All incidents

Armored Likho APT deploys BusySnake Stealer against power sector

campaignopenJul 3, 2026 — Jul 6, 2026
Armored Likho APT deploys BusySnake Stealer against power sector

ARMORED Likho, an advanced persistent threat group, has been observed deploying the BusySnake Stealer malware against government and electric power organisations in Russia, Brazil and Kazakhstan, with activity first detected on 3 July 2026 and continuing through 6 July 2026. The campaign combines financially motivated theft with cyber‑espionage goals, posing a direct risk to critical infrastructure and sensitive state data.

BusySnake Stealer functions as a modular remote access trojan and information stealer, capable of harvesting clipboard contents, extracting stored passwords and browser cookies, and establishing reverse SSH tunnels for persistent, covert control. Initial infection relies on spear‑phishing emails that carry malicious executable or LNK files masquerading as legitimate documents, a technique highlighted in the Securelist analysis.

The malware employs heavy obfuscation and evasion tactics, often disguising its processes as trusted system utilities and incorporating AI‑generated components in its dropper to hinder static detection. Kaspersky’s research notes that the stealer can maintain footholds even after reboots by leveraging legitimate authentication mechanisms, making traditional signature‑based tools less effective.

Observed activity overlaps with tactics previously associated with the Eagle Werewolf group, suggesting possible collaboration or shared toolsets between the two clusters. Targeting of power sector entities raises concerns about potential disruption to energy supply chains, while the theft of governmental credentials could enable broader espionage campaigns.

Defenders should enforce strict email attachment policies that block executable and LNK files from unknown senders, and deploy application allowlisting to prevent unauthorized binaries from executing. Monitoring network traffic for unexpected outbound SSH connections, especially those using non‑standard ports, can help uncover the reverse tunneling used by BusySnake Stealer for command and control.

Additionally, organisations are urged to enforce multi‑factor authentication on privileged accounts, segment operational technology networks from corporate IT, and conduct regular phishing awareness training that highlights the specific lure tactics employed by Armored Likho. Sharing indicators of compromise from the Securelist report with sector‑wide information sharing centres will improve collective defence against this ongoing threat.

Intelligence briefing updated Jul 6, 2026

Armored Likho
Root sourcesecurelist.com
Timeline Coverage

Swipe to explore timeline