Covered by 1 source · 1 report · High impact

Armored Likho Targets Governments, Power Sector with BusySnake Stealer

Aggregated by BrevFeed security · updated 6h ago

Armored Likho is attributed to cyber attacks against government agencies and the power sector in Russia, Brazil, and Kazakhstan. The group utilizes advanced malware techniques, including BusySnake Stealer and tools like Go2Tunnel, to maintain persistent access and steal sensitive data.

Key points

Overview of Armored Likho's Activities

Armored Likho has been linked to cyber attacks across Russia, Brazil, and Kazakhstan, focusing on government agencies and the electric power sector. This previously undocumented threat actor utilizes a combination of financially motivated campaigns and targeted cyber espionage, as highlighted by Kaspersky's recent report.

Malware and Tools Utilized

The threat actor employs a sophisticated toolkit, including the BusySnake Stealer, which targets Windows systems. One version of this malware incorporates a module for stealing cookies from web browsers, enhancing its capability for data exfiltration. Additional tools, such as Go2Tunnel, are used for remote access and maintaining a command-and-control infrastructure.

Attack Methodology

Attacks typically start with spear-phishing emails containing lures related to official notices, delivering malicious RAR archives. These archives unpack EXE binaries that act as droppers for various payloads, which can be retrieved from GitHub repositories, enabling the installation of additional malware.

Connection to Other Threat Groups

Kaspersky noted possible overlaps between Armored Likho and a similar group known as Eagle Werewolf. Both groups focus on targeting government and defense organizations, particularly those linked to UAV development. Eagle Werewolf has also shown capabilities for malware distribution via compromised Telegram channels.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.

Primary sources

- CVE-2025-9491: 7.8 HIGH
- CVE-2026-55200: 8.1 HIGH
- CVE-2026-46817: 9.8 CRITICAL
