BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions, and Crypto Keys
ID: 8a7421a6-1c66-591c-ac89-0eb4fead2046
STIX ID: report--8a7421a6-1c66-591c-ac89-0eb4fead2046
Feed Name: Cyber Press
This report analyzes BusySnake, a sophisticated Python-based infostealer used by the Armored Likho APT to harvest browser credentials, cookies, Telegram sessions, clipboard data, screenshots, and cryptocurrency keys. Infections begin via spear-phishing archives containing NSIS-built EXE droppers or malicious LNK shortcuts that deploy an embedded Python 3.12 runtime and PyArmor-protected bytecode; the malware supports modular exfiltration and persistent C2 polling. The actor targets government and critical infrastructure (notably the electric power sector in Russia, Brazil, and Kazakhstan), and defenders are advised to hunt for anomalous NSIS installers, staged Python runtimes under %APPDATA%, LNK execution chains, and frequent VBScript scheduled-task launchers, while assuming credential and session compromise when indicators are found.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
