Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
NSA Warns of Russian Hacking Exploiting Cisco Smart Install Vulnerability
July 13, 2026
Active Directory Accounts Enumerated via PowerShell Script
July 13, 2026
Debian 13 Trixie Released With Security Updates
July 13, 2026
Home/CyberSecurity News/Armored Likho APT deploys BusySnake stealer with AI-generated loaders
CyberSecurity News

Armored Likho APT deploys BusySnake stealer with AI-generated loaders

Key Takeaways The Armored Likho APT group is actively deploying the new BusySnake stealer via spear-phishing campaigns. The attacks primarily target government entities and critical electrical power...

Marcus Rodriguez
Marcus Rodriguez
July 13, 2026 3 Min Read
5 0

Key Takeaways

  • The Armored Likho APT group is actively deploying the new BusySnake stealer via spear-phishing campaigns.
  • The attacks primarily target government entities and critical electrical power organizations in Russia, Brazil, and Kazakhstan.
  • A notable characteristic of this campaign is the use of AI-generated loaders, which introduce novel obfuscation techniques and hinder attribution.
  • BusySnake is a potent information stealer capable of exfiltrating sensitive data, including browser credentials, cookies, local documents, cryptocurrency data, and Telegram session files.
  • The stealer also establishes persistent access and remote control capabilities, posing a significant long-term threat.

Armored Likho APT Leverages AI-Generated Loaders in BusySnake Stealer Campaign

The advanced persistent threat (APT) group known as Armored Likho has initiated a sophisticated phishing campaign utilizing artificial intelligence-generated loaders to distribute a newly identified malware, the BusySnake Stealer. This operation specifically targets government agencies and critical electrical power infrastructure, raising concerns about the compromise of sensitive public sector data and essential services.

Table Of Content

  • Key Takeaways
  • Armored Likho APT Leverages AI-Generated Loaders in BusySnake Stealer Campaign
  • Infection Vector and AI-Generated Loaders
  • BusySnake Stealer Capabilities
  • Data Exfiltration and Remote Control

Confirmed victims of this widespread campaign have been identified across Russia, Brazil, and Kazakhstan, underscoring the broad geographical reach of Armored Likho’s activities. Securelist said in a report that the group, also referred to as Eagle Werewolf due to overlapping circumstantial evidence, demonstrates a dual motivation, engaging in both financially driven cybercrime and state-sponsored cyber-espionage operations.

Researchers note that Armored Likho consistently refines its malicious toolkit to evade detection and complicate analysis efforts.

Infection Vector and AI-Generated Loaders

The attack chain commences with spear-phishing emails designed to mimic legitimate communications, such as official government announcements, humanitarian aid requests, or social program notifications. These deceptive emails contain archive attachments that, when opened, unleash malicious executables or Windows shortcut files.

Upon execution, the attachments initiate a multi-stage infection process. Simultaneously, decoy content is displayed to the victim, creating a facade of legitimate activity to mask the underlying compromise. In one observed infection path, an archive file masquerading as a psychological test launches a fake survey. This executable then injects malicious code into another process and fetches additional payloads from remote repositories. These downloaded files are subsequently unpacked into the user’s AppData directory, where the attack progresses stealthily.

A second infection method utilizes a malicious LNK shortcut file that employs spaces and line breaks to obscure its command-line operations. This shortcut initiates an obfuscated command and a PowerShell process to download a loader, necessary Python components, and the BusySnake payload. During this phase, a decoy document may appear, further convincing the user of legitimate activity. According to the report, the initial loaders exhibit unusual characteristics, including highly verbose comments and bullet-point emojis within their source code. These traits are atypical of malware solely developed by human programmers, suggesting that the threat actors leveraged large language models (LLMs) to generate these first-stage tools. This approach likely aids them in diversifying their delivery mechanisms and complicating efforts to attribute the attacks.

BusySnake Stealer Capabilities

BusySnake is a formidable information stealer, equipped with code obfuscation and encryption, only decrypting its functions on demand. It operates silently in the background, without opening a visible console window, and establishes persistence through scheduled tasks. Newer versions of the malware employ Windows component interfaces to create scheduled tasks, rather than direct calls to standard task commands, a tactic designed to further reduce detectability.

Data Exfiltration and Remote Control

Upon successful execution, BusySnake systematically inventories files, monitors clipboard data, searches for long hexadecimal keys (likely cryptocurrency wallet addresses), and collects documents from common user directories such as Desktop, Documents, and Downloads. To minimize network noise and expedite data collection, the malware intelligently bypasses certain system files and large files. The stolen data is then exfiltrated to the attackers’ command-and-control (C2) infrastructure.

Beyond basic data theft, BusySnake possesses advanced capabilities. It can decrypt saved passwords from Chromium-based browsers and Firefox profiles, extract browser cookies, capture screenshots, and monitor for one-time password (OTP) secrets. Its remote-control functionalities are particularly concerning, including reverse SSH tunneling, which provides the attackers with a persistent pathway back into compromised systems, even after the initial data exfiltration has occurred. <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/a7828df3-6948-41e6-98da-3e8fec58a7d3/Armored-Likho-APT-Uses-AI-Generated-Loaders-to-Deploy-BusySnake-Stealer-Against-Government-Targets.pdf?AWSAccessKeyId=ASIA2F3EMEYEVEMAHDF7&Signature=ywVve1DjPFmLWvAm2u6yY%2F5peX4%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEDEaCXVzLWVhc3QtMSJHMEUCIQC6sI6KmVkFbJF3g23Gv9Sl27kKBEv4gd%2FM7oX6byMhcQIgY34hbSCXmfexwIgY34hbSCXmfexwADM1PwC8lZcAn8xzWn8ZiFadFJHxh4q%2FAQI%2Bv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDO7NEQXE1loZxt3roirQBGvAHi%2Bzn%2Bo0CgJE1EgT9APUmZnZiYONk3BFrv0xbfqq6kKeSuvgzDNybQoQ6%2FOidvS8otr2SVN42BiXU85zmN69Lli5Q0fZXIQIcpJg13SCu8abUb0N7jCYnlqBJwkgjRaUPvjxz2OX%2FUVKI24GlsDTajeriGihdTWNl2G0fbcw7gyygNKmvdVmRfmvfju9I43Jmvnv3PioB1uEQi5CNa5QntbHuPBOXMd5vmLts80DP%2FLmjRrHd9WuwxUgYa3tgPCZFFqutzfhhOu07zSCTDA2UWpSJxgon3ncl58q2LICNIPy9thVlmjKVBtOvxa3BFADKP1gVfTilesoBjC%2BgHXaxpP%2FY4rHmytF2eH3n9SwMrV0ls2MA3oD62MQa267yaQKbb3jdZ5wP8V%2B3WMPhQ%2FT6iOcm8sxnXB2kKA6y7d7lkFk4vk7SOGjJ3dNEKucKOGFRaMIKQsijhMGbdVabjYXBivm3sEcpLhbkcCQ9kAZ2ani5nrnnSuJoyZiNbyCntkuZKT2SZsFXzcTQ4vnlyprb%2F91UQ6yM8%2FOsLxiLrJUP56xhNwZpAtn9CfyFW4%2

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarephishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

VEXAIoT Multi-Agent System Automates IoT Reconnaissance and Exploit Execution

Next Post

Critical WordPress Plugin Bug Lets Attackers Control Websites

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Worm Could Regenerate Exploits, Adapt to Defenses in Real Time
July 13, 2026
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Armored Likho APT deploys BusySnake stealer with AI-generated loaders
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us