A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.
“Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations,” Kaspersky said in a technical analysis published today. “Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis.”
The attacks are also characterized by the use of tools like Go2Tunnel for remote access and network tunneling. The wide variety of tools in its arsenal allows the threat actor to maintain persistent access to compromised hosts, steal credentials and sensitive data, and dynamically deliver modules tailored to the victim’s profile.
The Russian cybersecurity vendor said Armored Likho may overlap with a threat cluster tracked by BI.ZONE under the moniker Eagle Werewolf, which has been active since May 2023. That group has a track record of targeting government and defense organizations, specifically those involved in UAV development and manufacturing, using droppers, remote access Trojans (RATs), and utilities for establishing SSH tunnels.
“Threat actors may use compromised Telegram channels to distribute the malware,” BI.ZONE notes in its description of the threat actor. “While the group’s primary motivation is cyber-espionage, campaigns aimed at stealing funds from victims have also been recorded.”
Back in February 2026, Eagle Werewolf was observed compromising a drone-focused Telegram channel to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation. The same attacks used Go2Tunnel to establish a reverse SSH tunnel to a command-and-control (C2) server, authenticating with a private key.
The latest findings show that the threat actor has also employed a previously unreported Python-based information stealer named BusySnake Stealer targeting Windows systems, one version of which includes a module for stealing cookies from web browsers. The exact origins of Armored Likho remain unknown.
The starting point of the attack chain is a spear-phishing email that uses lures related to official government notices or social programs to deliver a RAR archive. The archive contains EXE binaries that act as droppers, retrieving additional payloads, including the stealer, from a GitHub repository.
The dropper malware also creates two Visual Basic Script (VBScript) files that are responsible for erasing traces of the initial execution as well as launching the stealer by means of a scheduled task.
Alternate chains use Windows shortcut (LNK) files instead of EXE payloads, weaponizing a now-patched vulnerability in how Windows handles such files to achieve remote code execution. The flaw, tracked as CVE-2025-9491 (aka ZDI-CAN-25373), was addressed by Microsoft as part of…
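The LNK chain above relies on CVE-2025-9491 (ZDI-CAN-25373), a shortcut UI-misrepresentation flaw in which the command-line arguments are prefixed with a long run of whitespace so that the Windows Properties dialog shows an apparently harmless target. As an added example, and not code from the article, Kaspersky, or BI.ZONE, the Python below parses a shortcut's StringData section (per MS-SHLLINK) and flags that padding. The sample shortcuts are constructed inline, the 32-character threshold is an arbitrary assumption, and the ANSI code page for non-Unicode shortcuts is assumed to be cp1252.

```python
"""Added example: minimal .LNK StringData parser plus a check for
whitespace-padded arguments (the CVE-2025-9491 / ZDI-CAN-25373 trick).
Sample shortcuts are constructed inline; no real samples are used."""
import struct

# ShellLinkHeader LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData entries appear in this fixed order when their flag is set
STRING_DATA_ORDER = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION))
# Whitespace characters used to push the real arguments out of the dialog
PAD_CHARS = " \t\n\x0b\x0c\r"


def _read_string_data(buf, off, is_unicode):
    """Read one StringData entry: 2-byte CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if is_unicode:
        raw = buf[off:off + count * 2]
        return raw.decode("utf-16-le"), off + count * 2
    raw = buf[off:off + count]
    return raw.decode("cp1252", errors="replace"), off + count  # code page assumed


def parse_lnk(buf):
    """Return the StringData fields of a ShellLink; IDList and LinkInfo are skipped."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short to be a ShellLink")
    (header_size,) = struct.unpack_from("<I", buf, 0)
    if header_size != HEADER_SIZE or buf[4:20] != LNK_CLSID:
        raise ValueError("bad ShellLinkHeader")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", buf, off)  # size includes itself
        off += link_info_size
    fields = {}
    for name, bit in STRING_DATA_ORDER:
        if flags & bit:
            fields[name], off = _read_string_data(buf, off, bool(flags & IS_UNICODE))
    return fields


def assess_lnk(buf, pad_threshold=32):
    """Flag a shortcut whose arguments start with a long run of whitespace."""
    fields = parse_lnk(buf)
    args = fields.get("arguments", "")
    visible = args.lstrip(PAD_CHARS)
    leading = len(args) - len(visible)
    return {
        "relative_path": fields.get("relative_path"),
        "leading_whitespace": leading,
        "hidden_arguments": visible.strip(PAD_CHARS),
        "suspicious": leading >= pad_threshold,  # threshold is an assumption
    }


def build_lnk(relative_path, arguments):
    """Constructed test input: a minimal Unicode ShellLink with two StringData fields."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return bytes(header) + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    target = "..\\..\\Windows\\System32\\cmd.exe"
    benign = build_lnk(target, "/c start notepad.exe")
    padded = build_lnk(target, " " * 300 + "/c start notepad.exe")
    for label, sample in (("benign", benign), ("padded", padded)):
        print(label, assess_lnk(sample))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their declared sizes; a production scanner would additionally walk the optional ExtraData blocks and compare the visible target against what Explorer would actually launch.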
