Armored Likho APT Hits Power Grids With AI-Generated Malware
New threat group Armored Likho targets government agencies and power sectors in Russia, Brazil, and Kazakhstan using BusySnake Stealer—malware with AI-generated loader code and reverse SSH tunneling capabilities.
Kaspersky researchers documented a previously unknown threat group dubbed Armored Likho conducting targeted attacks against government agencies and electric power sector organizations across Russia, Brazil, and Kazakhstan. The group deploys a custom Python-based infostealer called BusySnake, with notable evidence of AI-assisted malware development.
Armored Likho Profile
The threat actor first appeared in Kaspersky's telemetry in early 2026, though overlapping indicators suggest possible connections to Eagle Werewolf, a group tracked by BI.ZONE since May 2023. Attribution remains tentative—Kaspersky notes "medium confidence" based on circumstantial evidence rather than definitive proof.
Primary targets include government agencies handling defense and UAV development, as well as electric power utilities. The geographic spread across three continents suggests either broad nation-state collection requirements or a financially motivated operation masquerading as espionage.
BusySnake Stealer Capabilities
BusySnake is a modular Python-based infostealer targeting Windows systems. Its capabilities include:
- Credential theft: Extracts saved passwords from Chromium and Firefox browsers
- Session hijacking: Harvests cookies, OTP codes, and Telegram session data
- Cryptocurrency targeting: Scans for wallet files across common locations
- System reconnaissance: Screenshots, keystroke logging, file enumeration
- Persistent access: Establishes reverse SSH tunnels via Go2Tunnel integration
- Remote desktop: Deploys RustDesk for hands-on-keyboard access
The malware maintains persistence through VBScript files and scheduled tasks created via COM object interaction—a technique that avoids the more commonly monitored schtasks.exe command-line utility.
Multiple BusySnake versions exist, including a dedicated cookie-stealing module, indicating active development and refinement of the toolset.
AI Fingerprints in Malware Development
Kaspersky identified signs of AI-generated code in Armored Likho's first-stage loaders. The telltale patterns include verbose inline comments, bullet-point emojis in source code, and redundant code blocks—stylistic artifacts consistent with LLM output.
This matches the broader trend of AI-assisted threat development we've tracked throughout 2026. The JadePuffer ransomware operation demonstrated fully autonomous LLM-orchestrated attacks, while Armored Likho appears to use AI for code generation rather than end-to-end automation.
The approach offers attackers faster development cycles and polymorphic code that varies between samples, complicating signature-based detection.
Attack Chain
Armored Likho reaches victims through carefully crafted spear-phishing emails. Lures include:
- Official government notices
- Humanitarian aid applications
- Industry-specific documentation
Payloads arrive as RAR archives containing executable droppers or Windows shortcut (LNK) files exploiting CVE-2025-9491, a vulnerability Microsoft patched in November 2025. The LNK files launch obfuscated PowerShell commands that display decoy documents while staging the BusySnake payload.
Malware components are hosted on GitHub repositories, blending command-and-control traffic with legitimate developer platform activity.
Infrastructure and Attribution Challenges
The group maintains operational security through:
- Compromised Telegram channels for malware distribution
- GitHub-hosted payload components
- Go2Tunnel reverse SSH tunnels for C2
- AquilaRAT deployment overlapping with Eagle Werewolf indicators
The tool polymorphism and evolving techniques suggest an organized operation with resources for sustained development.
Defense Recommendations
Organizations in the government and energy sectors—particularly those operating in the targeted countries—should:
- Hunt for indicators: Search for BusySnake artifacts including Go2Tunnel processes and RustDesk deployments
- Block GitHub raw content: Consider blocking raw.githubusercontent.com access from production systems
- Monitor scheduled tasks: Alert on COM-based task creation that bypasses schtasks.exe
- Patch CVE-2025-9491: Ensure the November 2025 Windows update addressing the LNK vulnerability is deployed
Why This Matters
Critical infrastructure targeting by well-resourced threat actors with AI-assisted development capabilities represents an escalating threat. The geographic spread of Armored Likho's operations suggests either state-sponsored collection against multiple nations or sophisticated criminal activity.
For readers interested in the history of infrastructure-targeting operations, our cybersecurity books resource includes detailed accounts of Sandworm's attacks on Ukrainian power grids and other nation-state cyber operations.
Related Articles
GREYVIBE APT Uses ChatGPT and Gemini to Target Ukraine
Russian-linked GREYVIBE threat actor deploys AI-generated malware including PhantomRelay and LegionRelay against Ukrainian military and government targets. WithSecure analysis reveals the group's OPSEC failures.
May 30, 2026MuddyWater Deploys Dindoor Backdoor Against US Bank, Airport
Iranian APT group breaches US critical infrastructure using novel Dindoor malware built on Deno runtime. Symantec links campaign to MOIS.
Mar 12, 2026Iran-Linked Dust Specter APT Deploys AI-Assisted Malware Against Iraq
Zscaler uncovers Dust Specter campaign targeting Iraqi government officials with novel SPLITDROP and GHOSTFORM malware. Evidence suggests AI-assisted development.
Mar 7, 2026North Korea's Konni APT Deploys AI-Built Malware Against Devs
Check Point uncovers Konni campaign using AI-generated PowerShell backdoors to target blockchain developers across Asia-Pacific. Marks shift from diplomatic espionage.
Jan 26, 2026