stealer forces Chromium-based browsers and Firefox to decrypt saved passwords.
The C2 server sends commands using specific function names. For example, the malware receives a command to steal Firefox passwords. It then exploits an insecure practice within the browser itself. Firefox stores its master key in plaintext. Therefore, the malware decrypts all saved credentials without triggering any user prompts.
Establishing Remote Control
The attackers also built a feature to install malicious browser extensions. These hidden extensions quietly harvest active session cookies. Furthermore, the malware can create reverse SSH tunnels. This tunnel grants the hackers direct remote access to the host. Finally, the malware sends all stolen information back to a central command server.
Who is Behind It
Analysts attribute this campaign to the Armored Likho group with medium confidence. Security teams also know this threat actor as Eagle Werewolf.
The attackers allegedly use artificial intelligence tools to write their initial loaders. The source code contains strange comments and bullet-point emojis. This specific coding style strongly suggests the use of large language models. Therefore, AI helps them rapidly create new variations of their attack chain.
Researchers linked the new stealer to older tools used by Armored Likho. Previously, the group used a reverse SSH tool called Go2Tunnel. The new stealer includes this exact tunneling feature built directly into its code. Both tools share identical command line arguments. Additionally, the stealer shares structural similarities with AquilaRAT, another known tool.
Impact or Scale
The exact number of compromised machines remains unclear at this time. However, the geographical footprint of the attacks spans Russia, Brazil, and Kazakhstan. “This targeted campaign focuses heavily on government agencies and the electric power sector,” researchers noted in their report.
The financial impact could be massive due to the theft of cryptocurrency wallets. The attackers mix financially motivated theft with targeted cyber-espionage. They steal passwords, session cookies, and secure access tokens. As a result, they can hijack sensitive government accounts easily. They also gain control over critical national infrastructure systems.
What Comes Next
Armored Likho continues to update its attack methods constantly. Recently, they changed how the malware maintains persistence. Instead of using basic scheduled tasks, they now interact directly with hidden COM objects. This architectural change makes detection much harder for traditional antivirus software.
Organizations must train employees to recognize spear-phishing emails immediately. Security teams should monitor network traffic for unexpected SSH connections. Specifically, they need to watch for unusual communication with external IP addresses. Companies should also enforce strict policies on browser data storage. Users must avoid saving sensitive passwords directly in their web browsers. Lastly, network administrators must block the unauthorized execution of Python scripts on endpoints.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.