Full Report
A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. "Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations," Kaspersky said in a technical analysis published today. "
Analysis Summary
# Threat Actor: Armored Likho
## Attribution & Identity
* **Name/Alias:** Armored Likho
* **Associated Groups:** Potential overlap with a threat cluster tracked as **Eagle Werewolf** (by BI.ZONE).
* **Identification:** Attributed by Kaspersky. The actor blends financially motivated cybercrime with nation-state level cyber espionage.
## Activity Summary
Armored Likho has been active since at least May 2023 (as Eagle Werewolf). Recent 2026 operations involve targeting government and energy sectors using a hybrid approach of credential theft and persistent espionage. Notable recent campaigns involved compromising Telegram channels to distribute malware and exploiting Windows vulnerabilities to deploy custom Python-based stealers.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails containing RAR archives; compromise of trusted social media channels (e.g., drone-focused Telegram channels).
* **Exploitation:** Weaponization of **CVE-2025-9491** (Windows LNK remote code execution flaw) to trigger PowerShell commands.
* **Persistence:** Use of VBScript files and Scheduled Tasks to ensure malware remains after reboot.
* **Evasion:** Obfuscated and modular payloads designed to bypass dynamic analysis; use of VBScript to erase traces of initial execution.
* **Command & Control:** Reverse SSH tunnels; hosting payloads on GitHub repositories.
* **Lateral Movement/Tunneling:** Network tunneling via Go2Tunnel.
* **Exfiltration:** Harvesting system clipboard, screen captures, file metadata, and web browser cookies.
* **MITRE ATT&CK IDs:**
* T1566 (Phishing)
* T1204.001 (User Execution: Malicious Link)
* T1059.001 (Command and Scripting Interpreter: PowerShell)
* T1053.005 (Scheduled Task/Job: Scheduled Task)
* T1572 (Protocol Tunneling)
* T1113 (Screen Capture)
## Targeting
* **Sectors:** Government agencies, Electric Power sector, Defense organizations, UAV (Unmanned Aerial Vehicle) development and manufacturing.
* **Geography:** Russia, Brazil, and Kazakhstan.
* **Victims:** Private individuals (for financial gain) and specific government/defense organizations (for espionage).
## Tools & Infrastructure
* **Malware Families:**
* **BusySnake Stealer:** A Python-based information stealer.
* **AquilaRAT:** A remote access Trojan.
* **Go2Tunnel:** Tool for establishing SSH tunnels.
* **Infrastructure:**
* **GitHub:** Utilized for fetching additional secondary payloads.
* **Telegram:** Used for malware distribution via compromised channels.
* **C2 Server:** Communications handled via reverse SSH tunnels and private keys.
* **Decoys:** Decoy documents and fake checklists (e.g., Starlink activation guides).
## Implications
Armored Likho represents a dual-threat actor whose capability to pivot between financial gain and targeted espionage suggests a sophisticated operational model. By leveraging reputable platforms like GitHub and Telegram for delivery, and exploiting N-day vulnerabilities like CVE-2025-9491, they demonstrate a high success rate against organizations with lagging patch cycles. Their focus on the power sector and UAV manufacturing indicates an interest in critical infrastructure and emerging defense technologies.
## Mitigations
* **Patch Management:** Immediate remediation of **CVE-2025-9491** and general Windows LNK handling updates.
* **Scripting Policy:** Restrict the execution of VBScript and PowerShell via group policies (AppLocker or Devise Guard) if not required for business operations.
* **Network Monitoring:** Monitor for unusual outbound SSH traffic (Port 22) or unauthorized tunneling tools like Go2Tunnel.
* **Email Security:** Implement advanced scanning to detect RAR archives containing executable binaries or malicious LNK files.
* **Threat Hunting:** Audit Scheduled Tasks for suspicious VBScript executions or references to local "Temp" directories and Python-based binaries.