A previously unknown advanced persistent threat group, dubbed Armored Likho, is employing AI-generated malware, sophisticated phishing techniques, and the BusySnake Stealer to target government agencies and electric power organizations across Russia, Kazakhstan, and Brazil, Kaspersky reports. This dual-pronged approach, targeting both private individuals for financial gain and critical infrastructure for espionage, is an unusual strategy for cyber threat actors, according to a recent report by Security Affairs.Armored Likho utilizes a modular and evolving toolkit that includes obfuscated remote access trojans (RATs), the Python-based BusySnake Stealer, and Go2Tunnel for network tunneling. The attack chain commences with spear-phishing emails containing lures ranging from official government notices to humanitarian aid applications. These emails deliver either self-extracting archives that deploy a loader into legitimate processes or LNK shortcut files exploiting a known vulnerability to execute PowerShell scripts. Both infection vectors ultimately lead to the deployment of BusySnake Stealer, which is designed to exfiltrate credentials, cryptocurrency keys, API secrets, and sensitive documents. The stealer also harvests Telegram session data and RustDesk credentials, and establishes reverse SSH tunnels for operator access.The use of AI in generating initial payloads allows the group to rapidly vary their tactics, techniques, and procedures (TTPs), complicating attribution and making each campaign appear structurally distinct. Kaspersky attributes this campaign to Armored Likho with medium confidence due to structural overlaps with previous malware families used by the group, such as AquilaRAT. The campaign remains active, with confirmed victims in Russia, Kazakhstan, and Brazil, focusing on government and electric power infrastructure.Source: Security Affairs



