Researchers at Kaspersky have uncovered a previously undocumented threat actor dubbed Armored Likho, which is actively targeting government agencies and electric power sector organizations across Russia, Brazil, and Kazakhstan. The group blends financially motivated campaigns against private individuals with targeted cyber espionage operations, according to a technical analysis published today.

The campaign's dual nature sets it apart from typical state-sponsored or purely criminal groups. While the exact scale of compromise remains unclear, the geographic spread across three continents suggests a sophisticated operational capability. Kaspersky did not disclose specific CVEs or infection counts in its initial report.

Armored Likho deploys a custom information stealer called BusySnake to exfiltrate sensitive data from compromised systems. The malware's capabilities and delivery mechanisms have not been fully detailed, but the targeting of critical infrastructure and government networks indicates a high level of intent to disrupt or surveil high-value targets.

No patches or specific mitigation steps have been publicly released, as the group's tools and tactics are still under active analysis. Organizations in the affected sectors and regions are advised to review network logs for unusual activity and harden defenses against spear-phishing campaigns.

Attribution for Armored Likho remains unclear. The actor's operational security and the lack of publicly known ties to any nation-state make it difficult to assign responsibility, though the targeting pattern is consistent with both cyber espionage and financially motivated activity.