A previously unidentified cyber threat actor, dubbed Armored Likho, has been implicated in a series of attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. This group employs a blend of financially motivated campaigns aimed at individuals and targeted cyber espionage against organizations.
Armored Likho’s toolkit includes obfuscated, modular remote access trojans (RATs) and information stealers designed to evade dynamic analysis. Notably, the group utilizes tools like Go2Tunnel for remote access and network tunneling, enabling persistent access to compromised systems and the exfiltration of sensitive data. The attackers dynamically deploy modules tailored to the specific profiles of their victims.
There are indications that Armored Likho shares similarities with a threat cluster known as Eagle Werewolf, active since May 2023. Eagle Werewolf has a history of targeting government and defense organizations, particularly those involved in unmanned aerial vehicle (UAV) development and manufacturing. Their methods include the use of droppers, RATs, and SSH tunneling utilities. In February 2026, Eagle Werewolf was observed compromising a drone-focused Telegram channel to distribute AquilaRAT via a Rust-based dropper disguised as a Starlink device activation checklist. They also employed Go2Tunnel to establish reverse SSH tunnels to command-and-control servers.
Recent findings reveal that Armored Likho has deployed a previously unreported Python-based information stealer named BusySnake Stealer, targeting Windows systems. One variant of this stealer includes a module for extracting cookies from web browsers. The exact origins of Armored Likho remain unknown.
The attack chain typically begins with spear-phishing emails that use lures related to official government notices or social programs. These emails distribute RAR archives containing executable binaries that act as droppers for additional payloads retrieved from a GitHub repository, including the BusySnake Stealer. The dropper malware also creates two Visual Basic Script (VBScript) files: one to erase traces of the initial execution and another to launch the stealer via a scheduled task.
In alternative attack chains, the group uses Windows shortcut (LNK) files instead of executable payloads. These shortcuts exploit a now-patched vulnerability in how Windows handles such files, leading to remote code execution. This vulnerability, tracked as CVE-2025-9491 (also known as ZDI-CAN-25373), was addressed by Microsoft in November 2025. Evidence suggests that this flaw had been exploited by multiple hacking groups since 2017.
In the attack sequence documented by Kaspersky, the shortcut vulnerability is exploited to execute an obfuscated PowerShell command that launches a loader. This loader displays a decoy document while preparing the environment for the execution of the Python-based BusySnake Stealer. The malware establishes persistence through a combination of a VBScript file and a scheduled task, mirroring the executable-based chain described above.
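The two execution chains above share observable footprints a defender can hunt for in process-creation telemetry: a scheduled task whose action launches a VBScript, a script host running a .vbs from a user-writable directory, and PowerShell started with an encoded command or a hidden window. The following triage script is an added illustration and is not code from the article, from Kaspersky, or from the threat actor's toolset. It assumes a minimal process-creation record loosely modelled on Sysmon-style fields (parent image, image, command line); the rule thresholds and all sample records are constructed for the example, and the rules are generic heuristics rather than signatures for this specific campaign.

```python
"""Heuristic triage of process-creation telemetry for the persistence and
execution patterns described in the article: a scheduled task that launches a
VBScript stager, a script host running a .vbs from a user-writable path, and an
LNK-triggered obfuscated PowerShell command.  Added example; the event schema and
every sample record below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    # Minimal process-creation record (assumed schema, modelled on Sysmon Event ID 1 fields).
    parent_image: str
    image: str
    command_line: str

def _tokens(cmd: str) -> List[str]:
    # Split a Windows command line into tokens while keeping quoted arguments together.
    return re.findall(r'"[^"]*"|\S+', cmd)

def is_encoded_or_hidden_powershell(evt: ProcessEvent) -> bool:
    """PowerShell started with -EncodedCommand (including the short forms -e, -ec,
    -enc and any longer prefix) or with -WindowStyle Hidden.  Both are legitimate
    options, but together they are typical of shortcut-triggered loaders (heuristic)."""
    if evt.image.lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    toks = [t.lower() for t in _tokens(evt.command_line)]
    encoded = hidden = False
    for i, tok in enumerate(toks):
        if not tok.startswith("-"):
            continue
        name = tok[1:]
        if name in ("e", "ec") or (name and "encodedcommand".startswith(name)):
            encoded = True
        if (name and "windowstyle".startswith(name)
                and i + 1 < len(toks) and toks[i + 1] in ("hidden", "1")):
            hidden = True
    return encoded or hidden

def creates_vbscript_task(evt: ProcessEvent) -> bool:
    """schtasks.exe /Create whose action (/TR) runs wscript/cscript or a .vbs file."""
    if evt.image.lower() != "schtasks.exe":
        return False
    toks = _tokens(evt.command_line)
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return False
    for i, tok in enumerate(lowered):
        if tok == "/tr" and i + 1 < len(toks):
            return bool(re.search(r"(?i)\b[wc]script(\.exe)?\b|\.vbs\b", toks[i + 1]))
    return False

# Directories a standard user can write to (assumed list for the example).
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\Public|AppData|Temp|ProgramData)\\")

def runs_vbs_from_user_writable_path(evt: ProcessEvent) -> bool:
    """wscript/cscript executing a .vbs that lives in a user-writable directory."""
    if evt.image.lower() not in ("wscript.exe", "cscript.exe"):
        return False
    cmd = evt.command_line
    return bool(re.search(r"(?i)\.vbs\b", cmd)) and bool(USER_WRITABLE.search(cmd))

RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("encoded_or_hidden_powershell", is_encoded_or_hidden_powershell),
    ("vbscript_scheduled_task", creates_vbscript_task),
    ("vbscript_from_user_writable_path", runs_vbs_from_user_writable_path),
]

def triage(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(idx, name) for idx, evt in enumerate(events)
            for name, rule in RULES if rule(evt)]

# Constructed sample telemetry: three records shaped like the chains in the
# article and three benign records that the rules must leave alone.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("dropper.exe", "schtasks.exe",
                 r'schtasks.exe /Create /TN "WinUpdCheck" /SC ONLOGON /TR "wscript.exe //B C:\Users\Public\run.vbs"'),
    ProcessEvent("svchost.exe", "wscript.exe", r"wscript.exe //B C:\Users\Public\run.vbs"),
    ProcessEvent("explorer.exe", "WINWORD.EXE", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n report.docx'),
    ProcessEvent("cmd.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Deploy.ps1"),
    ProcessEvent("cmd.exe", "schtasks.exe", r'schtasks.exe /Create /TN Backup /SC DAILY /TR "C:\Tools\backup.exe"'),
]

if __name__ == "__main__":
    for idx, rule_name in triage(SAMPLE_EVENTS):
        evt = SAMPLE_EVENTS[idx]
        print(f"[{rule_name}] {evt.parent_image} -> {evt.image}: {evt.command_line}")
```

Each rule fires independently, so the same intrusion surfaces as a chain of related hits (task creation, then the script host running the stager) rather than a single alert; correlating hits on the same host within a short window is what turns these weak signals into a confident detection.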
The emergence of Armored Likho underscores the evolving landscape of cyber threats, where attackers blend financial motives with espionage activities. Their use of sophisticated tools and techniques highlights the need for organizations to adopt comprehensive cybersecurity measures, including regular software updates, employee training on phishing tactics, and the implementation of advanced threat detection systems.