Cyber Threat Brief — July 6 2026
⚠️ This report is AI-generated. Always validate findings.
1. Armored Likho APT Deploys BusySnake Stealer — CVE-2025-9491
TL;DR: Previously undocumented APT group “Armored Likho” (overlaps BI.ZONE’s Eagle Werewolf) is targeting government and energy sector orgs in Russia, Brazil, and Kazakhstan with BusySnake Stealer — a PyArmor-obfuscated Python infostealer with built-in reverse SSH tunneling. LLM-generated first-stage loaders show AI-assisted malware development in the wild.
What’s New:
- Kaspersky Securelist published full analysis July 3; IOC set with 41 indicators
- Delivery via spear-phishing: NSIS EXE droppers or malicious
.lnkfiles exploiting ZDI-CAN-25373 (CVE-2025-9491) to hide command-line args - BusySnake persists via
WindowsHelperscheduled task (5-min interval), staging in%APPDATA%\WindowsHelper\ - Steals Chromium + Firefox credentials/cookies, Telegram sessions, crypto wallets; new version uses
Schedule.ServiceCOM object instead ofschtasks.exeto evade detection - AI-generated loaders identified by verbose inline comments, bullet-point emojis in source, redundant code blocks
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
WindowsHelper scheduled task (5-min interval) | Persistence | T1053.005 | Sysmon EID 1, Windows Task Scheduler | Hunt for schtasks creating WindowsHelper or Schedule.Service COM task creation |
%APPDATA%\WindowsHelper\ staging dir | File IOC | T1074.001 | Sysmon EID 11, EDR | Alert on file creation in this path |
module.pyw / run.vbs / wh_selfdelete.vbs | File IOC | T1059.006 | Sysmon EID 1,11 | Hunt for .pyw execution via pythonw.exe |
inventory_state.db in WindowsHelper | Stealer artifact | T1005 | EDR file monitoring | Presence = confirmed compromise |
C2: winupdate[.]live, arvax[.]xyz, varenie[.]live, lvl99[.]store, onetoken[.]ink | C2 domains | T1071.001 | DNS, proxy logs | Block and hunt |
MD5 C7622A1EFFA27BBFEE6D6E03D6474343 | BusySnake Stealer | T1059.006 | AV/EDR | Block hash |
MD5 80B7700053E115D65365CE7330383320 | BusySnake v2 | T1059.006 | AV/EDR | Block hash |
MD5 7141917CBA2EEE2B4D31107FACCF3A39 | EXE stager | T1204.002 | AV/EDR | Block hash |
MD5 393B498F2114CABC0B29D5FCD9DC6723 | Malicious LNK | T1204.002 | Sysmon EID 1 | Block hash |
| Reverse SSH tunnel via C2-provided private key | Lateral movement | T1572 | Network, EDR | Alert on ssh.exe spawned by Python/VBS with -R flag |
| PowerShell downloading from GitHub repos | Delivery | T1059.001 | PowerShell logging (4104) | Hunt for PS downloading python.zip, get-pip.py |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for WindowsHelper scheduled task, PYW execution, or Schedule.Service COM persistence |
| Elastic | Suspicious DLL Loaded via Side-Loading (generic) | No BusySnake-specific rule; need PYW/pythonw.exe execution + WindowsHelper path correlation |
| Sigma | proc_creation_win_schtasks_creation.yml (generic) | No rule for Schedule.Service COM object task creation bypass; need PyArmor runtime detection |
Sources: Kaspersky Securelist, The Hacker News, GBHackers
Status Updates
- CVE-2026-45659 (SharePoint RCE): Federal deadline passed July 4. Storm-2603/Warlock ransomware attributed. Post-exploitation uses Velociraptor, Cloudflare tunnels, Zoho Assist, VSCode SSH. No public PoC or IOC hashes yet. Original brief.
- CVE-2026-48282 (Adobe ColdFusion): Active exploitation within hours of watchTowr writeup. Attacker IP
103.207.14[.]220. NHS England confirms exploitation. Patch to CF2025 Update 10 / CF2023 Update 21. Original brief. - CVE-2026-8451 (Citrix CitrixBleed∞): Active exploitation ongoing from
146.70.139[.]154(M247/AS9009). Upgrade to 14.1-72.61+ or 13.1-63.18+. Original brief. - CVE-2026-8037 (Kemp LoadMaster): Active exploitation confirmed since June 29 per eSentire TRU. Upgrade to GA v7.2.63.2 / LTSF v7.2.54.18. Original brief.
- JADEPUFFER (Agentic Ransomware): First documented LLM-driven ransomware operation. C2
45.131.66[.]106. No new artifacts since July 4 disclosure. Original brief. - ChocoPoC (Trojanized PoC repos): Malware and C2 servers still live per Sekoia/YesWeHack. Do not run any of the 7 identified repos. Check for
frint,skytext,slogsec,logcrypt.cryptographypackages. Original brief.