← Back to feed

Armored Likho: LLM-Generated Malware Targeting Critical Infrastructure in Russia, Kazakhstan, Brazil

Date: 2026-07-10
Tags: nation-state, malware, apt

Executive Summary

Kaspersky identified Armored Likho (also tracked as Eagle Werewolf), an APT group using large language models to generate first-stage loader code, identified through verbose inline comments, bullet-point emoji, and redundant code blocks consistent with LLM output. The group runs two parallel tracks: financially motivated attacks against private individuals and targeted espionage against government agencies and electric power organizations in Russia, Kazakhstan, and Brazil. AI-generated code erases traditional stylistic fingerprints used for threat attribution, with CrowdStrike documenting an 89% increase in AI-enabled attacks in 2025.

Campaign Summary

FieldDetail
Campaign / MalwareArmored Likho / Eagle Werewolf
AttributionArmored Likho (probable state-adjacent or state-linked Russian/CIS actor) (confidence: high)
TargetGovernment agencies and electric power operators in Russia, Kazakhstan, and Brazil; private individuals globally
VectorSpear-phishing with CVE-2025-9491 (Windows LNK vulnerability); BusySnake stealer with PyArmor Pro obfuscation
Statusactive
First Observed2026-07-04 (disclosure date; campaign activity ongoing)

Detailed Findings

Kaspersky's analysis found evidence that Armored Likho used large language models to generate its first-stage loader code, with the presence of verbose inline comments, bullet-point emoji, and redundant code blocks consistent with LLM output. The operational consequence is that AI-generated code erases the stylistic fingerprints that threat intelligence analysts traditionally use to link new malware samples to known threat groups, buying the attacker time and complicating any legal or diplomatic response.

BusySnake Stealer is a Python-based infostealer protected with PyArmor Pro 9.2.0 that decrypts its bytecode only at the moment a function is called and runs silently with no console window. A more recent version of BusySnake Stealer uses the Windows COM object Schedule.Service through the win32com.client library instead of calling schtasks directly, making it harder to detect through behavioral rules.

CrowdStrike's Global Threat Report 2026 found an 89% increase in AI-enabled attacks in 2025; Armored Likho's use of this technique specifically for attribution evasion represents a documented escalation of the tactic beyond commodity cybercrime into state-level (or state-adjacent) espionage.

MITRE ATT&CK Mapping

TechniqueIDContext
Malware DevelopmentT1587.001Using LLM to generate obfuscated malware code
Exploit Public-Facing ApplicationT1190Exploiting CVE-2025-9491 in Windows LNK files via spear-phishing
Indicator RemovalT1070AI-generated code patterns erase stylistic attribution fingerprints

IOCs

Domains

_No specific IOCs published; campaign identified through code-style analysis and behavioral attributes of BusySnake stealer. Source: Kaspersky threat research._

Full URL Paths

_No specific IOCs published; campaign identified through code-style analysis and behavioral attributes of BusySnake stealer. Source: Kaspersky threat research._

Splunk Format

_No IOCs available for Splunk query_

Affected Platforms

Windows
macOS

Detection Recommendations

Monitor for BusySnake stealer samples via behavioral analysis of COM-based task scheduling (Schedule.Service) rather than schtasks.exe process execution. Analyze PowerShell and Python loader code for characteristics typical of LLM generation: verbose comments with emoji, redundant control flow, and atypical variable naming patterns. Cross-reference code style anomalies with LLM fingerprints (Arctic Wolf Labs documented >22,000 files with similar patterns from Feb 2025–Feb 2026). Implement YARA rules targeting PyArmor Pro 9.2.0 bytecode decryption patterns. Network detection should flag credential exfiltration patterns consistent with infostealer post-exploitation.

References