Armored Likho Digging a Snake Pit: Inside the Covert BusySnake Stealer Campaign

    Date: 07/06/2026

    Severity: High

    Summary

    Threat Discovery: A new phishing campaign has been uncovered, tied to an APT group dubbed Armored Likho (also known as Eagle Werewolf). Target Sectors: This targeted campaign focuses heavily on government agencies and the electric power sector. Global Footprint: The attacks span Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor. Dual Motivation: Armored Likho blends financially motivated campaigns targeting individuals with cyber-espionage aimed at organizations. Malware Toolkit: They utilize Go2Tunnel alongside obfuscated, modular RATs and infostealers engineered to bypass dynamic analysis. Impact & Control: This diverse stack enables them to maintain stealthy host control, exfiltrate credentials, and deploy tailored modules. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    winupdate.live

    arvax.xyz

    varenie.live

    lvl99.store

    onetoken.ink

    winupdate.ink

    grked.online

    ndrt.ink

    myboard.chickenkiller.com

    myboard.twilightparadox.com

    IP Address 

    159.198.41.140

    159.198.75.219

    159.198.32.222

    69.67.173.153

    Hash 

    5D5C3E483C5E544260CE98FC29FBF192

    7141917CBA2EEE2B4D31107FACCF3A39

    F5C6434EE5F7578FAA3BC1257E1C9226

    C019797A00FD56EDB1F468AC0A598510

    A0EC7A8E61EFF3F445A7455B3AEF9FBB

    F5C6434EE5F7578FAA3BC1257E1C9226

    7DB9C688C620E54E8C69B7E52A7579FB

    90378881856ABFA47D7745C0A3EF9DC8

    1DBA3E505491A260A44C867902C3296E

    1096268FA2B3D454C86CF851CB782319

    F2AB09D7E7A375A192508A5014AA2EE4

    0041FD1B2358CD08DBCBC28EA8FC3D20

    894332174F536C2E1EFEDA05CBA79F8B

    78135F72AB148A0CC074F6B2DD51FFF6

    07213C419489C02791E8D67B91E404EF

    393B498F2114CABC0B29D5FCD9DC6723

    CF74AC018D158EA2C2CFA1B1D71D95BC

    2DFA1D949872C1B2F04952DD3E5F5D8F

    C7622A1EFFA27BBFEE6D6E03D6474343

    80B7700053E115D65365CE7330383320

    6B45DDB39A6E86229348DCBBA3857E7C

    006887732CA4A4A46A97989CF4DEEEF6

    732C31ACF971A81C7E51B2A3DAE82020

    DDFF82A115558584BBD7741D4FFB35B4

    8188B2F347B77D65D08CFB23808AC244

    E2550CFAD9DCC880BF04F6048F90868C

    FD2BDD8047ADDEE6FDE2F532DE181BFD

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "lvl99.store" or url like "lvl99.store" or siteurl like "lvl99.store" or domainname like "winupdate.ink" or url like "winupdate.ink" or siteurl like "winupdate.ink" or domainname like "ndrt.ink" or url like "ndrt.ink" or siteurl like "ndrt.ink" or domainname like "varenie.live" or url like "varenie.live" or siteurl like "varenie.live" or domainname like "onetoken.ink" or url like "onetoken.ink" or siteurl like "onetoken.ink" or domainname like "grked.online" or url like "grked.online" or siteurl like "grked.online" or domainname like "arvax.xyz" or url like "arvax.xyz" or siteurl like "arvax.xyz" or domainname like "winupdate.live" or url like "winupdate.live" or siteurl like "winupdate.live" or domainname like "myboard.chickenkiller.com" or url like "myboard.chickenkiller.com" or siteurl like "myboard.chickenkiller.com" or domainname like "myboard.twilightparadox.com" or url like "myboard.twilightparadox.com" or siteurl like "myboard.twilightparadox.com"

    Detection Query 2 :

    dstipaddress IN ("159.198.75.219","159.198.32.222","159.198.41.140","69.67.173.153") or srcipaddress IN ("159.198.75.219","159.198.32.222","159.198.41.140","69.67.173.153")

    Detection Query 3 :

    md5hash IN ("07213C419489C02791E8D67B91E404EF","F5C6434EE5F7578FAA3BC1257E1C9226","2DFA1D949872C1B2F04952DD3E5F5D8F","393B498F2114CABC0B29D5FCD9DC6723","0041FD1B2358CD08DBCBC28EA8FC3D20","5D5C3E483C5E544260CE98FC29FBF192","7141917CBA2EEE2B4D31107FACCF3A39","C019797A00FD56EDB1F468AC0A598510","A0EC7A8E61EFF3F445A7455B3AEF9FBB","7DB9C688C620E54E8C69B7E52A7579FB","90378881856ABFA47D7745C0A3EF9DC8","1DBA3E505491A260A44C867902C3296E","1096268FA2B3D454C86CF851CB782319","F2AB09D7E7A375A192508A5014AA2EE4","894332174F536C2E1EFEDA05CBA79F8B","78135F72AB148A0CC074F6B2DD51FFF6","CF74AC018D158EA2C2CFA1B1D71D95BC","C7622A1EFFA27BBFEE6D6E03D6474343","80B7700053E115D65365CE7330383320","6B45DDB39A6E86229348DCBBA3857E7C","006887732CA4A4A46A97989CF4DEEEF6","732C31ACF971A81C7E51B2A3DAE82020","DDFF82A115558584BBD7741D4FFB35B4","8188B2F347B77D65D08CFB23808AC244","E2550CFAD9DCC880BF04F6048F90868C","FD2BDD8047ADDEE6FDE2F532DE181BFD")

    Reference:    

    https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/            


    Tags

    MalwareThreat ActorPhishingInfostealerGovernment Services and FacilitiesEnergyRussiaBrazilKazakhstanCredential HarvestingObfuscationCyber EspionageFinancial Services

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags