The Armored Likho APT group deploys a previously undocumented Python-based infostealer called BusySnake Stealer against government agencies and electric power sector organizations in Russia, Brazil, and Kazakhstan. The malware uses PyArmor Pro obfuscation, AI-generated first-stage loaders hosted on GitHub, and a modular C2 architecture to steal browser credentials, cookies, cryptocurrency wallets, 2FA secrets, Telegram data, and screenshots. The campaign demonstrates evolving TTPs including in-memory Python script execution, COM-based scheduled task persistence, and integrated reverse SSH tunneling that receives keys directly from the C2 server.