Meet BusySnake: The Stealthy Malware Quietly Raiding Government Networks

A newly discovered hacking group is hitting government offices and critical services in three countries with a cunning piece of spy software. Here is what it does and who is at risk.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge
Share

Key points

  • Kaspersky, a cybersecurity research firm, identified a previously unknown hacking group called "Armored Likho" targeting government agencies and critical infrastructure organisations in Russia, Brazil, and Kazakhstan.
  • The group's main weapon is a custom piece of spy software, dubbed "BusySnake Stealer", capable of lifting passwords, encryption keys, and Telegram session data from infected computers.
  • Armored Likho sent fake emails disguised as official government or social-assistance documents to trick staff into opening malicious files.
  • Kaspersky researchers found code patterns suggesting the group used AI tools, specifically large language models, to help write early-stage parts of the malware.
  • Kaspersky has published indicators of compromise, meaning technical fingerprints organisations can use to check whether BusySnake is already present on their systems.

A hacking group nobody had documented before has been quietly breaking into government computers and critical service networks across three countries, carrying off passwords, private messages, and cryptographic keys, which are the digital codes that protect sensitive data. The group, which security researchers at Kaspersky are calling "Armored Likho", was first reported by Dark Reading.

The attacks begin with a spear-phishing email, where criminals send a highly personalised fake message designed to look like it came from a trusted official source. Some lures pretended to be psychological assessments. Others posed as humanitarian-aid applications or debt-clearance certificates.

How did the hackers actually get in?

Victims opened an email attachment and got a convincing-looking document or survey. That was the distraction. In the background, hidden software was already installing itself.

The final payload is BusySnake Stealer, a custom-built programme written in Python, a common programming language. Once running, it hoovers up passwords and cookies saved in browsers, clipboard contents (anything you have copied and not yet pasted), Telegram login sessions, and authentication data. Authentication data is the information an app uses to confirm you are who you say you are.

BusySnake can also open a persistent back door, giving the criminals ongoing remote access to the infected machine long after the first break-in.

Kaspersky found the malware uses a commercial encryption tool called PyArmor Pro to scramble its own code, decrypting each function only for the split second it needs to run, then re-scrambling it immediately. That makes it extremely hard for security software to analyse. The malware also runs silently, with no visible window, and buries its own networking code internally so it leaves fewer traces.

One detail stands out. Kaspersky says the coding style in the early-stage components suggests the group used AI tools, specifically large language models like the kind that power popular chat assistants, to generate parts of the malware. Redundant comments and unnecessary code blocks are a known side-effect of AI-generated code. If confirmed at scale, that is a meaningful shift: it means groups with modest coding skills can now produce polished attack tools faster than before.

Kaspersky has not linked Armored Likho to any specific government or nation state.

If you work in a government office, a hospital, a utility company, or any organisation that handles public services, the practical steps are straightforward. Do not open attachments from unexpected emails, even if the sender appears official. Report anything that feels slightly off to your IT or security team. Adding a second layer of login verification, called multi-factor authentication, where you confirm your identity via a separate device, would not have stopped BusySnake once installed, but it limits how far stolen passwords alone can travel.

© 2026 Threat Vectr