Armored Likho’s BusySnake Stealer Phishing Campaign Targets Government and Power Sectors
What Happened – Kaspersky’s SecureList reports a new spear‑phishing operation run by the previously unknown APT group Armored Likho. The campaign distributes malicious EXE or LNK files inside seemingly innocuous ZIP/RAR archives and delivers the Python‑based BusySnake Stealer, which harvests browser passwords, cookies and opens reverse SSH tunnels for persistent access.
Why It Matters for Compliance & Audit Readiness
- The attack exploits the classic phishing vector, a scenario SOC 2 Control CC6.1 (Security Awareness & Training) is designed to prevent and evidence.
- Credential‑theft modules (password and cookie exfiltration) directly challenge the Access Control criteria (CC6.2) that require documented user‑authentication safeguards and audit logs.
- Continuous monitoring of email gateways and endpoint telemetry provides the defensible audit trail needed to demonstrate “risk‑based” controls during a SOC 2 audit.
Who Is Affected – Government agencies and electric‑utility operators in Russia, Brazil and Kazakhstan (public‑sector & critical‑infrastructure).
Recommended Actions
- Map the phishing entry point to SOC 2 CC6.1 and CC6.2, capture evidence of email‑filtering rules, phishing‑simulation results and training completion records.
- Deploy or tighten multi‑factor authentication for privileged accounts and enforce least‑privilege on browser credential stores.
- Integrate endpoint detection that flags Python‑based infostealers and reverse‑SSH tunnels; retain logs as audit evidence.
Source: Kaspersky SecureList – Armored Likho BusySnake Stealer
Technical Notes – Initial access via spear‑phishing attachments (EXE/LNK) packaged in ZIP/RAR archives; BusySnake is a modular Python infostealer that extracts passwords from Firefox/Chromium, steals cookies, and establishes reverse SSH tunnels via Go2Tunnel. No CVE is involved; the threat relies on social engineering and custom malware obfuscation.