BusySnake Infostealer Targets Critical Infrastructure in Russia, Brazil, and Kazakhstan
A sophisticated threat actor tracked as Armored Likho has been deploying a custom-built infostealer dubbed BusySnake against government agencies and electrical power utilities across Russia, Brazil, and Kazakhstan, according to new research shared with Dark Reading. The campaign represents a notable escalation in targeting critical infrastructure across multiple geographies, with researchers warning that the group's tradecraft continues to mature.
BusySnake is engineered for stealth and persistence within operational technology (OT) and IT environments. Once inside a network, the malware harvests credentials, browser-stored data, and system information before exfiltrating payloads to attacker-controlled infrastructure. Security analysts tracking the campaign have noted overlaps with prior Armored Likho operations, including the use of SmartPSS and other legitimate remote management tools as living-off-the-land binaries to evade detection.
The group's focus on electrical power entities raises significant concerns about pre-positioning for potential disruptive or destructive attacks. Organizations operating in the energy sector are urged to audit remote access paths and monitor for anomalous outbound connections. Defenders can use our WHOIS lookup tool to investigate suspicious domains tied to the campaign, and our port scanner to identify exposed services on perimeter assets that may serve as initial access vectors.
To reduce exposure to infostealer-class malware like BusySnake, security teams should enforce multi-factor authentication across all remote access points, segment OT networks from corporate IT, and continuously monitor credential dumps. Individuals whose emails may have been compromised in related breaches can verify exposure using our email breach checker, and organizations should review logs for signs of lateral movement consistent with the tradecraft attributed to Armored Likho.