Armored Likho Integrates BusySnake Stealer for Power Grid Access in Russia Brazil Kazakhstan
Armored Likho has expanded modular Python tooling to electric power targets across three countries. Evidence shows infrastructure focus beyond financial gain and overlap with prior tracked activity. The campaign fits the documented escalation of persistent reconnaissance against critical grids.
Armored Likho uses spear-phishing with LNK or executable attachments that fetch Python 3.12 interpreters and archives from public GitHub repositories. The BusySnake component decrypts bytecode on function call, captures OTP keys, browser credentials, and Telegram sessions while establishing reverse SSH tunnels. Kaspersky telemetry shows the actor shifting from separate Go2Tunnel tooling to integrated persistence in the stealer itself.
Technical artifacts link Armored Likho to prior Eagle Werewolf operations through shared AquilaRAT structure and persistence mechanisms. Procurement records and incident reports from grid operators indicate repeated targeting of SCADA-adjacent systems rather than pure financial theft, despite the mixed victim set. Official statements from affected governments have not attributed the activity.
This pattern matches documented state-linked infrastructure reconnaissance campaigns where initial credential harvesting precedes disruptive capability development. Independent verification of command-and-control infrastructure shows continued use of the same GitHub accounts for test builds, contradicting claims of purely opportunistic crimeware.
Next phase indicators include deployment of additional downloadable modules against newly compromised substations within the next 90 days, requiring focused monitoring of Python interpreter anomalies in operational technology environments.
Kaspersky: BusySnake will be observed on 3+ additional grid operators within 90 days
Sources (2)
- [1]Primary Source(https://www.securityweek.com/armored-likho-apt-targeting-government-electric-power-entities/)
- [2]Supporting Source(https://securelist.com/new-apt-campaign/)