logo

BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions, and Crypto Keys

ID: 8a7421a6-1c66-591c-ac89-0eb4fead2046

STIX ID: report--8a7421a6-1c66-591c-ac89-0eb4fead2046

Feed Name: Cyber Press

Threat Score
85/100

Date Published: 2026-07-04

Date Updated: 2026-07-04

Author: Mayura

...
...

This report analyzes BusySnake, a sophisticated Python-based infostealer used by the Armored Likho APT to harvest browser credentials, cookies, Telegram sessions, clipboard data, screenshots, and cryptocurrency keys. Infections begin via spear-phishing archives containing NSIS-built EXE droppers or malicious LNK shortcuts that deploy an embedded Python 3.12 runtime and PyArmor-protected bytecode; the malware supports modular exfiltration and persistent C2 polling. The actor targets government and critical infrastructure (notably the electric power sector in Russia, Brazil, and Kazakhstan), and defenders are advised to hunt for anomalous NSIS installers, staged Python runtimes under %APPDATA%, LNK execution chains, and frequent VBScript scheduled-task launchers, while assuming credential and session compromise when indicators are found.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.