A named threat cluster is being tracked against government and power-sector targets, with modular remote-access malware and infostealers pointing to a campaign built for reuse, not just one-off intrusion.
A phishing-led intrusion chain tied to the Armored Likho label shows how a stealer, scheduled-task persistence, and covert tunneling can turn one inbox click into a durable access problem.
A newly named cluster tied to government and power-sector targeting shows how credential theft, tunneling, and persistence can be fused into one access pipeline.