-
Researchers identified a new Python-based malware called BusySnake Stealer in attacks targeting government agencies and energy organizations.
-
Armored Likho allegedly uses AI-generated malware loaders, stealth techniques, and modular tools to maintain long-term network access.
-
The malware steals passwords, browser cookies, cryptocurrency wallets, Telegram sessions, and other sensitive data from infected Windows systems.
Security researchers have uncovered a previously unknown information-stealing malware called BusySnake Stealer. The malware powers fresh cyber campaigns linked to the suspected advanced persistent threat (APT) group Armored Likho. The attackers have targeted government organizations and electrical power companies across Russia, Kazakhstan, and Brazil.
Researchers detailed the findings in a new threat intelligence report. They linked the malware to Armored Likho, which some researchers also associate with Eagle Werewolf through circumstantial evidence. The report also reveals the group’s growing reliance on artificial intelligence, modular malware, and advanced evasion methods.
According to the researchers, the campaign remains active. The attackers combine financially motivated operations against individuals with cyber-espionage campaigns targeting organizations.
Their toolkit includes remote access trojans, credential stealers, reverse SSH tunneling utilities, and malware designed to avoid security analysis while maintaining persistent access.
Spear-Phishing Campaign Delivers New Python Malware
The attackers begin each campaign with carefully crafted spear-phishing emails. They disguise the messages as government notices, humanitarian aid requests, or psychological assessment documents. Victims receive ZIP or RAR archives containing executable files or malicious LNK shortcuts.
Researchers identified two different infection chains. Both methods eventually install BusySnake Stealer, a Python-based information stealer that researchers had not previously documented publicly. The malware downloads a Python interpreter, installs required packages, creates scheduled tasks for persistence, and launches its payload from a concealed directory.
Researchers also discovered signs that the attackers used large language models to develop the first-stage malware loaders. They pointed to unusual coding practices that rarely appear in traditional malware development.
According to the report, the loader contains extensive comments and even bullet-point emojis throughout its source code. The researchers explained that this style differs sharply from malware written manually. They added that the evidence strongly suggests the threat group relied on large language models to generate those malicious components.
BusySnake Collects Credentials and Expands Attacker Access
BusySnake Stealer gathers a wide range of sensitive information after infecting Windows devices. Researchers found that it steals clipboard data, browser passwords, authentication cookies, screenshots, local files, cryptocurrency wallet data, Telegram session information, and one-time password secrets used for two-factor authentication.
The scale of credential theft is evident in recent stealer log leaks, one alleged leak claimed data from Apple, Google, and dozens of global firms.
The malware also communicates continuously with attacker-controlled command-and-control servers. That connection allows operators to deploy additional malware modules, steal browser credentials, establish reverse SSH tunnels, and remotely control infected machines through legitimate software, including RustDesk.
Researchers observed that newer BusySnake variants include stronger stealth capabilities. The malware now relies on Windows COM objects instead of traditional scheduled task commands. It also executes arbitrary Python scripts directly in memory without writing files to disk. Those changes make detection significantly more difficult.
Researchers Link Campaign to Armored Likho
Researchers attributed the operation to Armored Likho with medium confidence. They based their assessment on similarities between BusySnake Stealer and the group’s previously documented Go2Tunnel reverse tunneling utility and AquilaRAT malware family.
The investigation uncovered matching command-and-control communications, persistence techniques, and architectural designs across the malware families. Those shared characteristics strengthened the researchers’ attribution.
The confirmed victims span Russia, Kazakhstan, and Brazil. Government institutions and organizations operating in the electrical power sector remain the group’s primary targets.
Researchers warned that Armored Likho continues refining its malware arsenal. The group increasingly combines AI-assisted development with sophisticated evasion methods to bypass security tools and preserve long-term access to compromised networks. They expect the threat actor to continue evolving its capabilities as defenders improve their detection techniques.