Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign
ID: b4270f61-0da6-5826-8c1f-d4578161287f
STIX ID: report--b4270f61-0da6-5826-8c1f-d4578161287f
Feed Name: Securelist by Kaspersky
**Executive summary:** The report describes an active, targeted phishing campaign by an APT actor dubbed Armored Likho that uses AI-generated first-stage loaders and a previously undocumented Python infostealer (BusySnake Stealer) to compromise government and electric power sector organizations in Russia, Brazil, and Kazakhstan; the malware exfiltrates credentials, cookies, screenshots and files, supports reverse SSH tunneling for persistent remote access, uses PyArmor-based obfuscation and in-memory execution to evade detection, and includes numerous IOCs and C2 domains/IPs for detection and response.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
