Full Report
An inside look at the active Armored Likho APT campaign. The attackers are using spear-phishing, AI-generated loaders, and a new Python-based tool, BusySnake Stealer, to target organizations in Russia, Kazakhstan, and Brazil.
Analysis Summary
# Threat Actor: Armored Likho
## Attribution & Identity
* **Name:** Armored Likho (also known as Likho).
* **Aliases:** Internal tracking by various vendors sometimes associates similar activity with generic Russian-speaking threat groups.
* **Identification:** A cyberespionage group primarily focused on Russian and CIS-related interests, characterized by their use of legitimate cloud services for Command and Control (C2).
## Activity Summary
The group is currently engaged in an active campaign utilizing spear-phishing as the primary entry vector. Recent operations involve the use of advanced, AI-generated loaders designed to bypass traditional detection, culminating in the deployment of a custom Python-based information stealer dubbed "BusySnake."
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails containing malicious attachments or links to archives (T1566.001).
* **Execution:** Use of AI-generated loaders (likely utilizing Large Language Models to write unique code) to execute the next stage of the attack while evading signature-based scanners.
* **Evasion:** Heavy reliance on "living-off-the-cloud" techniques, utilizing legitimate services to blend in with normal network traffic.
* **Persistence:** Use of scheduled tasks or registry run keys to ensure malware execution across reboots (T1053.005).
* **Data Collection:** Deployment of BusySnake Stealer to harvest credentials, system metadata, and files.
## Targeting
* **Sectors:** Government, military, and industrial organizations.
* **Geography:** Primarily Russia, Kazakhstan, and Brazil.
* **Victims:** While specific organizations are not named in the brief, the campaign targets entities with high-value geopolitical or industrial intelligence.
## Tools & Infrastructure
* **Malware:**
* **BusySnake Stealer:** A newly identified Python-based tool designed for data exfiltration and info-stealing.
* **AI-Generated Loaders:** Custom-coded shells used to drop the final payload.
* **Infrastructure:**
* **C2:** Extensive use of legitimate cloud platforms (e.g., Yandex Disk, Dropbox, or Telegram) for command-and-control communication to bypass firewall restrictions.
* **Note:** All malicious URLs/IPs associated with this campaign should be treated as [.] (e.g., `attacker-domain[.]com`).
## Implications
Armored Likho represents a significant localized threat within the CIS region and increasingly abroad (Brazil). Their shift toward AI-generated code suggests an evolution in their development cycle, allowing them to create bespoke, low-detection malware variants rapidly. The use of legitimate cloud infrastructure makes historical IP-based blocking less effective.
## Mitigations
* **Phishing Defense:** Implement advanced email filtering that inspects archive attachments and sandboxes suspicious links.
* **Endpoint Monitoring:** Monitor for suspicious Python executions and unauthorized scheduled tasks on workstations.
* **Cloud Service Auditing:** Restrict or monitor traffic to public cloud storage services from sensitive internal segments.
* **Behavioral Analysis:** Deploy EDR solutions capable of identifying "living-off-the-land" and "living-off-the-cloud" patterns rather than relying purely on file signatures.