logo

Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign

ID: b4270f61-0da6-5826-8c1f-d4578161287f

STIX ID: report--b4270f61-0da6-5826-8c1f-d4578161287f

Feed Name: Securelist by Kaspersky

Threat Score
82/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Kaspersky

...
...

**Executive summary:** The report describes an active, targeted phishing campaign by an APT actor dubbed Armored Likho that uses AI-generated first-stage loaders and a previously undocumented Python infostealer (BusySnake Stealer) to compromise government and electric power sector organizations in Russia, Brazil, and Kazakhstan; the malware exfiltrates credentials, cookies, screenshots and files, supports reverse SSH tunneling for persistent remote access, uses PyArmor-based obfuscation and in-memory execution to evade detection, and includes numerous IOCs and C2 domains/IPs for detection and response.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.