A recently identified advanced persistent threat (APT) named Armored Likho targets government and electric power organizations across Russia, Brazil, and Kazakhstan. This group employs both financially motivated attacks and cyber-espionage methods. Their toolkit includes remote access trojans (RATs) like BusySnake Stealer, enabling stealthy control and data exfiltration from compromised systems. For initial access, they primarily use spear-phishing, often distributing malicious executables disguised as safe files.
BusySnake Stealer features advanced malware techniques including clipboard theft, password extraction, and reverse SSH tunneling for maintaining persistence. The operations of Armored Likho show similarities with another hacking group, Eagle Werewolf, suggesting potential collaboration or shared tactics.