ctipilot.ch

BusySnake Stealer

malware · malware:busysnake-stealer single-source

Python 3.12 Windows infostealer (module.pyw) documented by Kaspersky (2026-07-03), obfuscated with PyArmor Pro 9.2.0 using call-time bytecode decrypt/re-encrypt. Handler/command architecture: clipboard and file scraping for 64-char hex keys and otpauth:// OTP seeds, DPAPI Chromium and PK11SDR_Decrypt Firefox credential theft, cookie theft incl. a browser-extension variant, document exfiltration, screenshots, Telegram tdata harvesting, crypto-wallet JSON hunting, reverse-SSH tunneling and RustDesk remote-access abuse. Staged from auto-rotating GitHub repositories; scheduled-task persistence via VBScript every five minutes.

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
1
see Related entities below
ATT&CK techniques
15
pinned v19.1 · see below

ATT&CK techniques

15 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Resource Development TA0042

T1608.001Stage Capabilities: Upload Malware×1

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Initial Access TA0001

T1566.001Phishing: Spearphishing Attachment×1

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Execution TA0002

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×1

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python×1

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1204.002User Execution: Malicious File×1

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Persistence TA0003

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Privilege Escalation TA0004

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×1

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Credential Access TA0006

T1539Steal Web Session Cookie×1

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers×1

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Collection TA0009

T1005Data from Local System×1

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1113Screen Capture×1

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1115Clipboard Data×1

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Command and Control TA0011

T1219Remote Access Tools×1

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

T1572Protocol Tunneling×1

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

Evidence: 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · ATT&CK page ↗

Story timeline

  1. 2026-07-11Armored Likho: new APT hits government and electric-power targets with an AI-generated loader and the Python 'BusySnake' stealer
    active-threatsKaspersky names Armored Likho — spear-phishing into an LLM-written loader chain that stages a full Python runtime and a PyArmor-protected stealer

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

used by

Where this entity is cited

  • active-threats1

Source distribution

  • securelist.com1 (100%)

Co-occurring entities

Derived — referenced by the same entries; ×N counts the shared entries.

Entries about BusySnake Stealer (1)

2026-07-11 · view entry permalink →

NOTABLENATOB3

Armored Likho: new APT hits government and electric-power targets with an AI-generated loader and the Python 'BusySnake' stealer

Kaspersky's threat-monitoring team published a full analysis of a previously unknown APT it dubs Armored Likho (also tracked, on circumstantial evidence, as Eagle Werewolf), which mixes financially motivated campaigns against individuals with targeted espionage against organizations — the current campaign, still active at publication, concentrates on government agencies and electric-power-sector organizations in Russia, Brazil and Kazakhstan (Kaspersky Securelist, 2026-07-03). Initial access is spear-phishing with government-notice and social-program themes carrying archive attachments. One variant drops an NSIS self-extracting dropper that shows a decoy "psychological test" survey, writes a legitimate pnx.exe to a temp directory and injects loader code into its process memory; the other abuses the ZDI-CAN-25373 Windows shortcut-display weakness — whitespace/line-break padding that hides the LNK's real command line from the user — to launch obfuscated PowerShell. Both paths converge on a loader that Kaspersky assesses was written by an LLM (verbose comments and bullet-point emojis "highly uncharacteristic of human-developed malware") — a concrete case of AI-generated first-stage tooling blurring the actor's TTP fingerprint and complicating attribution (Kaspersky Securelist, 2026-07-03).

The loader pulls its payload packages from attacker-controlled GitHub repositories whose contents and names rotate automatically, then stages everything under %APPDATA%\WindowsHelper: a bundled Python 3.12 interpreter, get-pip.py for dependency installation, and the primary payload module.pyw — BusySnake Stealer, a Python infostealer obfuscated with PyArmor Pro 9.2.0 that decrypts each function's bytecode only at call time and re-encrypts it afterward. Persistence is a VBScript launcher (run.vbs) registered as a scheduled task re-executing the payload every five minutes; a companion wh_selfdelete.vbs wipes the initial loader. On tasking from its C2, the stealer harvests Chromium credentials via DPAPI and Firefox credentials via PK11SDR_Decrypt, steals browser cookies (in one command variant by installing a browser extension), scrapes the clipboard and local files for 64-character hex keys and otpauth:// OTP seeds, inventories and exfiltrates user documents under 5 MB, captures screenshots, packages Telegram tdata session stores after force-killing telegram.exe, hunts cryptocurrency-wallet JSON files, opens a reverse-SSH tunnel with a C2-supplied key, and abuses RustDesk — downloading it if absent, or restarting it to make the user re-enter their ID/password while screenshotting the credentials (Kaspersky Securelist, 2026-07-03).

Provenance note: this entry was published by the 2026-07-11 full-store quality audit, which found the item had fallen into the 2026-07-07 scheduler outage's backfill blind spot (research-blog publications do not route through the KEV/CERT catch-up paths the backfill run swept — pipeline fix shipped as prompts v3.21).

This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor.

This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads.

Kaspersky Securelist 2026-07-03
threat11 Jul 17:40Zsingle-sourceOpen finding ↗