Armored Likho APT Targets Power Grids with BusySnake Stealer Malware

First seen 4 Jul 2026, 15:24 UTC · Securelist, Gbhackers, Techtimes · 77% similarity · 78.0

Article Content

A newly identified APT group, Armored Likho, is conducting a phishing campaign targeting government agencies and electric power sectors in Russia, Brazil, and Kazakhstan. The group employs a sophisticated infostealer known as BusySnake Stealer, which is difficult to detect and recover from. Attack vectors include spear-phishing emails with malicious attachments disguised as legitimate documents. The campaign exploits CVE-2025-9491; immediate patching and auditing of scheduled tasks are urged. Armored Likho operates dual tracks of cyber-espionage and financially motivated credential theft, affecting both critical infrastructure and private individuals. The group has been linked to previous activities under the alias Eagle Werewolf, with notable advancements in its malware toolkit. The campaign remains active and poses a significant threat to the targeted sectors.

Key Points:
• Armored Likho targets government and electric power sectors in Russia, Brazil, and Kazakhstan.
• The group uses BusySnake Stealer, a sophisticated infostealer, making detection difficult.
• Immediate action is required to patch CVE-2025-9491 and audit scheduled tasks.

ThreatCluster AI

Timeline

2025-08-26: CVE-2025-9491 published
A critical vulnerability affecting systems used by government and utility sectors was disclosed.
Source: Securelist

2026-07-03: Armored Likho campaign uncovered
Kaspersky revealed the ongoing phishing campaign by Armored Likho targeting critical infrastructure.
Source: Securelist

2026-07-04: Kaspersky publicly names Armored Likho
Kaspersky confirmed the attribution of the cyber-espionage campaign to Armored Likho, detailing their tactics and tools.
Source: Techtimes
