BusySnake Stealer: New Python Malware Powers Armored Likho APT Espionage
A previously undocumented Python-based infostealer dubbed BusySnake is being actively deployed by an emerging advanced persistent threat group tracked as Armored Likho (also known as Eagle Werewolf).
The malware, purpose-built for Windows systems, is engineered to harvest high-value secrets including browser-stored passwords, cookies, Telegram desktop sessions, clipboard contents, screenshots, and cryptocurrency wallet data.
Infections begin with convincing spear-phishing lures disguised as government notices and humanitarian forms, delivered as archives containing either NSIS-built EXE droppers or weaponized LNK shortcuts.
BusySnake Stealer

The EXE variant extracts a legitimate-looking helper binary, injects code to run a loader, then pulls a staged archive from attacker-controlled GitHub repositories.
The LNK variant abuses a documented shortcut-handling flaw to hide execution parameters, launching an obfuscated PowerShell chain to fetch the same loader.
Both vectors deploy an embedded Python 3.12 runtime, PyArmor-protected bytecode, and automated pip installation to prepare the environment for the BusySnake payload.
According to Securelist, BusySnake’s protections stand out. The authors used PyArmor Pro to encrypt bytecode with on-call decryption, meaning functions decrypt only at invocation and immediately re-encrypt afterward, complicating static analysis and sandbox detection.
The stealer runs as a .pyw background process with no console window, avoiding user visibility. It enforces single-instance execution via a non-standard lock-file algorithm, then spawns multiple background handlers for clipboard scraping, file-system inventory, prioritized document exfiltration, screenshot capture, and continuous C2 polling.
BusySnake’s technical capabilities map directly to attacker objectives:
- Password extraction decrypts credentials from Chromium-based browsers via Windows DPAPI and from Firefox using PK11SDR_Decrypt calls
- Cookie collection works through direct database access and, in some versions, a stealthily installed browser extension
- Telegram harvesting locates the APPDATA/Telegram Desktop/tdata store, force-terminates Telegram for file consistency, compresses session files, and exfiltrates them, enabling account takeover without passwords
- Cryptocurrency theft scans files for 64-character hex strings matching private keys and searches for wallet JSON files
- OTP secrets are logged when otpauth:// URIs appear, often via clipboard monitoring
The poll_task function continuously polls the C2 server for new commands, using a simple, persistent protocol where periodic GET requests transmit client identifiers and retrieve function names for execution.

Armored Likho complements BusySnake with auxiliary tools, including Go2Tunnel for tunneling and remote access options such as RustDesk or on-demand reverse SSH proxies. The campaign reflects modern threat trends: polymorphic toolchains, automated loader code generation (with evidence suggesting LLM-assisted obfuscation), and public artifact hosting for the distribution of dynamic payloads.
Targeting patterns point to a threat actor blending financially motivated theft with targeted espionage against government and critical infrastructure, notably the electric power sector across Russia, Brazil, and Kazakhstan.
Mitigation
Defenders should prioritize detecting unusual NSIS installers, anomalous LNK execution chains, staged Python runtimes under %APPDATA% (such as WindowsHelper), and scheduled tasks that run VBScript launchers every 5 minutes.
Incident responders who identify BusySnake indicators should assume full compromise of credentials and sessions: perform password resets with out-of-band reauthentication, revoke Telegram sessions, and inspect endpoints for additional remote-access implants and exfiltration artifacts.
No Comment! Be the first one.