securelist.com 7/3/2026, 10:21:17 AM · external

Armored Likho deploys BusySnake Stealer via phishing emails

Armored Likho deploys BusySnake Stealer via phishing emails
CyberSIXT Evidence Panel Source marked as original reporting
Threat Actor
Armored Likho

THIS article discusses the discovery of a new phishing campaign linked to the Armored Likho APT group, which focuses on government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The campaign utilizes a modular RAT and infostealer, named BusySnake Stealer, to bypass security measures and steal sensitive information like passwords and cookies from users' browsers. Infection methods include phishing emails containing malicious attachments such as EXE and LNK files.

The BusySnake Stealer features advanced obfuscation and evasion tactics, operates under the guise of legitimate system processes, and incorporates AI-generated elements in its initial payloads. Kaspersky provides detection recommendations and highlights the ongoing threat posed by Armored Likho.

View full article

Article by CyberSIXT