Securelist
Armored Likho APT Targets Power Grids with BusySnake Stealer Malware
A newly identified APT group, Armored Likho, is conducting a phishing campaign targeting government agencies and electric power sectors in Russia, Brazil, and Kazakhstan. The group employs a sophisticated infostealer known as BusySnake Stealer, which is difficult to detect and recover from. Attack vectors include spear-phishing emails with malicious attachments disguised as legitimate documents. The campaign exploits CVE-2025-9491; immediate patching and an audit of scheduled tasks are urged. Armored Likho runs two tracks, cyber-espionage and financially motivated credential theft, affecting both critical infrastructure and private individuals. The group has been linked to previous activity under the alias Eagle Werewolf, with notable advancements in its malware toolkit. The campaign remains active and poses a significant threat to the targeted sectors.
Key Points:
• Armored Likho targets government and electric power sectors in Russia, Brazil, and Kazakhstan.
• The group uses BusySnake Stealer, a sophisticated infostealer, making detection difficult.
• Immediate action is required to patch CVE-2025-9491 and audit scheduled tasks.