PROBABLYPWNED
Threat IntelligenceJuly 6, 20263 min read

Armored Likho APT Hits Power Grids With AI-Generated Malware

New threat group Armored Likho targets government agencies and power sectors in Russia, Brazil, and Kazakhstan using BusySnake Stealer—malware with AI-generated loader code and reverse SSH tunneling capabilities.

Alex Kowalski

Kaspersky researchers documented a previously unknown threat group dubbed Armored Likho conducting targeted attacks against government agencies and electric power sector organizations across Russia, Brazil, and Kazakhstan. The group deploys a custom Python-based infostealer called BusySnake, with notable evidence of AI-assisted malware development.

Armored Likho Profile

The threat actor first appeared in Kaspersky's telemetry in early 2026, though overlapping indicators suggest possible connections to Eagle Werewolf, a group tracked by BI.ZONE since May 2023. Attribution remains tentative—Kaspersky notes "medium confidence" based on circumstantial evidence rather than definitive proof.

Primary targets include government agencies handling defense and UAV development, as well as electric power utilities. The geographic spread across three continents suggests either broad nation-state collection requirements or a financially motivated operation masquerading as espionage.

BusySnake Stealer Capabilities

BusySnake is a modular Python-based infostealer targeting Windows systems. Its capabilities include:

  • Credential theft: Extracts saved passwords from Chromium and Firefox browsers
  • Session hijacking: Harvests cookies, OTP codes, and Telegram session data
  • Cryptocurrency targeting: Scans for wallet files across common locations
  • System reconnaissance: Screenshots, keystroke logging, file enumeration
  • Persistent access: Establishes reverse SSH tunnels via Go2Tunnel integration
  • Remote desktop: Deploys RustDesk for hands-on-keyboard access

The malware maintains persistence through VBScript files and scheduled tasks created via COM object interaction—a technique that avoids the more commonly monitored schtasks.exe command-line utility.

Multiple BusySnake versions exist, including a dedicated cookie-stealing module, indicating active development and refinement of the toolset.

AI Fingerprints in Malware Development

Kaspersky identified signs of AI-generated code in Armored Likho's first-stage loaders. The telltale patterns include verbose inline comments, bullet-point emojis in source code, and redundant code blocks—stylistic artifacts consistent with LLM output.

This matches the broader trend of AI-assisted threat development we've tracked throughout 2026. The JadePuffer ransomware operation demonstrated fully autonomous LLM-orchestrated attacks, while Armored Likho appears to use AI for code generation rather than end-to-end automation.

The approach offers attackers faster development cycles and polymorphic code that varies between samples, complicating signature-based detection.

Attack Chain

Armored Likho reaches victims through carefully crafted spear-phishing emails. Lures include:

  • Official government notices
  • Humanitarian aid applications
  • Industry-specific documentation

Payloads arrive as RAR archives containing executable droppers or Windows shortcut (LNK) files exploiting CVE-2025-9491, a vulnerability Microsoft patched in November 2025. The LNK files launch obfuscated PowerShell commands that display decoy documents while staging the BusySnake payload.

Malware components are hosted on GitHub repositories, blending command-and-control traffic with legitimate developer platform activity.

Infrastructure and Attribution Challenges

The group maintains operational security through:

  • Compromised Telegram channels for malware distribution
  • GitHub-hosted payload components
  • Go2Tunnel reverse SSH tunnels for C2
  • AquilaRAT deployment overlapping with Eagle Werewolf indicators

The tool polymorphism and evolving techniques suggest an organized operation with resources for sustained development.

Defense Recommendations

Organizations in the government and energy sectors—particularly those operating in the targeted countries—should:

  1. Hunt for indicators: Search for BusySnake artifacts including Go2Tunnel processes and RustDesk deployments
  2. Block GitHub raw content: Consider blocking raw.githubusercontent.com access from production systems
  3. Monitor scheduled tasks: Alert on COM-based task creation that bypasses schtasks.exe
  4. Patch CVE-2025-9491: Ensure the November 2025 Windows update addressing the LNK vulnerability is deployed

Why This Matters

Critical infrastructure targeting by well-resourced threat actors with AI-assisted development capabilities represents an escalating threat. The geographic spread of Armored Likho's operations suggests either state-sponsored collection against multiple nations or sophisticated criminal activity.

For readers interested in the history of infrastructure-targeting operations, our cybersecurity books resource includes detailed accounts of Sandworm's attacks on Ukrainian power grids and other nation-state cyber operations.

Related Articles