Armored Likho is a previously undocumented threat actor that targets government agencies and the electric power sector across Russia, Brazil, and Kazakhstan in espionage and financially motivated campaigns. Its toolkit includes obfuscated RATs, BusySnake Stealer, AquilaRAT, and Go2Tunnel, and its attacks are delivered through spear-phishing, GitHub-hosted payloads, and abused Windows shortcut chains. #ArmoredLikho #BusySnakeStealer #AquilaRAT #Go2Tunnel #EagleWerewolf #CVE-2025-9491
Key points
- Armored Likho targets government and electric power organizations in multiple countries.
- The group uses modular RATs, infostealers, and tunneling tools to maintain access.
- BusySnake Stealer steals clipboard data, screenshots, cookies, passwords, and Telegram data.
- Attack chains rely on spear-phishing, droppers, scheduled tasks, and patched shortcut abuse.
- Evidence suggests overlap with Eagle Werewolf and possible AI-assisted payload development.
Read More: https://thehackernews.com/2026/07/armored-likho-targets-government.html