A newly identified advanced persistent threat group, known as Armored Likho, has been targeting government and critical infrastructure organizations in countries such as Russia, Brazil, and Kazakhstan. This group has deployed a sophisticated malware toolkit designed to steal credentials, sensitive documents, and other valuable data. Researchers from Kaspersky have been tracking the activities of Armored Likho, which include both financially motivated attacks on individuals and cyber-espionage operations against organizations.
The group employs spear-phishing emails disguised as official communications to deliver malicious payloads. These emails contain archive files with harmful executables or disguised Windows shortcut files. Victims are often tricked by decoy documents, such as psychological surveys, which run while additional malware is quietly installed in the background. Kaspersky noted that the attackers have likely used large language models to generate some of their code, indicating a trend towards leveraging AI tools for creating first-stage payloads.
The primary weapon in Armored Likho's arsenal is a Python-based infostealer named BusySnake Stealer. This tool is capable of extracting a wide range of sensitive information, including browser passwords, cryptographic keys, and messaging data. BusySnake can establish reverse SSH tunnels and deploy remote-access software, allowing attackers to maintain persistent access. The malware uses advanced techniques to avoid detection, including code obfuscation with PyArmor Pro, and runs silently to evade reverse engineering.
Armored Likho's attacks highlight a growing trend in the technical sophistication of threat actors, especially those targeting critical infrastructure. The group's diverse malware capabilities allow for customized attacks on each victim, facilitating data exfiltration and long-term system control. While Kaspersky has not linked Armored Likho to any specific nation, the focus on critical infrastructure suggests significant implications for national security. Organizations are advised to use the provided indicators of compromise to detect and block these threats.


