Like i said it would happen before, water filtration systems, and important resources.
A newly identified advanced persistent threat (APT) group has been discovered targeting government bodies and critical infrastructure organizations across several countries, deploying a sophisticated and wide-ranging malware toolset built to harvest login credentials, confidential files, and other valuable information.
Kaspersky researchers, who have named the group "Armored Likho," report that victims identified so far are located in Russia, Brazil, and Kazakhstan. The group's activity spans two distinct tracks: financially driven attacks aimed at individual targets, alongside espionage-focused operations directed at organizations within those same countries.
Inside Armored Likho's Multi-Pronged Campaign
Kaspersky identified the group's primary attack vector as spear-phishing emails designed to look like official government notices or messages related to social welfare programs. These emails carried compressed archive attachments containing either malicious executable files or weaponized Windows shortcut files, camouflaged as innocuous documents — examples included fake psychological assessments, humanitarian aid applications, and debt settlement certificates.
Once triggered, the initial payload opens a decoy file or fake application tailored to whatever lure was used, keeping the victim occupied while the attack quietly moves to its next phase. In one example Kaspersky documented, the malicious archive showed the victim what looked like a genuine psychological survey, while behind the scenes a dropper silently unpacked and ran additional malicious components without triggering any visible alerts.
Kaspersky's analysis also pointed to something notable in the attackers' methods: the coding patterns and comment style found within some of the early-stage loader files suggest the group may be leveraging large language models to help write this code. The firm noted that recent Armored Likho campaigns show an increasing reliance on AI-assisted code generation for these initial payloads, evidenced by repetitive comments and code structures — a shift that appears to be helping the group expand the variety of attack methods it can deploy.
The BusySnake Stealer
Serving as the campaign's ultimate objective, the last-stage payload is a never-before-seen Python infostealer that Kaspersky has labeled "BusySnake Stealer." The vendor's technical review found it equipped to pull a wide variety of sensitive data off compromised machines — everything from stored browser credentials and cookies to clipboard contents, cryptographic keys, authentication tokens, messaging app data, and Telegram session files.
Beyond straightforward theft, BusySnake gives attackers the option to set up reverse SSH tunnels or install remote-access tools, enabling ongoing, hands-on control of infected systems. A built-in command-and-control channel rounds out its capabilities, letting operators send further instructions whenever needed.
What sets BusySnake apart — and makes it particularly concerning — is the layered set of anti-analysis measures built into it. Kaspersky's researchers traced the use of PyArmor Pro, a commercial obfuscation product, to scramble the malware's Python bytecode; the code is only briefly decrypted when a function is actually needed, then re-encrypted immediately afterward.
Additional stealth features identified by Kaspersky include running with no visible console window, a non-standard lock-file system that blocks multiple instances from launching at once, selective targeting of which files get scanned and stolen, and networking capabilities coded directly into the malware rather than pulled from outside libraries. Taken together with the malware's modular design and the existence of multiple iterations, these features make the stealer considerably harder to dissect.
Targeting Critical Infrastructure
Kaspersky summarized the broader significance of the findings, noting that the campaign reflects several trends occurring at once: Armored Likho's growing technical sophistication, the polymorphic nature of its tools, and a move toward increasingly elaborate methods for evading security defenses — from obfuscating Python source code to building networking functions straight into the malware itself.
According to Kaspersky, the group's varied malware arsenal gives attackers the flexibility to customize payloads for individual targets while quietly retaining control over breached systems long enough to extract valuable data.
Armored Likho joins a expanding roster of threat actors — a number of them state-sponsored APT groups — setting their sights on critical infrastructure for purposes ranging from data theft to sabotage and surveillance.
Just last month, DomainTools flagged that groups linked to Iran, Russia, and China were methodically going after water utility systems in nations these governments view as rivals. Separately, Microsoft has previously sounded the alarm on China-linked actors like Volt Typhoon burrowing into US critical infrastructure networks, seemingly positioning themselves for disruptive action down the road should Beijing decide it's warranted.
Amazon's threat intelligence division similarly uncovered, last year, an extended operation by Russia-linked APT groups exploiting misconfigured settings and unpatched flaws in corporate routers, network infrastructure, collaboration software, and cloud-hosted project management tools tied to critical infrastructure operators worldwide.
While Kaspersky stopped short of linking Armored Likho to any particular government, the group's operations appear centered on stealing credentials and establishing durable, interactive footholds within government and critical infrastructure environments. The firm has released indicators of compromise and supporting details to help organizations detect and block the group's activity.