Verticals Targeted: Government, Electric, Energy, Critical Infrastructure
Regions Targeted: Russia, Kazakhstan, Brazil
Related Threat Actors: Armored Likho
Related Families: BusySnake
Executive Summary
Researchers have identified an active phishing campaign introducing a previously undocumented Python-based infostealer dubbed BusySnake Stealer. Targeting government agencies and electric power organizations across Russia, Kazakhstan, and Brazil, the campaign combines AI-assisted first-stage loaders, modular malware, GitHub-hosted payload delivery, and advanced credential theft capabilities. The operation demonstrates the group's continued technical evolution and highlights how increasingly modular malware can complicate traditional signature-based detection while reinforcing the importance of behavioral analytics and threat intelligence.
Key Takeaways
- New BusySnake Stealer attributed with medium confidence to Armored Likho.
- The campaign targets government and electric power organizations in Russia, Kazakhstan, and Brazil.
- Spear-phishing emails deliver malicious EXE or LNK files disguised as legitimate documents.
- BusySnake steals browser credentials, cookies, Telegram sessions, cryptocurrency wallet files, and OTP secrets.
- Evidence suggests large language models (LLMs) were used to assist development of first-stage loaders.
Background
Kaspersky researchers uncovered an active spear-phishing campaign linked with medium confidence to the Armored Likho threat group. The actor has historically conducted both financially motivated campaigns targeting individuals and cyber-espionage operations against government organizations. This latest campaign demonstrates continued operational maturity through modular malware development, improved persistence mechanisms, and indicators suggesting that large language models (LLMs) were used to assist in generating first-stage malware components.
Confirmed victims have been identified within government and electric power organizations located in Russia, Kazakhstan, and Brazil. Initial access relies primarily on spear-phishing emails containing ZIP or RAR archives that deliver either self-extracting executable droppers or malicious Windows shortcut (LNK) files disguised as legitimate documents, including psychological tests, humanitarian aid requests, and official notices. Although the delivery mechanisms differ, both ultimately deploy BusySnake Stealer by downloading a Python runtime, installing required dependencies, establishing persistence through scheduled tasks, and executing the malware from the user's AppData directory.
What is BusySnake?
BusySnake Stealer is a previously undocumented Python-based infostealer built around a modular architecture that separates functionality into individual handlers responsible for reconnaissance, persistence, credential theft, remote access, and data exfiltration.
The malware is protected using PyArmor Pro, which dynamically decrypts executable bytecode only when individual functions are called before immediately re-encrypting them. Combined with execution through a Python PYW file that suppresses the console window, these techniques complicate static analysis while reducing the malware's visibility during execution.
BusySnake includes functionality to:
- Capture clipboard contents
- Inventory local files and directories
- Collect screenshots
- Steal browser credentials
- Extract browser cookies
- Exfiltrate user documents
- Locate cryptocurrency wallet files
- Harvest Telegram session data
- Search for one-time password (OTP) secrets
- Establish reverse SSH tunnels
- Abuse RustDesk for remote access
One notable capability involves scanning local files for 64-character hexadecimal strings using regular expression matching. These values may represent cryptographic material, API tokens, or other hexadecimal secrets that could support follow-on intrusion activity.
BusySnake extracts credentials from both Chromium-based browsers and Firefox. For Chromium browsers, it leverages Windows Data Protection API (DPAPI) to decrypt locally protected credentials. Firefox credentials are recovered through the browser's Network Security Services (NSS) libraries when a master password is not configured. The malware similarly harvests browser cookies through direct database extraction and an additional module that installs a malicious browser extension to collect active session cookies before transmitting them to C2 infrastructure.
The malware continuously polls its C2 server for new tasks, allowing operators to dynamically execute credential theft, screenshot collection, reverse proxy creation, remote desktop operations, additional Python scripts, and other post-compromise activities without redeploying malware.
Who is Armored Likho?
Armored Likho, also known as Eagle Werewolf, is a suspected advanced persistent threat (APT) group that has primarily targeted government organizations and critical infrastructure through cyber-espionage campaigns, while also conducting financially motivated operations against private individuals. Researchers attribute the BusySnake campaign to Armored Likho with medium confidence based on multiple technical overlaps with previously documented activity, including similarities to the Go2Tunnel reverse SSH utility, architectural characteristics shared with AquilaRAT, and comparable persistence mechanisms that masquerade as legitimate Microsoft scheduled tasks.
Evolving Tradecraft
One of the most significant aspects of this campaign is the apparent evolution of Armored Likho's development workflow. Kaspersky researchers identified multiple indicators suggesting that first-stage loaders were generated with assistance from large language models. These indicators include unusually verbose inline comments, structured formatting, and emoji-based bullet points that are uncommon in traditionally developed malware. While this does not conclusively prove autonomous AI-generated malware, it strongly suggests LLMs are being used to accelerate development of disposable delivery components. The group's core malware, however, continues to demonstrate characteristics consistent with experienced malware development.
BusySnake also consolidates capabilities that previously existed as standalone tools. Earlier Armored Likho campaigns relied on the Go2Tunnel utility to establish reverse SSH tunnels. BusySnake now incorporates equivalent functionality directly into the malware, allowing attackers to receive tunneling parameters from the C2 server while reducing operational complexity.
Researchers additionally identified a newer BusySnake variant that introduces several refinements, including COM-based scheduled task creation instead of direct schtasks execution, delayed execution to evade automated sandbox analysis, in-memory execution of downloaded Python scripts, improved task management, and updated C2 communications. These changes reflect continued investment in stealth and operational flexibility.
Analyst Commentary
Armored Likho continues to demonstrate a deliberate evolution rather than a dramatic shift in capability. While BusySnake introduces meaningful technical enhancements, the broader trend is the increasing modularization of malware and the consolidation of previously independent tools into adaptable platforms capable of supporting multiple post-compromise objectives.
The apparent use of LLM-assisted development is particularly significant. Rather than replacing experienced malware developers, AI appears to be accelerating production of disposable first-stage loaders while human operators continue refining the more sophisticated components responsible for persistence, credential theft, remote access, and command execution. This hybrid development model could shorten malware development cycles, increase payload variation, and complicate traditional static detection without fundamentally changing attacker tradecraft.
The campaign also reinforces a broader industry trend toward malware that increasingly relies on behavioral evasion rather than binary uniqueness. BusySnake's use of obfuscated Python code, dynamic dependency installation, GitHub-hosted staging infrastructure, scheduled-task persistence, and memory-only execution demonstrates how modern malware can rapidly evolve while remaining operationally flexible.
For defenders, campaigns such as BusySnake highlight the need for layered detection strategies that extend beyond traditional antivirus signatures. PolySwarm's crowdsourced multi-engine malware analysis enables security teams to rapidly compare verdicts across dozens of detection engines, identify suspicious payloads that may evade individual vendors, and gain earlier visibility into emerging malware families before broad signature coverage becomes available. As threat actors continue integrating AI-assisted development with increasingly modular malware architectures, combining behavioral telemetry with diverse malware intelligence will become increasingly important for reducing detection gaps, accelerating investigation, and improving overall cyber resilience.
IOCs
PolySwarm has multiple samples of the loader and other files used in this campaign’s attack chain.
af09e6bb864e64aa6bc2d736deb5713a97c984da2d2f6054d3229315e5ee2eda
3ec02d6bed160a97edea549ec88c46f10105f6cdf6a4b3f356b2fc6a4a14f386
5eb161bb76225defc198d27fc490742f61b62e6296c84c14019f38c3fecd4049
8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79
00ccbf72b8a0f0314d829766775889bbe9c964ce7b499ff26ba12fb62cadf906
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.