Cyber Threat Brief — July 6 2026

⚠️ This report is AI-generated. Always validate findings.

1. Armored Likho APT Deploys BusySnake Stealer — CVE-2025-9491

TL;DR: Previously undocumented APT group “Armored Likho” (overlaps BI.ZONE’s Eagle Werewolf) is targeting government and energy sector orgs in Russia, Brazil, and Kazakhstan with BusySnake Stealer — a PyArmor-obfuscated Python infostealer with built-in reverse SSH tunneling. LLM-generated first-stage loaders show AI-assisted malware development in the wild.

What’s New:

  • Kaspersky Securelist published full analysis July 3; IOC set with 41 indicators
  • Delivery via spear-phishing: NSIS EXE droppers or malicious .lnk files exploiting ZDI-CAN-25373 (CVE-2025-9491) to hide command-line args
  • BusySnake persists via WindowsHelper scheduled task (5-min interval), staging in %APPDATA%\WindowsHelper\
  • Steals Chromium + Firefox credentials/cookies, Telegram sessions, crypto wallets; new version uses Schedule.Service COM object instead of schtasks.exe to evade detection
  • AI-generated loaders identified by verbose inline comments, bullet-point emojis in source, redundant code blocks

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
WindowsHelper scheduled task (5-min interval)PersistenceT1053.005Sysmon EID 1, Windows Task SchedulerHunt for schtasks creating WindowsHelper or Schedule.Service COM task creation
%APPDATA%\WindowsHelper\ staging dirFile IOCT1074.001Sysmon EID 11, EDRAlert on file creation in this path
module.pyw / run.vbs / wh_selfdelete.vbsFile IOCT1059.006Sysmon EID 1,11Hunt for .pyw execution via pythonw.exe
inventory_state.db in WindowsHelperStealer artifactT1005EDR file monitoringPresence = confirmed compromise
C2: winupdate[.]live, arvax[.]xyz, varenie[.]live, lvl99[.]store, onetoken[.]inkC2 domainsT1071.001DNS, proxy logsBlock and hunt
MD5 C7622A1EFFA27BBFEE6D6E03D6474343BusySnake StealerT1059.006AV/EDRBlock hash
MD5 80B7700053E115D65365CE7330383320BusySnake v2T1059.006AV/EDRBlock hash
MD5 7141917CBA2EEE2B4D31107FACCF3A39EXE stagerT1204.002AV/EDRBlock hash
MD5 393B498F2114CABC0B29D5FCD9DC6723Malicious LNKT1204.002Sysmon EID 1Block hash
Reverse SSH tunnel via C2-provided private keyLateral movementT1572Network, EDRAlert on ssh.exe spawned by Python/VBS with -R flag
PowerShell downloading from GitHub reposDeliveryT1059.001PowerShell logging (4104)Hunt for PS downloading python.zip, get-pip.py

Detection

SourceRuleGap
Splunk ESCUNoneNo rule for WindowsHelper scheduled task, PYW execution, or Schedule.Service COM persistence
ElasticSuspicious DLL Loaded via Side-Loading (generic)No BusySnake-specific rule; need PYW/pythonw.exe execution + WindowsHelper path correlation
Sigmaproc_creation_win_schtasks_creation.yml (generic)No rule for Schedule.Service COM object task creation bypass; need PyArmor runtime detection

Sources: Kaspersky Securelist, The Hacker News, GBHackers


Status Updates

  • CVE-2026-45659 (SharePoint RCE): Federal deadline passed July 4. Storm-2603/Warlock ransomware attributed. Post-exploitation uses Velociraptor, Cloudflare tunnels, Zoho Assist, VSCode SSH. No public PoC or IOC hashes yet. Original brief.
  • CVE-2026-48282 (Adobe ColdFusion): Active exploitation within hours of watchTowr writeup. Attacker IP 103.207.14[.]220. NHS England confirms exploitation. Patch to CF2025 Update 10 / CF2023 Update 21. Original brief.
  • CVE-2026-8451 (Citrix CitrixBleed∞): Active exploitation ongoing from 146.70.139[.]154 (M247/AS9009). Upgrade to 14.1-72.61+ or 13.1-63.18+. Original brief.
  • CVE-2026-8037 (Kemp LoadMaster): Active exploitation confirmed since June 29 per eSentire TRU. Upgrade to GA v7.2.63.2 / LTSF v7.2.54.18. Original brief.
  • JADEPUFFER (Agentic Ransomware): First documented LLM-driven ransomware operation. C2 45.131.66[.]106. No new artifacts since July 4 disclosure. Original brief.
  • ChocoPoC (Trojanized PoC repos): Malware and C2 servers still live per Sekoia/YesWeHack. Do not run any of the 7 identified repos. Check for frint, skytext, slogsec, logcrypt.cryptography packages. Original brief.