Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Armored Likho APT Threatens Global Government Sectors

Armored Likho APT Threatens Global Government Sectors

Posted on July 6, 2026 By CWS

An emerging advanced persistent threat (APT) group, named Armored Likho, has been identified as targeting both governmental bodies and electric power companies across several nations, according to a report by Kaspersky.

Armored Likho’s Dual-Edged Strategy

Armored Likho is involved in both financial cybercrimes aimed at individuals and espionage activities against organizations in Russia, Brazil, and Kazakhstan. The group employs a versatile toolkit, including modular remote access trojans (RATs) and information stealers such as the Python-based BusySnake Stealer. They also utilize Go2Tunnel for remote access and network tunneling.

Kaspersky highlights that this array of malware allows the threat actor to maintain covert control over infected systems, extract sensitive data, and deploy custom modules suited to the specific target and mission objectives.

Tactics and Techniques

The primary method of initial compromise used by Armored Likho is spear-phishing. They send emails with attached archives containing executables or LNK files. Once these are opened, they distract the user with decoy content while silently installing malware.

This malware includes a loader that, once executed, retrieves archives from GitHub repositories. These repositories contain early-stage development builds and test samples of the malware. The LNK files present a deceptive document while secretly downloading a Python 3.12 interpreter and an archive in the background.

Advanced Malware Capabilities

The archives feature a Python-based infostealer, BusySnake Stealer, which has numerous evasion techniques. It dynamically decrypts bytecode during function calls and encrypts it immediately afterward, all while operating without a visible console window.

BusySnake Stealer is equipped with multiple handlers to manage different functions, including stealing clipboard content, enumerating files, extracting keys, exfiltrating documents, capturing screenshots, checking for persistence, and executing commands. It can also log keystrokes, decrypt stored passwords from browsers, extract browser cookies, search for cryptocurrency wallets, obtain Telegram sessions and credentials, and establish reverse SSH tunnels for persistent access.

Initially, Armored Likho used Go2Tunnel to create reverse SSH tunnels, but this function is now integrated into the BusySnake Stealer, enhancing the attackers’ ability to maintain remote control over affected systems.

Implications and Future Outlook

Armored Likho’s activities show parallels with the Eagle Werewolf group, as both have utilized similar RAT structures and persistence mechanisms. This overlap suggests a possible collaboration or shared origin. The group’s continued evolution and sophisticated tactics pose significant threats to global cybersecurity.

The ongoing development and deployment of such advanced malware highlight the increasing need for robust cybersecurity measures. Organizations worldwide must enhance their defenses to counteract these complex cyber threats effectively.

Security Week News Tags:APT, Armored Likho, BusySnake Stealer, cyber espionage, cyber threat, Cybersecurity, electric power, GitHub, Government, Kaspersky, Malware, Python-based malware, remote access, spear-phishing

Post navigation

Previous Post: Critical Gitea Docker Flaw CVE-2026-20896 Under Attack
Next Post: Microsoft Login Exploit Used in New Phishing Attacks

Related Posts

Unauthorized Mythos Access & CISA Nomination Withdrawal Unauthorized Mythos Access & CISA Nomination Withdrawal Security Week News
F5 Hack: Attack Linked to China, BIG-IP Flaws Patched, Governments Issue Alerts  F5 Hack: Attack Linked to China, BIG-IP Flaws Patched, Governments Issue Alerts  Security Week News
Adobe Patches Nearly 140 Vulnerabilities Adobe Patches Nearly 140 Vulnerabilities Security Week News
Webinar on Securing Vulnerable OT in a Connected World Webinar on Securing Vulnerable OT in a Connected World Security Week News
Oracle’s April 2026 Update Fixes 481 Security Flaws Oracle’s April 2026 Update Fixes 481 Security Flaws Security Week News
Phishing Exploits .arpa TLD in DNS Vulnerabilities Phishing Exploits .arpa TLD in DNS Vulnerabilities Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark