Armored Likho APT Uses AI-Generated Loaders to Deploy BusySnake Stealer Against Government Targets

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Armored Likho has launched a phishing campaign that uses AI-generated loaders to deploy the newly identified BusySnake Stealer.

The operation has targeted government agencies and electrical power organizations, putting sensitive public-sector data and essential services at risk.

Confirmed victims span Russia, Brazil, and Kazakhstan, showing the campaign’s reach extends across several regions.

The attackers rely on spear-phishing emails that imitate official government notices, humanitarian aid requests, and social programs. These emails carry archive attachments containing malicious executables or Windows shortcut files.

Once opened, the attachments begin a staged infection chain while presenting decoy content intended to keep the victim from noticing the compromise.

Securelist said in a report shared with Cyber Security News (CSN). Analysts noted that Armored Likho, also known as Eagle Werewolf based on circumstantial evidence, combines financially motivated activity with cyber-espionage operations aimed at organizations.

The group has continued refining its tools to make analysis and detection harder.

Payload repository example (Source – Securelist)

The campaign matters because BusySnake can steal browser credentials, cookies, clipboard data, local documents, screenshots, cryptocurrency-related data, and Telegram session files.

It can also accept commands from its operators, creating a serious risk of long-term surveillance and data theft after an initial phishing email succeeds.

Armored Likho APT Uses AI-Generated Loaders

In one infection path, a victim opens an archive containing a file disguised as a psychological test. The executable launches a fake survey, then injects malicious code into another process and retrieves additional payloads from online repositories.

The downloaded files are unpacked into the user’s AppData directory, where the attack continues quietly.

Persistence script (Source – Securelist)

A second path uses a malicious LNK shortcut that hides its command-line activity through spaces and line breaks.

The shortcut launches an obfuscated command and PowerShell process to download a loader, Python components, and the BusySnake payload. A decoy document may open during this step, making the activity appear legitimate to the user.

Researchers found unusually verbose comments and bullet-point emojis in the loaders’ source code, features that are uncommon in malware written entirely by human developers.

This suggests the actors used large language models to generate first-stage tools, helping them vary their delivery code and make attribution more difficult.

BusySnake is protected with code obfuscation and encryption that only decrypts functions when needed. It runs without opening a visible console window and uses scheduled tasks to remain active.

In newer samples, the malware creates scheduled tasks through Windows component interfaces instead of directly calling standard task commands, a change intended to reduce detection.

Data Theft and Defensive Focus

After execution, BusySnake inventories files, watches the clipboard, searches for long hexadecimal keys, and collects documents from Desktop, Documents, and Downloads folders.

Decoy documents (Source – Securelist)

It skips some system files and large files, likely to limit noise and speed up collection. Stolen data is sent to the attackers’ command-and-control infrastructure.

The stealer can also decrypt saved passwords from Chromium-based browsers and Firefox profiles, extract browser cookies, capture screenshots, and monitor for one-time password secrets.

Its remote-control features include reverse SSH tunneling, which can give operators a route back into a compromised system even after the initial theft activity.

Organizations should treat unexpected archives, executable attachments, and LNK files as high-risk, particularly when they use government or humanitarian themes.

Security teams should monitor for suspicious PowerShell execution, rundll32 activity, new scheduled tasks, and unusual downloads of Python components. Users should verify unexpected requests through a separate trusted channel before opening attachments.

Indicators of compromise (IoCs):-

Type Indicator Description
SHA-256 25D5C3E483C5E544260CE98FC29FBF1927141917CBA2EEE2B4D31107FACCF3A39 Reported malicious first-stage artifact 
SHA-256 F5C6434EE5F7578FAA3BC1257E1C9226C019797A00FD56EDB1F468AC0A598510 Reported malicious first-stage artifact 
SHA-256 0EC7A8E61EFF3F445A7455B3AEF9FBBF5C6434EE5F7578FAA3BC1257E1C9226 Reported malicious first-stage artifact 
SHA-256 7DB9C688C620E54E8C69B7E52A7579FB90378881856ABFA47D7745C0A3EF9DC8 Reported malicious first-stage artifact 
SHA-256 1DBA3E505491A260A44C867902C3296E1096268FA2B3D454C86CF851CB782319 Reported malicious first-stage artifact 
SHA-256 F2AB09D7E7A375A192508A5014AA2EE40041FD1B2358CD08DBCBC28EA8FC3D20 Reported malicious first-stage artifact 
SHA-256 894332174F536C2E1EFEDA05CBA79F8B78135F72AB148A0CC074F6B2DD51FFF6 Reported malicious first-stage artifact 
SHA-256 07213C419489C02791E8D67B91E404EF393B498F2114CABC0B29D5FCD9DC6723 Reported malicious first-stage artifact 
SHA-256 CF74AC018D158EA2C2CFA1B1D71D95BC2DFA1D949872C1B2F04952DD3E5F5D8F Reported malicious first-stage artifact 
SHA-256 C7622A1EFFA27BBFEE6D6E03D647434380B7700053E115D65365CE7330383320 Reported malicious first-stage artifact 
SHA-256 6B45DDB39A6E86229348DCBBA3857E7C006887732CA4A4A46A97989CF4DEEEF6 Reported malicious first-stage artifact 
SHA-256 73C31ACF971A81C7E51B2A3DAE82020DDFF82A115558584BBD7741D4FFB35B48 Reported malicious first-stage artifact 
SHA-256 188B2F347B77D65D08CFB23808AC244E2550CFAD9DCC880BF04F6048F90868C Reported malicious first-stage artifact 
SHA-256 FD2BDD8047ADDEE6FDE2F532DE181BFD Reported malicious artifact hash as listed in source material 
Domain winupdate.live Reported command-and-control infrastructure 
Domain arvax.xyz Reported command-and-control infrastructure 
Domain varenie.live Reported command-and-control infrastructure 
Domain lvl99.store Reported command-and-control infrastructure 
Domain onetoken.ink Reported command-and-control infrastructure 
Domain winupdate.ink Reported command-and-control infrastructure 
Domain grked.online Reported command-and-control and tunneling infrastructure 
Domain ndrt.ink Reported command-and-control infrastructure 
Domain myboard.chickenkiller.com Reported command-and-control infrastructure 
Domain myboard.twilightparadox.com Reported command-and-control infrastructure 
IP address 159.198.41.140 Reported command-and-control server 
IP address 159.198.75.219 Reported command-and-control infrastructure 
IP address 159.198.32.222 Reported reverse SSH tunnel infrastructure 
IP address 69.67.173.153 Reported command-and-control infrastructure 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.