
Ethical Hacking News

Armored Likho: The Sophisticated Threat Actor Targeting Government Agencies and Power Sectors


  • Armored Likho is a threat actor targeting government agencies and the power sector in Russia, Brazil, and Kazakhstan, according to a technical analysis published by Kaspersky.
  • The actor mixes financially motivated campaigns against private individuals with cyber espionage against organizations, using obfuscated, modular Remote Access Trojans (RATs) and infostealers built to evade detection.
  • Initial access comes through spear-phishing emails carrying RAR archives with EXE droppers, or Windows shortcut (LNK) files that exploit the now-patched CVE-2025-9491; the first-stage loaders show signs of having been written with AI assistance.
  • The actor's Python-based BusySnake Stealer uses multiple evasion techniques to hinder static analysis, persists through a scheduled task registered by a VBScript, and takes its tasks from a C2 server.
  • Kaspersky notes possible overlaps with the Eagle Werewolf cluster tracked by BI.ZONE, based on shared C2 tasking, persistence, and endpoint patterns between AquilaRAT and BusySnake Stealer.



    A threat actor tracked as Armored Likho has been observed attacking government agencies and the power sector across Russia, Brazil, and Kazakhstan. This article walks through the tactics, techniques, and procedures (TTPs) that Kaspersky's analysis attributes to the group.

    According to a technical analysis published by Kaspersky, Armored Likho blends financially motivated campaigns against private individuals with targeted cyber espionage against organizations. Its toolkit consists of obfuscated, modular Remote Access Trojans (RATs) and infostealers engineered to bypass dynamic analysis, which is what makes the group hard to detect and respond to.

    One notable feature of the toolset is the use of Go2Tunnel for remote access and network tunneling. Taken together, the tools let the actor maintain persistent access to compromised hosts, steal credentials and sensitive data, and deliver modules chosen to fit the victim's profile, so the same infrastructure serves very different targets and environments.

    The Russian cybersecurity vendor Kaspersky has noted possible overlaps between Armored Likho and a cluster that BI.ZONE tracks under the moniker Eagle Werewolf. That cluster, active since May 2023, has a track record of targeting government and defense organizations, in particular those involved in UAV development and manufacturing, using droppers, RATs, and utilities for establishing SSH tunnels.

    In its description of the cluster, BI.ZONE notes that the group may use compromised Telegram channels to distribute malware. While its primary motivation is cyber espionage, campaigns aimed at stealing funds from victims have also been recorded. If the overlap holds, that mix of espionage and theft matches what Kaspersky describes for Armored Likho.

    The latest findings reveal a previously unreported Python-based information stealer named BusySnake Stealer that targets Windows systems; one version includes a module for stealing cookies from web browsers. Kaspersky has not attributed Armored Likho to a known origin.

    The starting point of the attack chain is often a spear-phishing email that uses lures related to official government notices or social programs to distribute a RAR archive containing EXE binaries that serve as droppers for additional payloads retrieved from a GitHub repository. The dropper malware also creates two Visual Basic Script (VBScript) files that are responsible for erasing traces of the initial execution and launching the stealer by means of a scheduled task.

    Alternate chains use Windows shortcut (LNK) files instead of EXE payloads. The shortcuts weaponize a now-patched flaw in how Windows handles such files, tracked as CVE-2025-9491 (aka ZDI-CAN-25373), which leads to code execution once the victim opens the shortcut; Microsoft addressed it in its Patch Tuesday updates for November 2025. Because the chain still depends on the user launching the file, mail and endpoint controls that quarantine LNK attachments, and archives containing them, remain effective against this delivery path.
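    The LNK delivery above is a case where a practitioner wants a quick triage check rather than a signature. The Python below is an added example, not code from the Kaspersky report or from the actor: it parses the shell link StringData and flags an arguments field dominated by whitespace, which is the publicly documented mechanism behind ZDI-CAN-25373 (the real command line is pushed out of view behind padding so the shortcut's properties dialog shows an innocuous target). The 16-character threshold and the `build_lnk()` fixture builder are assumptions for this example; the shortcuts it builds are constructed test inputs, not samples from the campaign.

```python
"""Triage helper for .lnk files whose command-line arguments are padded with
whitespace to hide the real command from the Windows UI.

Added example, not Kaspersky's or the actor's code. build_lnk() only produces
minimal fixtures for exercising the parser and is not a full LNK writer.
"""
import struct
import sys

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
PADDING = " \t\n\x0b\x0c\r"  # whitespace the shortcut properties dialog does not render


def _need(data, pos, n):
    if pos + n > len(data):
        raise ValueError("truncated shell link")


def parse_lnk(data):
    """Parse the ShellLinkHeader, skip LinkTargetIDList/LinkInfo, return StringData fields."""
    _need(data, 0, 76)
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:  # uint16 IDListSize followed by the item ID list
        _need(data, pos, 2)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # uint32 LinkInfoSize counts itself
        _need(data, pos, 4)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, name in STRING_FIELDS:  # CountCharacters (uint16) + string, no terminator
        if not flags & bit:
            continue
        _need(data, pos, 2)
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        _need(data, pos, count * width)
        raw = data[pos:pos + count * width]
        pos += count * width
        out[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return out


def longest_pad_run(s):
    """Length of the longest run of padding characters in s."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch in PADDING else 0
        best = max(best, cur)
    return best


def assess(record, threshold=16):
    """Flag an arguments field with a long whitespace run; report what a user would see."""
    args = record.get("arguments", "")
    run = longest_pad_run(args)
    return {"suspicious": run >= threshold, "pad_run": run,
            "visible": args.strip(PADDING), "arg_len": len(args)}


def build_lnk(arguments, relative_path=None, id_list=None, unicode=True):
    """Fixture builder (assumption for this example): header + optional IDList + StringData."""
    flags = HAS_ARGS | (IS_UNICODE if unicode else 0)
    flags |= HAS_REL_PATH if relative_path else 0
    flags |= HAS_ID_LIST if id_list is not None else 0
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)

    def sd(s):
        return struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))

    body = b""
    if id_list is not None:
        body += struct.pack("<H", len(id_list)) + id_list
    if relative_path:
        body += sd(relative_path)
    return header + body + sd(arguments)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(parse_lnk(fh.read())))
```

    Run it against a directory of quarantined shortcuts (`python lnk_triage.py *.lnk`); anything with a `pad_run` in the hundreds deserves a look at `visible`, which is the command the user never saw. The parser deliberately stops after StringData, so ExtraData blocks are ignored and a malformed size field raises rather than reading past the buffer.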

    Kaspersky also found evidence that the first-stage loaders and stagers were likely generated with help from artificial intelligence (AI) tools, given the redundant comments and code blocks in the samples. That points to cheap and fast tooling development rather than sophistication, and it argues for detections keyed on the chain's behaviour (archive-delivered dropper, VBScript, scheduled task, GitHub download) rather than on code-level signatures that a regenerated loader would not match.

    The ties to Eagle Werewolf also rest on overlaps between AquilaRAT and BusySnake Stealer: both receive tasks from the C2 server in the same manner, register persistence via scheduled tasks, and use similar endpoints for C2 communications. Overlaps of this kind are consistent with shared tooling or developers, though Kaspersky frames the link as a possible overlap rather than a confirmed attribution; for defenders, the practical consequence is that detections written for one family's tasking and persistence pattern are likely to catch the other.

    Across these chains the objective is consistent: establish persistent access, steal credentials and sensitive data, and deliver modules tailored to the victim's profile, with obfuscation and modularity serving to defeat dynamic analysis along the way.

    Furthermore, the BusySnake Stealer implements multiple evasion techniques to complicate static analysis and sidestep detection. Its primary goal is to establish communication with a C2 server and then await incoming instructions. It also supports the following functionality:

    * Steal data from the system clipboard
    * Enumerate files across the system and log their metadata in a local database
    * Upload user documents to the C2 server
    * Capture screenshots and stage them in a local directory
    * Archive captured screenshots and remove previously created archives from the disk
    * Prevent multiple instances of the stealer from running concurrently on the infected host
    * Ensure persistence by checking if the scheduled task exists, and if not, drop a VBScript to register a new scheduled task
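    The dropper chain described earlier and the stealer's own persistence check come down to the same observable sequence on the endpoint: an executable run from an archive extraction directory, a script host executing a .vbs from a user-writable path, and schtasks registering a task whose action is that script host. The Python below is an added example (not Kaspersky's detection content or the actor's code) that runs that correlation over constructed Sysmon-style process-creation events. The field names, the WinRAR `Rar$` temp-directory prefix, the 900-second window, and the sample hosts and paths are assumptions for the example.

```python
"""Detection logic for the dropper -> VBScript -> scheduled-task chain.

Added example, not Kaspersky's or the actor's code. The events below are
constructed Sysmon Event ID 1-style records; field names, the Rar$ temp
directory prefix and the correlation window are assumptions for the example.
"""
import re

# Constructed sample telemetry: one infection chain on WS01 plus benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4100, "ppid": 1200, "ts": 100,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS01", "pid": 4312, "ppid": 4100, "ts": 101,  # dropper run from the RAR temp dir
     "image": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa4312.911\Notice_2026.exe",
     "cmdline": r'"C:\Users\ivan\AppData\Local\Temp\Rar$EXa4312.911\Notice_2026.exe"'},
    {"host": "WS01", "pid": 4320, "ppid": 4312, "ts": 102,  # dropped VBScript
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ivan\AppData\Local\Temp\run.vbs"'},
    {"host": "WS01", "pid": 4330, "ppid": 4320, "ts": 103,  # persistence via scheduled task
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "SystemUpdateCheck" /tr "wscript.exe C:\Users\ivan\AppData\Roaming\run.vbs" /sc minute /mo 10 /f'},
    {"host": "WS01", "pid": 5000, "ppid": 4100, "ts": 104,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "WS02", "pid": 700, "ppid": 600, "ts": 105,  # vendor script outside user-writable paths
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maint.vbs"'},
]

USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.I)
ARCHIVE_TEMP = re.compile(r"\\Temp\\Rar\$", re.I)  # WinRAR extraction dir prefix (assumption)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.vbs)', re.I)
TASK_ACTION = re.compile(r'/create\b.*?/tr\s+"?([^"]+)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tag_event(ev):
    """Per-event rules; each emits a tag that the correlation step combines."""
    tags = []
    image, cmd = ev["image"], ev["cmdline"]
    if basename(image).endswith(".exe") and ARCHIVE_TEMP.search(image):
        tags.append("exec_from_archive_temp")
    if basename(image) in SCRIPT_HOSTS:
        m = VBS_PATH.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            tags.append("script_host_user_writable_vbs")
    if basename(image) == "schtasks.exe":
        m = TASK_ACTION.search(cmd)
        parts = m.group(1).split() if m else []
        if parts and (basename(parts[0]) in SCRIPT_HOSTS or USER_WRITABLE.search(m.group(1))):
            tags.append("schtasks_create_script_action")
    return tags


def ancestry(ev, by_key):
    """Follow ppid links on the same host. Assumes pids are unique in the sample;
    real telemetry needs a start-time check to survive pid reuse."""
    chain, seen, cur = [ev], {(ev["host"], ev["pid"])}, ev
    while (cur["host"], cur["ppid"]) in by_key and (cur["host"], cur["ppid"]) not in seen:
        cur = by_key[(cur["host"], cur["ppid"])]
        seen.add((cur["host"], cur["pid"]))
        chain.append(cur)
    return chain


def detect(events, window=900):
    """Alert on scheduled-task creation whose recent ancestry shows the dropper chain."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for ev in events:
        if "schtasks_create_script_action" not in tag_event(ev):
            continue
        recent = [e for e in ancestry(ev, by_key) if ev["ts"] - e["ts"] <= window]
        seen_tags = {t for e in recent for t in tag_event(e)}
        full_chain = {"exec_from_archive_temp", "script_host_user_writable_vbs"} <= seen_tags
        alerts.append({"host": ev["host"], "pid": ev["pid"],
                       "severity": "high" if full_chain else "medium",
                       "tags": sorted(seen_tags),
                       "chain": [basename(e["image"]) for e in reversed(recent)]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    The schtasks rule alone is noisy on a fleet (installers register tasks with script actions too), which is why it only produces a medium alert on its own and is raised to high when the parent chain shows the archive-temp dropper and the user-writable VBScript within the window. The stealer's re-registration behaviour from the list above produces the same wscript -> schtasks pair, so the rule keeps firing after the initial dropper has cleaned up.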

    The commands issued by the C2 server allow it to take screenshots at a designated interval, log keystroke data, gather cryptocurrency wallet files with a JSON extension, collect Telegram session and credential data, establish a reverse SSH tunnel using Go2Tunnel, install RustDesk, and extract cookies from Mozilla Firefox and Chromium-based browsers, along with passwords.

    If RustDesk is already installed on the machine, the stealer starts the open-source remote desktop software and the victim is prompted to enter their credentials, after which the stealer grabs a screenshot of the credentials and exfiltrates it to the C2 server. Note the overlap in capability: the C2 can install RustDesk for interactive remote access or open a reverse SSH tunnel with Go2Tunnel, so outbound RustDesk and SSH connections from hosts that have no business using them are worth hunting for alongside the scheduled-task persistence.

    In summary, Armored Likho combines commodity-style infostealing with espionage against government and energy targets in Russia, Brazil, and Kazakhstan, delivered through spear-phishing and LNK exploitation and backed by a modular, partly AI-assisted toolkit. Defenders in those sectors should watch for the chain described here: RAR-delivered droppers, VBScript-registered scheduled tasks, GitHub-hosted payloads, and unexpected RustDesk or SSH tunnel activity.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Armored-Likho-The-Sophisticated-Threat-Actor-Targeting-Government-Agencies-and-Power-Sectors-ehn.shtml

  • https://thehackernews.com/2026/07/armored-likho-targets-government.html


  • Published: Fri Jul 3 09:03:37 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
