BusySnake campaign widens cyber risk

A newly identified cyber-espionage group has targeted government agencies and electricity-sector organisations in Russia, Brazil and Kazakhstan, using phishing emails to deploy a Windows information stealer designed to extract credentials, documents and browser data.

The group, named Armored Likho and provisionally linked to a cluster known as Eagle Werewolf, has emerged as a notable threat because its operations combine espionage against institutions with financially motivated attacks against individuals. Its latest malware, BusySnake Stealer, shows a shift from simpler remote-access tooling towards a modular platform that can maintain persistence, receive instructions from command-and-control servers and adapt its activity to the infected host.

The campaign relies on spear-phishing emails built around official-looking notices, public-service themes and social-programme lures. Victims receive compressed archive files carrying malicious executables or Windows shortcut files. Once opened, the attachments trigger a multi-stage infection chain that hides behind decoy content while preparing the system for credential theft and remote control.


One observed route uses a self-extracting executable built with the Nullsoft Scriptable Install System. The file presents a fake psychological survey to lower suspicion, while the malware writes a legitimate-looking executable to a temporary directory and injects malicious code into its memory. The loader then retrieves additional archives from repositories hosted on GitHub, a method that allows rapid infrastructure rotation and makes blocking more difficult.

Another infection route uses LNK shortcut files to execute obfuscated commands through rundll32.exe and PowerShell. This chain abuses a Windows shortcut-handling weakness tracked as CVE-2025-9491, also known as ZDI-CAN-25373, which Microsoft patched in November 2025. The flaw had been used by several hacking groups before it was formally fixed, highlighting how long-lived exploitation techniques can remain useful in targeted intrusions when patching is uneven.
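The shortcut route described above can be triaged offline from the .lnk file itself. The following is an added example, not code from the original article or from any vendor report: a minimal parser for the Windows shell link format that reads the StringData fields and flags two traits of such a lure, a script or command host such as rundll32.exe as the shortcut target, and a command line hidden behind a long run of whitespace, which is the publicly documented mechanism behind ZDI-CAN-25373. The whitespace threshold, the host list and both sample shortcuts are constructed for illustration and are not indicators from the campaign.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Constructed heuristics for this example, not vendor signatures.
SCRIPT_HOSTS = {"rundll32.exe", "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PADDING_THRESHOLD = 32          # assumed: genuine shortcuts rarely begin arguments with a long blank run
WHITESPACE = " \t\r\n\x0b\x0c"  # the whitespace characters a Properties dialog does not render


def parse_lnk(data: bytes) -> dict:
    """Read LinkFlags and the StringData fields of a .lnk file; IDList and LinkInfo are skipped."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize includes itself
    fields = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]      # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def assess_lnk(data: bytes) -> list:
    """Return human-readable findings for one shortcut; an empty list means nothing stood out."""
    info = parse_lnk(data)
    findings = []
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"shortcut launches a script/command host: {target}")
    args = info.get("arguments", "")
    padding = len(args) - len(args.lstrip(WHITESPACE))
    if padding >= PADDING_THRESHOLD:
        findings.append(f"arguments start with {padding} whitespace characters (UI-hiding padding)")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal constructed .lnk (header + RelativePath + Arguments) to exercise the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three timestamps, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00\x00\x00\x00"


# Constructed samples: a plausible benign shortcut and one shaped like the LNK lure described above
# (placeholder DLL name, not a real payload).
BENIGN_LNK = build_lnk("..\\..\\Program Files\\Example\\app.exe", "--profile default")
SUSPECT_LNK = build_lnk("..\\..\\Windows\\System32\\rundll32.exe",
                        " " * 300 + "placeholder.dll,PlaceholderEntry")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, assess_lnk(blob) or "clean")
```

Run against a directory of quarantined attachments, `assess_lnk` gives a triage list before anything is opened; the parser deliberately stops at StringData, so a shortcut whose command line lives only in an ExtraData block would need the remaining structures parsed as well.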

BusySnake is written in Python and packaged to run on Windows systems without drawing obvious attention. It communicates with a command server, awaits tasking, and uses multiple evasion techniques, including bytecode decryption only when a function is called. That approach complicates static analysis and reduces the likelihood that defenders will immediately see the full purpose of the code.

The malware’s capabilities include stealing clipboard data, listing files and recording metadata in a local database, uploading user documents, taking screenshots, archiving captured images and checking whether another instance is already running. It can also gather browser passwords and cookies from Firefox and Chromium-based browsers, collect Telegram session data, search for cryptocurrency wallet files, log keystrokes and support reverse SSH tunnelling.

Persistence is achieved through Visual Basic Script files and scheduled tasks that mimic legitimate Windows activity. The task name WindowsHelper is used to restart the malware at regular intervals, in some cases every five minutes. Earlier tools linked to the same activity used similar persistence logic, including scheduled tasks masquerading as Microsoft Office updates.
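Scheduled-task persistence of the kind described above leaves a readable record: Windows stores each task definition as an XML file under C:\Windows\System32\Tasks. The following added example (not code from the article or from any vendor) parses such XML and flags three traits, a task name the article associates with this activity, a short repetition interval, and an action that launches a script host or a .vbs file. Both task definitions are constructed samples, and the ten-minute threshold and the script-host list are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Task name named in the article; extend from your own intelligence as needed.
KNOWN_TASK_NAMES = {"windowshelper"}
# Constructed heuristics for this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
SHORT_INTERVAL_SECONDS = 10 * 60   # assumed: repetition at ten minutes or faster is unusual for user tasks


def iso_duration_seconds(value: str) -> int:
    """Convert the ISO 8601 durations used in task XML (e.g. PT5M, PT1H, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task_xml(xml_text: str) -> list:
    """Return findings for one scheduled-task definition; an empty list means nothing stood out."""
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI") or ""
    if uri.strip("\\").lower() in KNOWN_TASK_NAMES:
        findings.append(f"task name {uri!r} matches a name reported with this activity")

    # Every Exec action: look at the binary being launched and at the arguments.
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        cmd = (exec_node.findtext(f"{TASK_NS}Command") or "").strip().strip('"')
        args = exec_node.findtext(f"{TASK_NS}Arguments") or ""
        host = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if host in SCRIPT_HOSTS or ".vbs" in args.lower():
            findings.append(f"task {uri!r} runs {host} with arguments {args.strip()!r}")

    # Fastest repetition across all triggers (Repetition/Interval elements).
    fastest = None
    for interval in root.iter(f"{TASK_NS}Interval"):
        secs = iso_duration_seconds(interval.text or "")
        fastest = secs if fastest is None else min(fastest, secs)
    if fastest is not None and fastest <= SHORT_INTERVAL_SECONDS:
        findings.append(f"task {uri!r} repeats every {fastest} seconds")
    return findings


# Constructed sample shaped like the persistence described above (placeholder script path).
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsHelper</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B "C:\Users\Public\placeholder.vbs"</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a nightly job running a normal executable.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleBackup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Example\backup.exe</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, assess_task_xml(xml_text) or "clean")
```

Real task files on disk are UTF-16 with an XML declaration; read them in binary mode and pass the bytes to `ET.fromstring` so the parser honours the declared encoding. The name match is the weakest of the three checks, since an operator can rename a task at will; the interval and script-host checks survive a rename.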


The campaign also shows a tactical move toward embedding functions that had previously appeared as standalone utilities. Go2Tunnel, a tool used to create reverse SSH tunnels, appears to have influenced or been folded into BusySnake’s built-in tunnelling functions. This reduces the number of separate components attackers need to deploy and may help them keep long-term access to compromised environments.

Armored Likho’s overlap with Eagle Werewolf is based on infrastructure, tooling and operational similarities rather than definitive attribution. Eagle Werewolf has been tracked since 2023 and has targeted government and defence organisations, including entities connected with unmanned aerial vehicle development and production. Earlier activity involved the use of AquilaRAT, Rust-based droppers and compromised Telegram channels to distribute malware.

The group’s dual focus makes it harder to classify as purely criminal or state-aligned. Its campaigns against private individuals indicate an interest in theft and monetisation, while its targeting of government bodies and power-sector organisations points to intelligence collection and potential operational mapping of critical infrastructure.

The power sector remains a high-value target because stolen credentials, internal documents and remote-access footholds can support follow-on operations. Even when an intrusion begins as data theft, access to energy networks can provide intelligence on maintenance cycles, vendors, authentication practices and operational dependencies. Such information may later be used for disruption, extortion or broader espionage.

The use of GitHub-hosted payloads, obfuscated PowerShell, shortcut-file abuse and open-source remote-access utilities reflects a broader trend in targeted cyber operations. Attackers increasingly mix custom malware with legitimate platforms and common administration tools, making malicious activity harder to separate from normal network behaviour.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

