Armored Likho: the newly-named hacking crew hitting power grids and government offices
Russian security firm Kaspersky says the group mixes espionage against big institutions with money-driven attacks on ordinary people.

Key points
- Kaspersky named a previously unknown hacking group called Armored Likho in a technical report published this week.
- The group has attacked government agencies and electric power companies in Russia, Brazil and Kazakhstan.
- Armored Likho mixes two goals in one operation: spying on organisations and stealing money from private individuals.
- The crew is using a piece of data-stealing software known as BusySnake to grab passwords and files from infected computers.
There is a new name on the board, and it is worth paying attention to.
Russian antivirus company Kaspersky says it has been tracking a hacking group nobody had publicly documented before. They are calling it Armored Likho. In a report out this week, the company says the crew has been breaking into government offices and electricity companies across three countries: Russia, Brazil and Kazakhstan.
What makes this group unusual is not the tools. It is the mix of motives.
Most hacking crews pick a lane. Some chase money by robbing individuals. Others do espionage — quietly sitting inside big organisations to steal secrets on behalf of a government or a rival. Armored Likho, according to Kaspersky, does both at the same time.
Who is being hit, and what are the hackers after?
The targets fall into two very different buckets. On one side: government departments and electric power firms — the kind of places a spy agency would want a foothold inside. On the other: regular people, whose bank logins and personal files can be sold or drained directly.
Kaspersky says the group is deploying a piece of malicious software, meaning a program built to do harm, called BusySnake. It is what the industry calls a stealer — software that quietly copies passwords saved in your browser, cryptocurrency wallet files, and documents, then ships them back to the attackers.
Stealers are not new. They are the crowbar of the modern criminal underground. What matters here is who is holding the crowbar and where they are pointing it.
Why does this matter to ordinary people?
If you live in Brazil, Kazakhstan or Russia and you work for a government body or an energy company, your employer's security team should already be reading Kaspersky's write-up. That is their job today.
For everyone else, the practical concern is the same as it has been for years. A stealer on your home computer will happily empty a savings account or hand over your email password to whoever pays for it. The infection routes are almost always the same boring ones: a booby-trapped attachment, a cracked piece of software downloaded from a shady site, or a fake login page linked from a convincing email.
Turn on two-factor authentication — the second code your bank or email sends to your phone — on anything that holds money or personal data. That one step defeats most stolen passwords.
How confident should we be in the attribution?
Carefully confident, and no more.
As The Hacker News noted in its own coverage, Armored Likho is a fresh label. Kaspersky is the outfit naming it, and Kaspersky is a Russian company reporting on attacks that include Russian victims. That is not a reason to dismiss the research. It is a reason to wait for a second security firm to look at the same samples and either agree or push back.
Naming a new group is the easy part. Proving the same hands are behind every attack listed under that name takes months of patient work.
For now, treat Armored Likho as a useful bucket. A crew worth watching. Not yet a household name in the way Lazarus or Sandworm are, but the sort of operation that becomes one if the reporting holds up.



