ctipilot.ch
← Back to the live brief
NOTABLENATOB3threat

Armored Likho: new APT hits government and electric-power targets with an AI-generated loader and the Python 'BusySnake' stealer

discovered 2026-07-11 17:40 UTCrun 2026-07-11T1435Z-audit1 sourcesingle-source

Kaspersky's threat-monitoring team published a full analysis of a previously unknown APT it dubs Armored Likho (also tracked, on circumstantial evidence, as Eagle Werewolf), which mixes financially motivated campaigns against individuals with targeted espionage against organizations — the current campaign, still active at publication, concentrates on government agencies and electric-power-sector organizations in Russia, Brazil and Kazakhstan (Kaspersky Securelist, 2026-07-03). Initial access is spear-phishing with government-notice and social-program themes carrying archive attachments. One variant drops an NSIS self-extracting dropper that shows a decoy "psychological test" survey, writes a legitimate pnx.exe to a temp directory and injects loader code into its process memory; the other abuses the ZDI-CAN-25373 Windows shortcut-display weakness — whitespace/line-break padding that hides the LNK's real command line from the user — to launch obfuscated PowerShell. Both paths converge on a loader that Kaspersky assesses was written by an LLM (verbose comments and bullet-point emojis "highly uncharacteristic of human-developed malware") — a concrete case of AI-generated first-stage tooling blurring the actor's TTP fingerprint and complicating attribution (Kaspersky Securelist, 2026-07-03).

The loader pulls its payload packages from attacker-controlled GitHub repositories whose contents and names rotate automatically, then stages everything under %APPDATA%\WindowsHelper: a bundled Python 3.12 interpreter, get-pip.py for dependency installation, and the primary payload module.pyw — BusySnake Stealer, a Python infostealer obfuscated with PyArmor Pro 9.2.0 that decrypts each function's bytecode only at call time and re-encrypts it afterward. Persistence is a VBScript launcher (run.vbs) registered as a scheduled task re-executing the payload every five minutes; a companion wh_selfdelete.vbs wipes the initial loader. On tasking from its C2, the stealer harvests Chromium credentials via DPAPI and Firefox credentials via PK11SDR_Decrypt, steals browser cookies (in one command variant by installing a browser extension), scrapes the clipboard and local files for 64-character hex keys and otpauth:// OTP seeds, inventories and exfiltrates user documents under 5 MB, captures screenshots, packages Telegram tdata session stores after force-killing telegram.exe, hunts cryptocurrency-wallet JSON files, opens a reverse-SSH tunnel with a C2-supplied key, and abuses RustDesk — downloading it if absent, or restarting it to make the user re-enter their ID/password while screenshotting the credentials (Kaspersky Securelist, 2026-07-03).

Provenance note: this entry was published by the 2026-07-11 full-store quality audit, which found the item had fallen into the 2026-07-07 scheduler outage's backfill blind spot (research-blog publications do not route through the KEV/CERT catch-up paths the backfill run swept — pipeline fix shipped as prompts v3.21).

This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor.

This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads.

Kaspersky Securelist 2026-07-03

ATT&CK mapping

15 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Resource Development TA0042
T1608.001Stage Capabilities: Upload Malware

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

overlap matrix · ATT&CK page ↗

Initial Access TA0001
T1566.001Phishing: Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1053.005Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

overlap matrix · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

overlap matrix · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

overlap matrix · ATT&CK page ↗

T1204.002User Execution: Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1053.005Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1053.005Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

overlap matrix · ATT&CK page ↗

T1055Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1027Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

overlap matrix · ATT&CK page ↗

T1055Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1539Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

overlap matrix · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1005Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

overlap matrix · ATT&CK page ↗

T1113Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.

overlap matrix · ATT&CK page ↗

T1115Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1219Remote Access Tools

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

overlap matrix · ATT&CK page ↗

T1572Protocol Tunneling

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.