News·4 min read

BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions, and Crypto Keys

BusySnake Stealer, a previously undocumented Python-based infostealer actively deployed by an emerging APT we track as Armored Likho (aka Eagle Werewolf). BusySnake is purpose-built for Windows and en

CS
CyberShield Team
2026-07-04
Share:
BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions, and Crypto Keys

BusySnake Stealer, a previously undocumented Python-based infostealer actively deployed by an emerging APT we track as Armored Likho (aka Eagle Werewolf). BusySnake is purpose-built for Windows and engineered to harvest high-value secrets: browser-stored passwords and cookies, Telegram desktop sessions, clipboard contents, system screenshots, and cryptocurrency keys and wallet files. Its modular design, stealthy runtime protections […] The post BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions, and Crypto Keys appeared first on Cyber Security News.

BusySnake Stealer, a previously undocumented Python-based infostealer actively deployed by an emerging APT we track as Armored Likho (aka Eagle Werewolf). BusySnake is purpose-built for Windows and engineered to harvest high-value secrets: browser-stored passwords and cookies, Telegram desktop sessions, clipboard contents, system screenshots, and cryptocurrency keys and wallet files. Its modular design, stealthy runtime protections and use of automated first-stage loaders indicate a threat actor that blends financially motivated theft with targeted espionage against government and critical infrastructure, notably the electric power sector across Russia, Brazil and Kazakhstan. Infections begin with convincing spear-phishing lures faux government notices and humanitarian forms delivered as archives that contain either NSIS-built EXE droppers or weaponized LNK shortcuts. The EXE variant extracts a legitimate-looking helper binary, injects code to run a loader, and then pulls a staged archive from attacker-controlled GitHub repositories. The LNK variant abuses a documented shortcut-handling flaw to hide execution parameters and launches an obfuscated PowerShell chain to fetch the same loader. Both vectors deploy an embedded Python 3.12 runtime, PyArmor-protected bytecode, and automated pip installation to prepare the environment for the BusySnake payload. According to Securelist, BusySnake’s protections are notable: authors used PyArmor Pro to encrypt bytecode and implemented on-call decryption where functions are decrypted only at invocation and immediately re-encrypted, complicating static analysis and sandbox detection. The stealer runs as a .pyw background process with no console to avoid user visibility. BusySnake Stealer malware The malware enforces single-instance execution via a non-standard lock-file algorithm, then spawns multiple background handlers that perform discrete tasks clipboard scraping, file-system inventory and prioritized document exfiltration, screenshot capture and archiving, and continuous polling of a command-and-control (C2) endpoint. Stealer configuration example (Source : Securelist). Technical capabilities map directly to attacker objectives. Password extraction routines decrypt credentials from Chromium-based browsers using Windows DPAPI, and from Firefox via PK11SDR_Decrypt calls. Cookie collection works through direct DB access and, in some versions, by stealthily installing a browser extension to harvest session cookies. Telegram harvesting is comprehensive: BusySnake locates the APPDATA/Telegram Desktop/tdata store, force-terminates Telegram to ensure file consistency, stages session files, compresses them and ships the archive to C2 enabling account takeover without needing passwords. The poll_task function polls the C2 server in a continuous loop for new commands. Below is an excerpt of a typical request packet. C2 administration panel sign-in form (Source : Securelist). The stealer also scans files for 64-character hex strings consistent with private keys, searches for wallet JSON files, and logs OTP secrets when otpauth:// URIs are observed, often by monitoring clipboard content. The campaign exhibits several modern trends: polymorphic toolchains, automated code generation in loaders (including evidence of LLM-assisted code to obfuscate TTPs), and use of public artifact hosting for dynamic payload distribution. Armored Likho complements BusySnake with auxiliary tooling such as Go2Tunnel for tunneling and remote access capabilities like RustDesk installation or reverse SSH proxies created on demand. The C2 protocol is simple and persistent periodic GET requests transmit client identifiers and retrieve function names to execute enabling flexible, remote-driven tasking. Operationally, the group’s targeting pattern and infrastructure rotation point to an adversary comfortable mixing broad credential theft with targeted reconnaissance of high-value sectors. Defenders should prioritize detection of unusual NSIS installers, anomalous LNK execution chains, staged Python runtimes under %APPDATA% directories (for example WindowsHelper), and scheduled tasks executing VBScript launchers every five minutes. Incident responders who find BusySnake indicators must assume credential and session compromise, perform full password resets with out-of-band reauthentication, revoke Telegram sessions, and inspect endpoints for additional remote-access implants and exfiltration artifacts. Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google. The post BusySnake Stealer Targets Browser Passwords, Cookies, Telegram Sessions, and Crypto Keys appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.