Armored Likho: LLM-Generated Malware Targeting Critical Infrastructure in Russia, Kazakhstan, Brazil
Date: 2026-07-10
Tags: nation-state, malware, apt
Executive Summary
Kaspersky identified Armored Likho (also tracked as Eagle Werewolf), an APT group using large language models to generate first-stage loader code, identified through verbose inline comments, bullet-point emoji, and redundant code blocks consistent with LLM output. The group runs two parallel tracks: financially motivated attacks against private individuals and targeted espionage against government agencies and electric power organizations in Russia, Kazakhstan, and Brazil. AI-generated code erases traditional stylistic fingerprints used for threat attribution, with CrowdStrike documenting an 89% increase in AI-enabled attacks in 2025.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Armored Likho / Eagle Werewolf |
| Attribution | Armored Likho (probable state-adjacent or state-linked Russian/CIS actor) (confidence: high) |
| Target | Government agencies and electric power operators in Russia, Kazakhstan, and Brazil; private individuals globally |
| Vector | Spear-phishing with CVE-2025-9491 (Windows LNK vulnerability); BusySnake stealer with PyArmor Pro obfuscation |
| Status | active |
| First Observed | 2026-07-04 (disclosure date; campaign activity ongoing) |
Detailed Findings
Kaspersky's analysis found evidence that Armored Likho used large language models to generate its first-stage loader code, with the presence of verbose inline comments, bullet-point emoji, and redundant code blocks consistent with LLM output. The operational consequence is that AI-generated code erases the stylistic fingerprints that threat intelligence analysts traditionally use to link new malware samples to known threat groups, buying the attacker time and complicating any legal or diplomatic response.
BusySnake Stealer is a Python-based infostealer protected with PyArmor Pro 9.2.0 that decrypts its bytecode only at the moment a function is called and runs silently with no console window. A more recent version of BusySnake Stealer uses the Windows COM object Schedule.Service through the win32com.client library instead of calling schtasks directly, making it harder to detect through behavioral rules.
CrowdStrike's Global Threat Report 2026 found an 89% increase in AI-enabled attacks in 2025; Armored Likho's use of this technique specifically for attribution evasion represents a documented escalation of the tactic beyond commodity cybercrime into state-level (or state-adjacent) espionage.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Malware Development | T1587.001 | Using LLM to generate obfuscated malware code |
| Exploit Public-Facing Application | T1190 | Exploiting CVE-2025-9491 in Windows LNK files via spear-phishing |
| Indicator Removal | T1070 | AI-generated code patterns erase stylistic attribution fingerprints |
IOCs
Domains
_No specific IOCs published; campaign identified through code-style analysis and behavioral attributes of BusySnake stealer. Source: Kaspersky threat research._
Full URL Paths
_No specific IOCs published; campaign identified through code-style analysis and behavioral attributes of BusySnake stealer. Source: Kaspersky threat research._
Splunk Format
_No IOCs available for Splunk query_
Affected Platforms
Windows
macOS
Detection Recommendations
Monitor for BusySnake stealer samples via behavioral analysis of COM-based task scheduling (Schedule.Service) rather than schtasks.exe process execution. Analyze PowerShell and Python loader code for characteristics typical of LLM generation: verbose comments with emoji, redundant control flow, and atypical variable naming patterns. Cross-reference code style anomalies with LLM fingerprints (Arctic Wolf Labs documented >22,000 files with similar patterns from Feb 2025–Feb 2026). Implement YARA rules targeting PyArmor Pro 9.2.0 bytecode decryption patterns. Network detection should flag credential exfiltration patterns consistent with infostealer post-exploitation.
References
- [Kaspersky] New APT Group Hits Power Grids in Three Countries with AI-Crafted Malware (2026-07-04) — https://www.techtimes.com/articles/319680/20260704/new-apt-group-hits-power-grids-three-countries-ai-crafted-malware.htm
- [SecurityAffairs] AI-Generated Malware Powers New Armored Likho APT Campaign (2026-07-07) — https://securityaffairs.com/194854/apt/ai-generated-malware-powers-new-armored-likho-apt-campaign.html
- [Kaspersky] Armored Likho: AI-Enabled Espionage Against Critical Infrastructure (2026-07-04) — https://www.kaspersky.com/about/press-releases/2026/armored-likho-apt