
Armored Likho deploys BusySnake via CVE-2025-9491 LNK chains against Russian, Brazilian, Kazakh power grids
Armored Likho conducted targeted espionage against power and government networks using BusySnake and Go2Tunnel, with documented overlaps to Eagle Werewolf operations. The campaign blended financial and intelligence objectives while exploiting a now-patched LNK vulnerability. Independent confirmation of state attribution is absent despite infrastructure targeting.
Spear-phishing emails carrying RAR archives or patched LNK shortcuts initiated the chain, dropping VBScripts for persistence via scheduled tasks and retrieving BusySnake from GitHub. The stealer enumerates files, captures clipboard data, extracts browser cookies, and beacons to C2 while using obfuscation to evade dynamic analysis. Go2Tunnel provided reverse SSH tunnels for access. Kaspersky documented modular RATs and infostealers that switch between financial theft and espionage modules based on victim profile. Evidence shows overlap with BI.ZONE-tracked Eagle Werewolf, active since May 2023, including Telegram channel compromise for AquilaRAT distribution and identical tunneling utilities. Trend Micro reporting on CVE-2025-9491 confirms exploitation by multiple actors since 2017, indicating shared tooling rather than isolated development. The actor's dual focus on private credential theft and defense-adjacent targets creates attribution friction. Power sector hits align with documented patterns of infrastructure reconnaissance using low-attribution droppers. No independent technical attribution to a state exists; Kaspersky notes only possible cluster linkage. Expansion of BusySnake variants into additional critical sectors remains probable given the GitHub-based payload delivery and scheduled-task persistence.
BI.ZONE: Two additional power-sector compromises using BusySnake droppers confirmed in Kazakhstan by October 2026
Sources (3)
- [1]Kaspersky Armored Likho Analysis(https://kaspersky.com/armored-likho-busySnake)
- [2]BI.ZONE Eagle Werewolf Report(https://bizone.ru/eagle-werewolf-telegram)
- [3]Trend Micro LNK Vulnerability Exploitation(https://trendmicro.com/cve-2025-9491)