This article discusses the discovery of a new phishing campaign linked to the Armored Likho APT group, which focuses on government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The campaign utilizes a modular RAT and infostealer, named BusySnake Stealer, to bypass security measures and steal sensitive information like passwords and cookies from users' browsers. Infection methods include phishing emails containing malicious attachments such as EXE and LNK files.
The BusySnake Stealer features advanced obfuscation and evasion tactics, operates under the guise of legitimate system processes, and incorporates AI-generated elements in its initial payloads. Kaspersky provides detection recommendations and highlights the ongoing threat posed by Armored Likho.