HLD Shield · Threat briefing · 4 July 2026 · Active campaign · Credential theft

Armored Likho: BusySnake stealer targets government and the power sector

A previously undocumented threat actor is running espionage campaigns against government agencies and electric power organisations across Russia, Brazil, and Kazakhstan — using a new Python-based infostealer engineered to defeat dynamic analysis, spread via spear-phishing and a patched Windows shortcut flaw. If your patch baseline predates November 2025, one of its two attack chains works against you today.

Armored Likho · Eagle Werewolf · BusySnake Stealer · AquilaRAT · CVE-2025-9491 (LNK) · Government · Energy

Executive summary

On 3 July 2026, Kaspersky published a technical analysis attributing attacks on government agencies and the electric power sector across Russia, Brazil, and Kazakhstan to a previously undocumented threat actor it tracks as Armored Likho. The group is unusual in that it blends financially motivated campaigns against private individuals with targeted cyber espionage against organisations — and its toolkit is built around obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis.

At the centre of the current campaign is BusySnake Stealer, a previously unreported Python-based infostealer for Windows. Beyond broad data theft, it can raise a reverse SSH tunnel to its command-and-control server (integrating what was previously a standalone utility, Go2Tunnel, directly into the malware), install or hijack RustDesk for hands-on remote access, and dynamically deliver modules tailored to the victim's profile.

Kaspersky assesses possible overlaps with Eagle Werewolf, a cluster tracked by BI.ZONE since May 2023 with a record of targeting government and defence organisations — particularly those involved in UAV development — and of distributing malware through compromised Telegram channels. The overlaps include how both AquilaRAT and BusySnake receive C2 tasks, register persistence via scheduled tasks, and use similar C2 endpoints. The actor's exact origins remain unknown.

HLD assesses this campaign as a planning-relevant signal for government and critical-infrastructure operators generally: the tradecraft — analysis-resistant Python malware, abuse of legitimate remote-access tooling, GitHub-hosted staging, and indications of AI-assisted payload development — is portable well beyond the currently observed victim geography.

How the attack chains work

Initial access is spear-phishing, with lures themed as official government notices or social programs. Two chains have been documented:

Chain A — EXE droppers

A RAR archive delivers EXE binaries acting as droppers, which retrieve additional payloads — including the stealer — from a GitHub repository. The dropper writes two VBScript files: one erases traces of the initial execution; the other launches the stealer via a scheduled task.

Chain B — LNK shortcut exploiting CVE-2025-9491

Windows shortcut (LNK) files weaponise CVE-2025-9491 (ZDI-CAN-25373), a now-patched UI-misrepresentation flaw in how Windows handles shortcuts: the shortcut's command-line arguments are padded with whitespace so that the Properties dialog does not show the command that actually runs when the user opens the file. Microsoft fixed it in the November 2025 Patch Tuesday; Trend Micro's disclosure reported that roughly a dozen groups had quietly weaponised it since 2017. Here the shortcut triggers an obfuscated PowerShell command that launches a loader, displays a decoy document, and prepares the environment for the Python stealer. Persistence again lands as a VBScript plus scheduled task.
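The padding pattern described above can be checked on disk without opening the shortcut. The following is an added example for this briefing, not Kaspersky's or HLD's code: a minimal ShellLink parser that follows the MS-SHLLINK layout to the COMMAND_LINE_ARGUMENTS string and reports whether a long whitespace run separates what the Properties dialog shows from what actually executes. The sample shortcuts are built in memory by `build_lnk()` and are constructed, not captured BusySnake artefacts; `PAD_THRESHOLD` is an assumption to tune.

```python
"""Detect whitespace-padded command-line arguments in Windows shortcut (.lnk)
files, the UI-misrepresentation pattern Trend Micro described for
ZDI-CAN-25373 / CVE-2025-9491.  Added example for this briefing, not
Kaspersky's or HLD's code.  Offsets follow MS-SHLLINK; the sample shortcuts
are built in memory by build_lnk(), not captured samples, and PAD_THRESHOLD
is an assumption to tune for your environment."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (  # MS-SHLLINK 2.4: fixed order, each present only if its flag is set
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"))
# Assumption: a run of 64+ whitespace characters (space, TAB, LF, VT, FF, CR)
# inside the arguments is never legitimate; lower it if you prefer more noise.
PAD_THRESHOLD = 64
PAD_RUN = re.compile(r"[ \t\n\x0b\x0c\r]{%d,}" % PAD_THRESHOLD)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, arguments, ...) of a ShellLink."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def padding_verdict(arguments: str) -> dict:
    """Split arguments into what the Properties dialog shows and what the padding hides."""
    runs = list(PAD_RUN.finditer(arguments))
    if not runs:
        return {"suspicious": False, "longest_pad": 0, "visible": arguments, "hidden": ""}
    return {"suspicious": True,
            "longest_pad": max(len(m.group()) for m in runs),
            "visible": arguments[:runs[0].start()].strip(),
            "hidden": arguments[runs[-1].end():].strip()}


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and return the padding verdict for its arguments."""
    return padding_verdict(parse_lnk(data).get("arguments", ""))


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Construct a minimal Unicode ShellLink carrying only StringData (for testing)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
              + struct.pack("<I", 0)              # FileAttributes
              + b"\x00" * 24                      # CreationTime, AccessTime, WriteTime
              + struct.pack("<IIIH", 0, 0, 1, 0)  # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey
              + b"\x00" * 10)                     # Reserved1, Reserved2, Reserved3
    body = b""
    for flag, value in ((HAS_NAME, name), (HAS_ARGUMENTS, arguments)):  # StringData order
        if flags & flag:
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    benign = build_lnk("/c echo hello", name="Notice")
    # Constructed: a decoy command, 300 spaces, then the command that really runs.
    padded = build_lnk("/c type notice.txt" + " " * 300 + "powershell -w hidden -File loader.ps1")
    print(scan_lnk(benign))
    print(scan_lnk(padded))
```

Run it over every `.lnk` pulled from mail quarantine or user profiles; the `hidden` field is what to feed into your triage, since that is the part the Windows UI would have suppressed on an unpatched host.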

BusySnake runs windowless (it carries a .pyw extension, so Windows launches it under pythonw.exe with no console window), decrypts its bytecode only at the exact moment a function is called and re-encrypts it immediately afterward, and awaits C2 tasking once installed. A newer variant adds a task-management framework that assigns incoming commands operational statuses (SCHEDULED, IN_PROGRESS, SUCCEEDED, FAILED) for cleaner reporting back to the operator.

What BusySnake can do on a compromised host

  • Steals data from the system clipboard
  • Enumerates files across the system and logs their metadata in a local database
  • Uploads user documents to the C2 server
  • Captures screenshots on demand or at a C2-designated interval, staging and archiving them locally
  • Logs keystrokes and harvests cryptocurrency wallet files with a JSON extension
  • Collects Telegram session and credential data
  • Extracts cookies and passwords from Mozilla Firefox and Chromium-based browsers
  • Establishes a reverse SSH tunnel — Go2Tunnel functionality now built directly into the stealer
  • Installs RustDesk, or abuses an existing install: victims are prompted for credentials, which the stealer captures by screenshot and exfiltrates
  • Guards against multiple concurrent instances and re-registers its scheduled task via VBScript if persistence is removed

What to do about it

01

Confirm CVE-2025-9491 (Windows LNK) is patched estate-wide

One of the two documented attack chains weaponises the Windows shortcut flaw patched in November 2025. Verify the November 2025 (or later) cumulative updates are applied across all Windows endpoints — including OT-adjacent engineering workstations in power and utilities environments, which frequently lag on patching.

02

Tighten email gateway handling of RAR archives and LNK files

Initial access is spear-phishing with lures themed as official government notices or social programs, delivering RAR archives containing EXE droppers or malicious shortcuts. Block or quarantine RAR and LNK attachments at the gateway where business processes allow, and sandbox-detonate them where they cannot be blocked outright.

03

Hunt for the persistence pattern: scheduled tasks paired with VBScript

Across both chains, BusySnake persists through a scheduled task registered by a dropped VBScript, with additional VBScript files used to erase traces of initial execution. Hunt for recently created scheduled tasks (Security event ID 4698) whose action launches python.exe, pythonw.exe, wscript.exe or cscript.exe or references .py, .pyw or .vbs files, and for VBScript files written to user-writable paths around the same task-creation events.
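One way to run that hunt over endpoint telemetry, as an added example for this briefing rather than Kaspersky's or HLD's code: parse the task XML carried in Security event 4698, score each Exec action against the pattern (script host, script payload, user-writable path), and attach any `.vbs` file creation (Sysmon event 11) seen on the same host within a short window. The events, hostnames and paths below are constructed, not captured telemetry; `SCRIPT_HOSTS`, `USER_WRITABLE` and `CORRELATION_WINDOW` are assumptions to tune for your estate.

```python
"""Hunt for the persistence pattern above: a scheduled task (Security event
4698, "A scheduled task was created") whose action launches a Python/PYW or
VBScript payload from a user-writable path, correlated with a .vbs written
nearby in time (Sysmon event 11, FileCreate).  Added example for this
briefing, not Kaspersky's or HLD's code.  The events, hostnames and paths
below are constructed, not captured telemetry; SCRIPT_HOSTS, USER_WRITABLE
and CORRELATION_WINDOW are assumptions to tune for your estate."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}
SCRIPT_PAYLOAD = re.compile(r"\.(py|pyw|vbs|vbe)\b", re.I)
# Assumption: locations a standard user can write to; extend for your image.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp|Temp)\\", re.I)
CORRELATION_WINDOW = timedelta(minutes=5)


def exec_actions(task_content: str) -> list:
    """Extract (Command, Arguments) pairs from the task XML carried in event 4698."""
    root = ET.fromstring(task_content)
    pairs = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        pairs.append((cmd, args))
    return pairs


def assess_action(cmd: str, args: str) -> list:
    """Return the reasons an Exec action matches the BusySnake persistence pattern."""
    reasons = []
    if cmd.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        reasons.append("script host")
    if SCRIPT_PAYLOAD.search(cmd) or SCRIPT_PAYLOAD.search(args):
        reasons.append("script payload")
    if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
        reasons.append("user-writable path")
    return reasons


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def hunt(events: list) -> list:
    """Flag suspicious 4698 events and attach .vbs creations on the same host inside the window."""
    vbs_writes = [e for e in events
                  if e["EventID"] == 11 and e["TargetFilename"].lower().endswith((".vbs", ".vbe"))]
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        for cmd, args in exec_actions(e["TaskContent"]):
            reasons = assess_action(cmd, args)
            if not reasons:
                continue
            nearby = sorted(w["TargetFilename"] for w in vbs_writes
                            if w["Computer"] == e["Computer"]
                            and abs(_ts(w) - _ts(e)) <= CORRELATION_WINDOW)
            findings.append({
                "computer": e["Computer"], "task": e["TaskName"], "user": e["SubjectUserName"],
                "command": cmd, "arguments": args, "reasons": reasons,
                "vbs_written_nearby": nearby,
                "severity": "high" if nearby and len(reasons) >= 2 else "medium"})
    return findings


def _task_xml(command: str, arguments: str) -> str:
    """Constructed TaskContent in the Task Scheduler schema (the real event carries it XML-escaped)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
            "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


SAMPLE_EVENTS = [  # constructed, not captured
    {"EventID": 11, "Computer": "WS-0142", "TimeCreated": "2026-07-03T09:14:58",
     "Image": r"C:\Users\a.petrova\AppData\Local\Temp\notice_2026.exe",
     "TargetFilename": r"C:\Users\a.petrova\AppData\Roaming\WinSvc\run.vbs"},
    {"EventID": 4698, "Computer": "WS-0142", "TimeCreated": "2026-07-03T09:15:22",
     "SubjectUserName": "a.petrova", "TaskName": r"\Microsoft\Windows\WinSvc\Check",
     "TaskContent": _task_xml(r"C:\Users\a.petrova\AppData\Roaming\WinSvc\pythonw.exe",
                              r"C:\Users\a.petrova\AppData\Roaming\WinSvc\main.pyw")},
    {"EventID": 4698, "Computer": "WS-0142", "TimeCreated": "2026-07-03T09:20:00",
     "SubjectUserName": "SYSTEM", "TaskName": r"\Vendor\AgentUpdate",
     "TaskContent": _task_xml(r"C:\Program Files\Vendor\Agent\agent.exe", "--update")},
    {"EventID": 11, "Computer": "WS-0077", "TimeCreated": "2026-07-03T06:02:10",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\b.lee\Documents\macro_helper.vbs"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["computer"], f["task"], f["reasons"], f["vbs_written_nearby"])
```

The vendor agent task is left alone because none of the three signals fire; the dropped `pythonw.exe` task scores on all three and is lifted to high because a `.vbs` landed on the same host seconds earlier, which is exactly the dropper-then-task sequence both chains use. If your SIEM already splits TaskContent into fields, replace `exec_actions()` with a lookup and keep the scoring.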

04

Watch egress to GitHub, SSH tunnels, and remote-access tooling

Second-stage payloads are retrieved from a GitHub repository, and the stealer can raise a reverse SSH tunnel or install RustDesk on command. Baseline and alert on unexpected GitHub raw-content downloads from servers and non-developer endpoints, outbound SSH from unusual hosts, and unauthorised RustDesk installations or launches.

05

Reduce the credential blast radius now

BusySnake targets browser cookies and passwords, Telegram sessions, and crypto wallet files. Enforce phishing-resistant MFA, move privileged access away from browser-stored credentials, and treat any confirmed infection as a full credential-rotation event — including session tokens, not just passwords.

Campaign timeline

May 2023

BI.ZONE begins tracking a cluster it names Eagle Werewolf — a group targeting government and defence organisations, particularly those involved in UAV development and manufacturing, using droppers, remote access trojans, and SSH-tunnelling utilities. Compromised Telegram channels are among its distribution methods.

November 2025

Microsoft patches CVE-2025-9491 (ZDI-CAN-25373), a Windows shortcut (LNK) UI-misrepresentation flaw that lets a crafted shortcut run a command the Properties dialog does not display once a user opens it. Trend Micro research shows the weakness had been quietly weaponised by roughly a dozen hacking groups since 2017.

February 2026

Eagle Werewolf compromises a drone-focused Telegram channel to distribute AquilaRAT via a Rust dropper posing as a checklist for Starlink device activation. The group also deploys Go2Tunnel to establish reverse SSH tunnels to command-and-control infrastructure using a private key.

3 July 2026

Kaspersky publishes a technical analysis attributing a campaign against government agencies and the electric power sector across Russia, Brazil, and Kazakhstan to a previously undocumented actor it names Armored Likho — and documents a new Python-based infostealer, BusySnake, at the centre of the campaign.

4 July 2026

HLD Shield issues this briefing. The campaign is assessed as active, with the actor iterating rapidly on its toolkit — including a newer BusySnake build with a task-management framework for C2 command handling.

HLD assessment

Campaign status: Active
Primary motive: Espionage + financial
Regions observed: RU · BR · KZ
Sectors: Government · Power
Exploited CVE: CVE-2025-9491
Patch available: Yes (November 2025)

Risk amplifiers

Government and power sector targeting

Confirmed victims span government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. Critical-infrastructure operators should treat the tradecraft — not the current victim geography — as the planning signal.

Espionage blended with financial theft

Armored Likho mixes targeted cyber espionage against organisations with financially motivated campaigns against private individuals — widening its victim pool and making its infrastructure harder to profile.

Living off legitimate tooling

GitHub-hosted payloads, RustDesk remote access, and SSH tunnelling all blend with legitimate enterprise traffic — degrading the value of naive allow-listing and reputation-based controls.

Runtime-encrypted, analysis-resistant malware

BusySnake decrypts its bytecode only at the moment a function is called and re-encrypts immediately after, runs windowless via a PYW extension, and layers obfuscation specifically engineered to defeat dynamic analysis.

Signs of AI-assisted development

Kaspersky notes the first-stage loaders and stagers were likely generated with AI assistance, based on redundant comments and code blocks — pointing to a faster, cheaper iteration cycle for new payload variants.

Rapidly maturing toolkit

A newer BusySnake build adds a task-management framework that assigns C2 commands operational statuses (SCHEDULED, IN_PROGRESS, SUCCEEDED, FAILED) — evidence of active, professionalised development.

HLD Shield briefings are interpretive intelligence summaries based on publicly available information and HLD analytical assessment. They do not constitute formal vulnerability assessments or legal advice. Organisations should validate findings against their own environment and engage qualified advisers for remediation decisions. Published 4 July 2026.
