Executive Summary
In July 2026, a previously undocumented threat actor known as Armored Likho launched cyber attacks targeting government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group employed spear-phishing emails with lures related to official government notices or social programs, distributing RAR archives containing EXE binaries that served as droppers for additional payloads retrieved from a GitHub repository. These payloads included a newly identified Python-based information stealer named BusySnake Stealer, which is capable of stealing browser passwords, cookies, clipboard contents, screenshots, documents, Telegram session data, OTP secrets, and cryptocurrency wallet files. The malware establishes persistence through a combination of VBScript files and scheduled tasks, allowing the attackers to maintain prolonged access to compromised systems.
This incident underscores the evolving tactics of cyber espionage groups, highlighting their ability to blend financially motivated campaigns with targeted attacks on critical infrastructure. The use of AI-generated first-stage loaders and obfuscated, modular remote access trojans (RATs) and infostealers specifically engineered to bypass dynamic analysis demonstrates a significant advancement in their capabilities. Organizations must remain vigilant and adapt their cybersecurity measures to counter these sophisticated threats.
Why This Matters Now
The emergence of Armored Likho and their use of advanced tools like BusySnake Stealer highlight the increasing sophistication of cyber threats targeting critical infrastructure. Organizations must enhance their cybersecurity posture to defend against these evolving tactics.
Attack Path Analysis
Armored Likho initiated attacks via spear-phishing emails containing malicious RAR archives, leading to the execution of droppers that deployed additional payloads. The attackers exploited a Windows shortcut vulnerability (CVE-2025-9491) to execute obfuscated PowerShell commands, facilitating the deployment of the BusySnake Stealer. Utilizing tools like Go2Tunnel, they established reverse SSH tunnels for command and control. The BusySnake Stealer collected sensitive data, including browser cookies, from compromised systems. The exfiltrated data was transmitted over encrypted channels to attacker-controlled servers. The attacks resulted in unauthorized access to sensitive information, posing significant risks to the targeted organizations.
Kill Chain Progression
Initial Compromise
Description
Armored Likho initiated attacks via spear-phishing emails containing malicious RAR archives, leading to the execution of droppers that deployed additional payloads.
Related CVEs
CVE-2025-9491
CVSS 7.8A vulnerability in Windows shortcut (LNK) handling allows remote code execution when a user opens a specially crafted shortcut file.
Affected Products:
Microsoft Windows – All versions prior to November 2025 patch
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Automated Collection
Browser Information Discovery
Steal Web Session Cookie
Data from Local System
Masquerading
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Storage of Cardholder Data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 2.1
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct targeting by Armored Likho's BusySnake stealer poses critical data exfiltration risks to government agencies, requiring enhanced egress security and zero trust segmentation.
Oil/Energy/Solar/Greentech
Electric power sector faces sophisticated data theft campaigns targeting critical infrastructure, necessitating encrypted traffic protection and advanced threat detection capabilities for operational security.
Utilities
Power utility operations vulnerable to financially motivated cyber espionage requiring comprehensive visibility controls, east-west traffic security, and anomaly detection for grid protection.
Computer/Network Security
Security sector must enhance threat intelligence and defensive capabilities against novel stealer malware, implementing cloud native security fabric and intrusion prevention systems.
Sources
- Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealerhttps://thehackernews.com/2026/07/armored-likho-targets-government.htmlVerified
- Armored Likho’s new weapon: BusySnake Stealerhttps://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/Verified
- Keep your finger on Pulse. Mythic Likho cyberattacks against Russia's critical information infrastructurehttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/mythic-likho-cyberattacks-on-russian-critical-information-infrastructure/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is relevant to this incident as it could likely reduce the attacker's ability to move laterally, establish command and control channels, and exfiltrate sensitive data, thereby limiting the overall impact of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute droppers from malicious RAR archives may have been constrained, reducing the likelihood of successful initial payload deployment.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through the exploitation of vulnerabilities may have been constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network using reverse SSH tunnels may have been constrained, reducing the reachability of internal systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent command and control channels may have been constrained, reducing the duration and effectiveness of remote access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing the volume of data transmitted to external servers.
The overall impact of unauthorized access to sensitive information may have been constrained, reducing the potential damage to the organization.
Impact at a Glance
Affected Business Functions
- Government Communications
- Power Grid Operations
- Public Service Administration
Estimated downtime: 7 days
Estimated loss: $5,000,000
Sensitive government documents, operational data of power grids, and personal information of citizens.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust email filtering and user training to mitigate spear-phishing risks.
- • Apply patches promptly to address known vulnerabilities like CVE-2025-9491.
- • Deploy network segmentation to limit lateral movement opportunities.
- • Utilize endpoint detection and response tools to identify and block unauthorized data collection.
- • Establish comprehensive monitoring to detect and respond to unauthorized data exfiltration.



