logo

Armored Likho APT Deploys BusySnake Stealer Against Government and Power Sector Targets

ID: 71bc6812-8a41-57bb-be34-55d60863767c

STIX ID: report--71bc6812-8a41-57bb-be34-55d60863767c

Feed Name: GBHackers

Threat Score
85/100

Date Published: 2026-07-04

Date Updated: 2026-07-04

Author: Mayura Kathir

...
...

A newly identified APT, Armored Likho (aka Eagle Werewolf), is conducting targeted spear-phishing against government and electric power organizations in Russia, Brazil, and Kazakhstan, using NSIS EXE droppers and malicious LNK shortcuts to deploy a Python-based infostealer (BusySnake) alongside RATs and tunneling tools; payloads are staged on GitHub and protected with PyArmor, and the actor employs persistence, scheduled tasks, continuous C2 polling, and AI-assisted loader generation to support credential and data exfiltration, posing a high risk to critical infrastructure and sensitive information.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.