Armored Likho: Kaspersky ties BusySnake stealer to power-sector espionage
Kaspersky attributes a previously undocumented threat actor, Armored Likho, to a campaign hitting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan using the BusySnake stealer.
Kaspersky, on July 3, published a technical analysis attributing a previously undocumented threat actor it names Armored Likho to a campaign against government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. The malware family Kaspersky attaches to the operator is called BusySnake Stealer. Per the writeup as summarized by The Hacker News, the same operator blends financially motivated campaigns against private individuals with targeted cyber espionage aimed at organizations. That last sentence is the frame; the technical detail sits under it.
What was disclosed
- Actor name: Armored Likho. Previously undocumented in public reporting.
- Attribution: Kaspersky, via the Securelist research blog technical writeup summarized in the July 3 Hacker News piece.
- Tooling: BusySnake Stealer as the principal named payload.
- Target set as reported: government agencies and electric power sector organizations in Russia, Brazil, and Kazakhstan; separately, private individuals in what Kaspersky characterizes as financially motivated activity by the same operator.
- Motive as reported: blended — commodity credential/wallet theft against individuals, targeted collection against organizations. Kaspersky does not, in the public summary, disclaim state sponsorship or claim it; treat state-sponsorship framing as unconfirmed until the Securelist writeup is read in full.
No CVE. No named exploit chain. This is a threat-intel piece, not a vulnerability disclosure — no patch to install, no advisory to link, and no exploitation walkthrough to reproduce. What defenders get here is a name and a stealer signature to hunt for, not a mitigation to apply.
The power sector part
The line in the reporting that matters most for this newsroom’s beat is the electric power sector inclusion. Grid operators are not usually named alongside private-individual credential theft in the same operator’s campaign summary. When they are, it means one of two things: either the same crew has a spread portfolio and the utility work is genuinely a separate objective for a different customer, or the utility work is being funded by the volume operation and the two are the same wallet.
Kaspersky’s public wording does not distinguish which. The Securelist detail — access vectors, dwell time, whether the power-sector intrusions reached OT networks or stopped at IT — is the read that changes what any grid defender should do next. Read the primary before internalizing the geography.
The three-country spread — Russia, Brazil, Kazakhstan — is also not a natural set on its face. It is worth flagging without speculating on it: three power grids in three geopolitical postures do not fall into the same threat model by accident, and Kaspersky’s writeup is the place to look for the connective tissue.
What to actually do
If you run a distribution or generation utility, or you’re on a SOC that carries government or utility customers in the named geographies:
- Pull the Securelist post directly and extract the BusySnake indicators — hashes, C2 hosts, phishing lure infrastructure — into your detection stack. A summary is not a hunt file.
- Prioritize inbound-email and browser-download telemetry for the BusySnake delivery patterns Kaspersky documents. Stealer families are noisy on endpoint if the sensors are actually looking; they are silent if only network telemetry is on.
- Assume dual-use tradecraft. If the same operator runs volume credential theft against private individuals for revenue and targeted collection against your organization, the tooling and infrastructure crossover means indicators from the individual-targeting side may light up organization inboxes first. Don’t triage BusySnake alerts on a corporate endpoint as “consumer malware, not our problem.”
- For OT-side operators specifically: treat any authentication anomaly on a corporate identity that has crossover into engineering-workstation access as a ransomware or espionage precursor. The reporting is not specific about whether Armored Likho crossed the IT/OT line — that ambiguity is the reason to treat it as if it might.
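The first, third and fourth items above amount to one small piece of plumbing: turn the published indicator list into a hunt file, run it across every telemetry source that carries the relevant field, and rank hits by asset exposure rather than by the "commodity stealer" label on the family. The script below is an added example written for this piece; it is not Kaspersky's, Securelist's or The Hacker News' code. Every hash, domain and log line in it is a constructed placeholder, the two-column feed format is assumed, and the ENG-* host set standing in for engineering workstations is invented for the demonstration. Real BusySnake indicators come only from the Securelist writeup.

```python
"""Turn a published IOC list into a hunt over endpoint, DNS and proxy telemetry.

Added example, not code from Kaspersky, Securelist or The Hacker News.
All indicators and log lines are constructed placeholders.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IOC feed in an assumed "type value" line format.
# Every value is a PLACEHOLDER; real indicators come from the primary source.
IOC_FEED = """\
# type   value
sha256   deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
sha256   CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE
domain   c2.example.net
domain   lure-docs.example.org
url      https://lure-docs.example.org/q3/report.docx
"""

# Constructed telemetry in key=value form: one EDR file event, DNS and proxy lines.
SAMPLE_LOGS = """\
2026-07-04T08:12:03Z src=edr host=ENG-WS-07 user=jdoe event=file_create sha256=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF path=C:\\Users\\jdoe\\Downloads\\invoice.exe
2026-07-04T08:12:09Z src=dns host=FIN-LT-22 query=lure-docs.example.org rcode=NOERROR
2026-07-04T08:12:10Z src=proxy host=ENG-WS-07 dst=c2.example.net:443 action=allow
2026-07-04T08:13:44Z src=proxy host=FIN-LT-22 url=https://LURE-DOCS.example.org/Q3/Report.docx action=allow
2026-07-04T08:15:00Z src=dns host=FIN-LT-22 query=updates.example.com rcode=NOERROR
"""

# Assumed asset list: hosts with crossover into engineering/OT-adjacent access.
ENGINEERING_HOSTS = {"ENG-WS-07"}

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    host: str
    ioc_type: str
    indicator: str
    source: str      # which telemetry feed produced the line
    crossover: bool  # host sits in the engineering/OT-adjacent set


def load_iocs(feed: str) -> dict[str, set[str]]:
    """Normalize the feed: lowercase hashes, bare lowercase hostnames.

    URL indicators are reduced to their hostname, because that is the field
    DNS and proxy logs actually carry; the full URL rarely survives logging.
    """
    iocs: dict[str, set[str]] = {"sha256": set(), "domain": set()}
    for raw in feed.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        kind, value = parts
        if kind == "sha256":
            iocs["sha256"].add(value.lower())
        elif kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "url":
            iocs["domain"].add((urlparse(value).hostname or "").lower())
    return iocs


def _hostname(value: str) -> str:
    """Extract a comparable hostname from a URL, host:port, or bare name."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.rsplit(":", 1)[0].lower().rstrip(".")  # strips a trailing :port


def hunt(logs: str, iocs: dict[str, set[str]]) -> list[Hit]:
    """Match every line against hash and hostname indicators, whatever its source."""
    hits: list[Hit] = []
    for line in logs.splitlines():
        fields = dict(KV.findall(line))
        host = fields.get("host", "?")
        source = fields.get("src", "?")
        crossover = host in ENGINEERING_HOSTS
        digest = fields.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append(Hit(host, "sha256", digest, source, crossover))
        for key in ("dst", "query", "url"):  # proxy dest, DNS query, proxy URL
            if key in fields:
                name = _hostname(fields[key])
                if name in iocs["domain"]:
                    hits.append(Hit(host, "domain", name, source, crossover))
    return hits


def triage(hits: list[Hit]) -> list[Hit]:
    """Rank by asset exposure first. Nothing is downgraded for being 'consumer malware'."""
    return sorted(hits, key=lambda h: (not h.crossover, h.host, h.ioc_type))


if __name__ == "__main__":
    for hit in triage(hunt(SAMPLE_LOGS, load_iocs(IOC_FEED))):
        flag = "OT-ADJACENT" if hit.crossover else "corporate"
        print(f"{flag:11} {hit.host:10} {hit.source:5} {hit.ioc_type}={hit.indicator}")
```

The point of matching hostnames across DNS, proxy destination and proxy URL fields is the one the second bullet makes: a stealer's beacon shows up in whichever sensor happens to be looking, and a hunt that only checks the field the IOC was published in misses the others. The ranking step encodes the fourth bullet, putting the engineering-workstation host at the top regardless of which indicator fired on it.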
There is nothing here to patch. There is a name to watch for, a stealer to hunt, and a reminder that the electric power sector is being named in threat-intel writeups alongside commodity credential theft. That last part is the piece worth carrying into next week.
Watching for
- Full Kaspersky Securelist writeup with IOCs, victimology detail, and any OT-network specifics.
- National CERT advisories from Russia (NKTsKI), Brazil (CERT.br), and Kazakhstan (KZ-CERT) — a named campaign against domestic utilities usually triggers at least a soft advisory.
- CISA ICS-CERT signal on BusySnake or Armored Likho as a named referent. The U.S. grid isn’t in the current geography, but the pattern of intel sharing on named APT tooling means a mention here would push detection content downstream fast.
- Overlap with other 2026 threat-intel writeups that named the same target set. This is the first time the actor has been documented publicly — the second and third writeups are the ones that will confirm whether the geography and sector list are stable or moving.
Sourcing
- The Hacker News: Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer, July 3, 2026
- Kaspersky Securelist: securelist.com — the primary technical writeup this coverage rests on
- CISA critical-infrastructure resources: cisa.gov/topics/critical-infrastructure-security-and-resilience
- Related coverage on 0daynews: PamStealer / macOS credential theft, DPRK npm supply-chain packages