EXECUTIVE SUMMARY
Armored Likho, an emerging APT group, is conducting a multi‐stage espionage campaign that blends financial theft with strategic data collection. The threat primarily targets government ministries and electric‐utility operators in Russia, Brazil, and Kazakhstan, though ancillary phishing attempts reach private individuals worldwide. Attackers aim to harvest credentials, browser cookies, and proprietary documents, enabling both intelligence gathering and opportunistic extortion. By disguising malicious payloads as official correspondence, the group seeks to bypass user awareness and maintain long‐term footholds within high‐value networks.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
Armored Likho, an emerging APT group, is conducting a multi‐stage espionage campaign that blends financial theft with strategic data collection. The threat primarily targets government ministries and electric‐utility operators in Russia, Brazil, and Kazakhstan, though ancillary phishing attempts reach private individuals worldwide. Attackers aim to harvest credentials, browser cookies, and proprietary documents, enabling both intelligence gathering and opportunistic extortion. By disguising malicious payloads as official correspondence, the group seeks to bypass user awareness and maintain long‐term footholds within high‐value networks.[emaillocker id="1283"]
The initial intrusion relies on spear‐phishing emails that carry either a compressed archive with an executable dropper or a shortcut file pointing to a PowerShell downloader. Once the user runs the attachment, a lightweight loader retrieves a Python runtime, installs required libraries, and launches the BusySnake stealer. The stealer establishes persistence through a scheduled task and a self‐deleting script, then begins enumerating files, extracting browser credentials, and capturing clipboard data. Communication with the command‐and‐control server occurs over encrypted web channels, allowing the actors to issue further instructions and exfiltrate collected information.
The campaign poses a serious risk to executives because compromised credentials can grant unfettered access to critical infrastructure and confidential policy data. Its use of common file types and legitimate web traffic makes detection difficult for signature‐based tools, while the encrypted communication hinders network‐level analysis. Organizations should enforce strict email filtering, apply timely patches to scripting runtimes, and monitor for anomalous scheduled tasks or outbound connections. Maintaining isolated, regularly tested backups and deploying layered endpoint protection further reduces the chance of prolonged exposure and data loss.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Privilege Escalation | T1055 | Process Injection | — |
| Defense Evasion | T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery | — |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Lateral Movement | T1021.004 | Remote Services | SSH |
REFERENCES:
reports contain further technical details:
https://thehackernews.com/2026/07/armored-likho-targets-government.html
https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/