AI-Generated Malware Powers New Armored Likho APT Campaign

Pierluigi Paganini July 07, 2026

Armored Likho APT uses AI-generated malware, phishing, and BusySnake Stealer to target governments and power grids in Russia, Kazakhstan, and Brazil.

Kaspersky’s threat research team has documented a previously unknown APT group they’re calling Armored Likho, also tracked under the name Eagle Werewolf. The group runs two parallel tracks: financially motivated attacks against private individuals and targeted espionage against government agencies and electric power organizations in Russia, Kazakhstan, and Brazil.

The combination is unusual. Most groups pick a lane.

The toolkit is modular and actively evolving. Armored Likho deploys obfuscated RATs, a newly documented Python-based infostealer called BusySnake Stealer, and Go2Tunnel for remote access and network tunneling.

“Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis. Alongside these, they leverage simpler tools like Go2Tunnel for remote access and network tunneling.” states Kaspersky’s report.

“This diverse malware stack enables the threat actor to maintain stealthy control of compromised hosts, exfiltrate credentials and other sensitive information, and dynamically deploy downloadable modules tailored to the victim’s profile and the tasks at hand.”

The attack chain starts with spear-phishing messages. The lure themes range from official government notices to humanitarian aid applications and psychological tests. Attached archives carry either executables or LNK shortcut files with names that match whatever story the email is telling.

The executable variant is a self-extracting archive built with NSIS. It opens a fake psychological survey while injecting a loader into a legitimate process running in memory. That loader pulls down archives from GitHub repositories, including early development builds of the malware, which Kaspersky found during infrastructure analysis. Once downloaded, everything extracts into %appdata%\WindowsHelper, which becomes the malware’s working directory for all subsequent stages.

The LNK variant abuses the ZDI-CAN-25373 shortcut vulnerability, which allows attackers to hide execution parameters using spaces or line breaks in the command field. The victim sees a decoy document. In the background, PowerShell fetches the loader, which then downloads a Python 3.12 interpreter, a pip installer script, and the BusySnake Stealer payload. Both infection paths end up in the same place.

One detail stands out in the loader samples: the source code contains verbose comments and bullet-point emojis. That coding style has no precedent in human-written malware.

“the loader’s source code contains verbose comments and bullet-point emojis. This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads.” continues the report. “Ultimately, both infection vectors lead to the execution of the primary payload, which we break down in detail below.”

Armored Likho APT

Using AI to generate first-stage loaders lets the group vary their TTPs quickly and complicates attribution. It also means each new campaign can look structurally different from the last one without requiring significant development effort.

BusySnake Stealer is a Python-based infostealer protected with PyArmor Pro 9.2.0. It decrypts its bytecode only at the moment a function is called, re-encrypts it immediately after, and runs silently with no console window, indicated by its .pyw extension. Kaspersky successfully stripped the protector and analyzed the underlying functions.

The stealer runs a set of persistent background tasks from the moment of execution. It monitors the clipboard in an infinite loop, appending new content to a keylog file with timestamps. It builds a local SQLite database of the file system, including file paths, sizes, and modification times. During that scan, it specifically looks for 64-character hexadecimal strings, the format used by many cryptocurrency private keys and API secrets, and forwards any matches to the C2 server. Documents from the desktop, downloads, and documents folders are forwarded automatically if they haven’t been sent before and are under 5 MB.

Persistence runs through a VBScript launcher and a scheduled task that fires every five minutes. A single-instance lock prevents multiple copies from running simultaneously, using a non-standard lock-file mechanism rather than a mutex, which makes it harder to detect through standard process enumeration.

The poll_task function keeps an open connection to the C2 server waiting for instructions. The command set covers a lot of ground. Chromium-based browser passwords are decrypted using Windows DPAPI to recover the browser master key, then extracted via SQL query from the login database. Firefox passwords are handled separately: the stealer loads Firefox’s own NSS library, which automatically accesses the key4.db encryption database, and calls PK11SDR_Decrypt to recover credentials without any user interaction, exploiting the fact that Firefox doesn’t require re-authentication to decrypt stored passwords when no master password has been set.

Cookie extraction follows the same pattern, using SQL queries against the browser’s cookie databases. A secondary module, pulled from a GitHub releases page, installs a browser extension that spins up a local web server to capture cookies directly from a running browser session. Other commands cover OTP key scraping by monitoring the clipboard for otpauth:// strings, cryptocurrency wallet file discovery, Telegram session harvesting (which force-kills the Telegram process, archives the session data from %appdata%\Telegram Desktop\tdata, and exfiltrates the compressed archive), and RustDesk credential capture by restarting the remote desktop application and screenshotting the displayed credentials.

The reverse SSH tunneling function, previously handled by the standalone Go2Tunnel tool, is now built directly into BusySnake Stealer. The malware requests tunnel parameters from grked[.]online, receives an SSH private key and command string from the C2, and establishes a persistent reverse tunnel giving the operators interactive access to the compromised host.

Kaspersky also found a more recent version of BusySnake Stealer during infrastructure analysis. The scheduled task creation no longer calls schtasks directly, instead using the Windows COM object Schedule.Service through the win32com.client library. COM-based task creation is harder to detect through behavioral rules that watch for direct schtasks process execution. The new version also adds a deliberate delay before triggering malicious routines, a standard sandbox evasion technique.

“We also observed refinements to the architectural design of BusySnake Stealer. The attackers built a new task-management framework to handle incoming C2 commands. Each task is assigned a unique identifier, and before execution, the stealer checks for the presence of this task in a specified list.” continues the report. “To track execution states in real time, tasks are dynamically assigned one of four operational statuses: SCHEDULED, IN_PROGRESS, SUCCEEDED, or FAILED.”

Kaspersky attributes this campaign to Armored Likho with medium confidence. The group previously used AquilaRAT as a core tool, and the structural overlaps with BusySnake Stealer are specific. Both malware families receive tasks from the C2 server and handle them through dedicated functions. Both use similar endpoint formats for reporting task execution status back to the server. Both establish persistence through scheduled tasks that mimic legitimate Microsoft utilities: AquilaRAT uses the name MicrosoftOfficeUpdate, BusySnake Stealer uses WindowsHelper.

The reverse tunneling connection is equally specific. Go2Tunnel and BusySnake Stealer both receive tunnel establishment commands and SSH private keys from the C2 server, make requests to similar endpoints, and initiate their tunnels using SSH commands with an identical argument set. As the report states:

“An analysis of Armored Likho’s campaigns over the past few months shows a trend toward using AI tools to generate first-stage payloads, as indicated by redundant comments and code blocks. This allows the group to broaden its available attack vectors.” concludes the report. “At the time of writing, Armored Likho remains highly active. Despite the evolution of their malware variants and their efforts to obfuscate their TTPs, we continue to closely monitor the group’s footprint and detect emerging campaigns.”

Confirmed victims span Russia, Kazakhstan, and Brazil, with the focus on government and electric power infrastructure. The campaign remains active at the time of publication. Kaspersky’s detection products flag the LNK downloader at the point it executes via rundll32.exe, before the PowerShell chain retrieves the second-stage payload. C2 infrastructure resolves to 159.198.41.140, with tunneling routed through 159.198.32[.]222, and the domain grked[.]online handling tunnel configuration requests.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Armored Likho APT)



you might also like

leave a comment