Threat Advisory

Restrict PowerShell execution policies to prevent malicious scripts

Threat: Malware
Threat Actor Name: Armored Likho
Threat Actor Type: APT
Targeted Region: Russia, Brazil, Kazakhstan
Targeted Sector: Technology & IT, Government & Defense, Energy & Utilities
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

Armored Likho, an emerging APT group, is conducting a multi‐stage espionage campaign that blends financial theft with strategic data collection. The threat primarily targets government ministries and electric‐utility operators in Russia, Brazil, and Kazakhstan, though ancillary phishing attempts reach private individuals worldwide. Attackers aim to harvest credentials, browser cookies, and proprietary documents, enabling both intelligence gathering and opportunistic extortion. By disguising malicious payloads as official correspondence, the group seeks to bypass user awareness and maintain long‐term footholds within high‐value networks.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

Armored Likho, an emerging APT group, is conducting a multi‐stage espionage campaign that blends financial theft with strategic data collection. The threat primarily targets government ministries and electric‐utility operators in Russia, Brazil, and Kazakhstan, though ancillary phishing attempts reach private individuals worldwide. Attackers aim to harvest credentials, browser cookies, and proprietary documents, enabling both intelligence gathering and opportunistic extortion. By disguising malicious payloads as official correspondence, the group seeks to bypass user awareness and maintain long‐term footholds within high‐value networks.[emaillocker id="1283"]

The initial intrusion relies on spear‐phishing emails that carry either a compressed archive with an executable dropper or a shortcut file pointing to a PowerShell downloader. Once the user runs the attachment, a lightweight loader retrieves a Python runtime, installs required libraries, and launches the BusySnake stealer. The stealer establishes persistence through a scheduled task and a self‐deleting script, then begins enumerating files, extracting browser credentials, and capturing clipboard data. Communication with the command‐and‐control server occurs over encrypted web channels, allowing the actors to issue further instructions and exfiltrate collected information.

The campaign poses a serious risk to executives because compromised credentials can grant unfettered access to critical infrastructure and confidential policy data. Its use of common file types and legitimate web traffic makes detection difficult for signature‐based tools, while the encrypted communication hinders network‐level analysis. Organizations should enforce strict email filtering, apply timely patches to scripting runtimes, and monitor for anomalous scheduled tasks or outbound connections. Maintaining isolated, regularly tested backups and deploying layered endpoint protection further reduces the chance of prolonged exposure and data loss.

THREAT PROFILE:

Tactic Technique ID Technique Sub-technique
Initial Access T1566.001 Phishing Spearphishing Attachment
Execution T1059.001 Command and Scripting Interpreter PowerShell
Persistence T1053.005 Scheduled Task/Job Scheduled Task
Privilege Escalation T1055 Process Injection
Defense Evasion T1027.005 Obfuscated Files or Information Indicator Removal from Tools
Credential Access T1555.003 Credentials from Password Stores Credentials from Web Browsers
Discovery T1083 File and Directory Discovery
Collection T1113 Screen Capture
Command and Control T1071.001 Application Layer Protocol Web Protocols
Lateral Movement T1021.004 Remote Services SSH

 

REFERENCES:

reports contain further technical details:
https://thehackernews.com/2026/07/armored-likho-targets-government.html
https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/

[/emaillocker]
crossmenu