hacker-news · Crawled Jul 5, 2026

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer


AI Summary

A threat actor known as Armored Likho is conducting cyber espionage and financially motivated attacks against government agencies and the power sector in Russia, Brazil, and Kazakhstan. The group uses a mix of modular RATs, infostealers, and tools like Go2Tunnel for remote access and data exfiltration. A new Python-based infostealer, BusySnake Stealer, has been identified, which steals credentials, cookies, screenshots, and documents while evading detection through obfuscation and dynamic code execution. The attacks begin with spear-phishing emails delivering malicious payloads via RAR archives or weaponized LNK files exploiting CVE-2025-9491.

AI-extracted · verify before operational use

Indicators of Compromise 5 extracted

Type        Value
Filename    Starlink_activation_checklist.exe
GitHub Repo AquilaRAT
Filename    decoy_document.lnk
Filename    loader.ps1
Filename    persistence.vbs