2026-07-11 · view entry permalink →
Armored Likho: new APT hits government and electric-power targets with an AI-generated loader and the Python 'BusySnake' stealer
Kaspersky's threat-monitoring team published a full analysis of a previously unknown APT it dubs Armored Likho (also tracked, on circumstantial evidence, as Eagle Werewolf), which mixes financially motivated campaigns against individuals with targeted espionage against organizations — the current campaign, still active at publication, concentrates on government agencies and electric-power-sector organizations in Russia, Brazil and Kazakhstan (Kaspersky Securelist, 2026-07-03). Initial access is spear-phishing with government-notice and social-program themes carrying archive attachments. One variant drops an NSIS self-extracting dropper that shows a decoy "psychological test" survey, writes a legitimate pnx.exe to a temp directory and injects loader code into its process memory; the other abuses the ZDI-CAN-25373 Windows shortcut-display weakness — whitespace/line-break padding that hides the LNK's real command line from the user — to launch obfuscated PowerShell. Both paths converge on a loader that Kaspersky assesses was written by an LLM (verbose comments and bullet-point emojis "highly uncharacteristic of human-developed malware") — a concrete case of AI-generated first-stage tooling blurring the actor's TTP fingerprint and complicating attribution (Kaspersky Securelist, 2026-07-03).
The loader pulls its payload packages from attacker-controlled GitHub repositories whose contents and names rotate automatically, then stages everything under %APPDATA%\WindowsHelper: a bundled Python 3.12 interpreter, get-pip.py for dependency installation, and the primary payload module.pyw — BusySnake Stealer, a Python infostealer obfuscated with PyArmor Pro 9.2.0 that decrypts each function's bytecode only at call time and re-encrypts it afterward. Persistence is a VBScript launcher (run.vbs) registered as a scheduled task re-executing the payload every five minutes; a companion wh_selfdelete.vbs wipes the initial loader. On tasking from its C2, the stealer harvests Chromium credentials via DPAPI and Firefox credentials via PK11SDR_Decrypt, steals browser cookies (in one command variant by installing a browser extension), scrapes the clipboard and local files for 64-character hex keys and otpauth:// OTP seeds, inventories and exfiltrates user documents under 5 MB, captures screenshots, packages Telegram tdata session stores after force-killing telegram.exe, hunts cryptocurrency-wallet JSON files, opens a reverse-SSH tunnel with a C2-supplied key, and abuses RustDesk — downloading it if absent, or restarting it to make the user re-enter their ID/password while screenshotting the credentials (Kaspersky Securelist, 2026-07-03).
Provenance note: this entry was published by the 2026-07-11 full-store quality audit, which found the item had fallen into the 2026-07-07 scheduler outage's backfill blind spot (research-blog publications do not route through the KEV/CERT catch-up paths the backfill run swept — pipeline fix shipped as prompts v3.21).
This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor.
This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads.