HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Armored Likho’s BusySnake Stealer Phishing Campaign Targets Government and Power Sectors

Kaspersky uncovered a spear‑phishing operation by the APT group Armored Likho that delivers the BusySnake Stealer to harvest passwords and cookies from government and electric‑utility targets. The campaign underscores the need for robust security‑awareness training and SOC 2‑aligned access‑control evidence.

LiveThreat™ Intelligence · 📅 July 03, 2026· 📰 securelist.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
securelist.com

Armored Likho’s BusySnake Stealer Phishing Campaign Targets Government and Power Sectors

What Happened – Kaspersky’s SecureList reports a new spear‑phishing operation run by the previously unknown APT group Armored Likho. The campaign distributes malicious EXE or LNK files inside seemingly innocuous ZIP/RAR archives and delivers the Python‑based BusySnake Stealer, which harvests browser passwords, cookies and opens reverse SSH tunnels for persistent access.

Why It Matters for Compliance & Audit Readiness

  • The attack exploits the classic phishing vector, a scenario SOC 2 Control CC6.1 (Security Awareness & Training) is designed to prevent and evidence.
  • Credential‑theft modules (password and cookie exfiltration) directly challenge the Access Control criteria (CC6.2) that require documented user‑authentication safeguards and audit logs.
  • Continuous monitoring of email gateways and endpoint telemetry provides the defensible audit trail needed to demonstrate “risk‑based” controls during a SOC 2 audit.

Who Is Affected – Government agencies and electric‑utility operators in Russia, Brazil and Kazakhstan (public‑sector & critical‑infrastructure).

Recommended Actions

  • Map the phishing entry point to SOC 2 CC6.1 and CC6.2, capture evidence of email‑filtering rules, phishing‑simulation results and training completion records.
  • Deploy or tighten multi‑factor authentication for privileged accounts and enforce least‑privilege on browser credential stores.
  • Integrate endpoint detection that flags Python‑based infostealers and reverse‑SSH tunnels; retain logs as audit evidence.

Source: Kaspersky SecureList – Armored Likho BusySnake Stealer

Technical Notes – Initial access via spear‑phishing attachments (EXE/LNK) packaged in ZIP/RAR archives; BusySnake is a modular Python infostealer that extracts passwords from Firefox/Chromium, steals cookies, and establishes reverse SSH tunnels via Go2Tunnel. No CVE is involved; the threat relies on social engineering and custom malware obfuscation.

📰 Original Source
https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →