Armored Likho: AI-Generated Malware Hits Power Grids in 3 Countries

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Armored Likho, a previously undocumented advanced persistent threat group, deployed AI-generated malware named BusySnake Stealer against electric power operators and government agencies across Russia, Brazil, and Kazakhstan in an active campaign uncovered by Kaspersky on July 3, 2026. The Armored Likho BusySnake stealer campaign is the first documented case of an APT using large language models to generate functional first-stage loader code at scale, producing polymorphic payloads that rotate through GitHub repositories to evade signature-based detection. Kaspersky attributes the group to the same threat cluster BI.ZONE tracks as Eagle Werewolf, an operator active since May 2023 that previously targeted Russian defense contractors and drone manufacturing organizations.
BusySnake Stealer is a Python 3.12 infostealer obfuscated with PyArmor Pro v9.2.0 that targets Windows systems with a comprehensive credential harvesting framework. Once installed via a spear-phishing email carrying either an NSIS self-extracting archive or a malicious LNK shortcut exploiting the Windows vulnerability ZDI-CAN-25373, BusySnake exfiltrates browser passwords and cookies from all Chromium-based browsers and Firefox, harvests Telegram desktop session data, captures two-factor authentication secrets stored in clipboard OTP strings, scans for cryptocurrency wallet JSON files, takes screenshots on command, and establishes reverse SSH tunnels back to attacker infrastructure using the Go2Tunnel utility. Every 5 minutes, a Windows scheduled task named WindowsHelper silently polls the C2 for new command instructions.
Three facts make this campaign urgent for any organization in the energy or public sector this week. First, Armored Likho is actively targeting power grid operators right now as of July 4, 2026, not historically. Second, the AI-assisted malware development cycle means new BusySnake variants are arriving faster than defenders can update signature databases. Third, the LNK shortcut vulnerability ZDI-CAN-25373 has been exploited by more than a dozen hacking groups since 2017 and remains effective against unpatched Windows endpoints. Your exposure is real if you receive government notices by email, run Windows workstations on an OT network, or have not applied the November 2025 Windows LNK file handling patch.
Who Is Armored Likho? Origin and Attribution
Armored Likho is a previously undocumented threat actor that Kaspersky attributed with medium confidence in July 2026, meaning the attribution is supported by multiple converging technical indicators but has not been confirmed by a definitive source such as a government indictment or intelligence service declassification.
The group overlaps substantially with a threat cluster BI.ZONE tracks as Eagle Werewolf, which has been documented as active since May 2023 and previously focused on Russian-language targets in defense and industrial sectors. Eagle Werewolf conducted a documented intrusion in February 2026, compromising a drone-focused Telegram channel to distribute malware to subscribers, indicating a shift toward supply-chain-style distribution via trusted communication channels.
Kaspersky identified Armored Likho as an evolution or subcluster of Eagle Werewolf based on three converging technical indicators: shared use of the Go2Tunnel SSH tunneling utility with identical command-line arguments, architectural similarity between BusySnake Stealer and a prior tool called AquilaRAT in their task-based C2 command frameworks, and consistent scheduled task naming conventions across campaigns.
Armored Likho blends two motivations that threat intelligence analysts normally treat as separate: financially motivated attacks against private individuals and targeted cyber espionage against government and critical infrastructure organizations. This dual nature means the group maintains both a criminal revenue stream and a state-aligned intelligence collection capability simultaneously. The July 2026 campaign falls in the espionage category, targeting organizations whose compromise yields high-value intelligence: power grid operators with access to energy infrastructure control systems and government agencies with classified document repositories.
The group's use of AI-generated first-stage loader code is the most tactically significant new development. Loader samples contain verbose inline comments, bullet-point emojis within source code, and redundant code blocks, all consistent with LLM-generated output. Unlike AI-assisted malware development by APT28's LameHug cluster, Armored Likho appears to use AI primarily for payload polymorphism rather than capability enhancement, rotating generated variants rapidly to defeat behavioral signatures rather than building fundamentally new attack capabilities.
How Does BusySnake Stealer Work? Technical Breakdown
BusySnake Stealer is a modular Python 3.12 infostealer that Armored Likho delivers via two alternating initial access vectors, both triggered from spear-phishing emails with lures calibrated to the target's sector and geographic region.
The first vector uses an NSIS self-extracting archive distributed as an email attachment. The archive extracts a legitimate-looking executable to the Windows temp directory at the path %TEMP%\nsn5531.tmp\pnx.exe, then injects a malicious Python loader into process memory. The loader downloads additional payload components from attacker-controlled GitHub repositories and stages them in the AppData Roaming WindowsHelper directory before executing BusySnake Stealer.
The second vector uses a malicious LNK shortcut that exploits ZDI-CAN-25373, a Windows vulnerability in how the operating system handles .lnk file parameters that conceals malicious command arguments from the Windows UI properties dialog. Clicking the shortcut triggers an obfuscated PowerShell command via rundll32.exe that downloads the BusySnake payload while simultaneously displaying a decoy document themed around humanitarian aid applications or debt clearance notices to prevent victim suspicion.
Once running, BusySnake establishes persistence by creating a Windows scheduled task named WindowsHelper that executes every 5 minutes. Newer BusySnake versions replace the direct schtasks.exe call with a win32com.client library interaction with the Windows Schedule.Service COM object, a stealthier approach that avoids process-level detection rules that flag schtasks.exe execution. The malware runs with the .pyw file extension to prevent a console window from appearing.
BusySnake's harvesting capabilities cover seven categories: Chromium browser passwords and cookies using DPAPI decryption of the Login State master key via an SQL query against the logins database; Firefox passwords using NSS library function calls against key4.db; Telegram desktop session data collected by force-terminating Telegram.exe and staging the tdata directory; 2FA secrets captured from clipboard OTP strings in the otpauth:// format; cryptocurrency wallet JSON files located via filesystem enumeration; documents up to 5 MB exfiltrated via POST; and screenshots triggered on demand by C2 command. All harvested data is staged in the AppData Roaming WindowsHelper directory before transmission to attacker infrastructure.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Armored Likho TTPs Mapped to MITRE ATT&CK
Kaspersky's July 2026 analysis of Armored Likho documents 13 discrete MITRE ATT&CK techniques spanning the full attack chain from initial access through persistent C2 access.
Initial Access uses Spear Phishing Attachment (T1566.001) as the primary vector, with email lures ranging from official government notices to social program applications tailored to each target country. The February 2026 Eagle Werewolf campaign added Spearphishing Link via Telegram (T1566.002) through a compromised trusted channel.
Execution combines Command and Scripting Interpreter via PowerShell (T1059.001) with rundll32.exe as a living-off-the-land execution proxy (T1202). Process injection (T1055) delivers the first-stage loader into the pnx.exe process memory without writing the final payload to disk initially.
Persistence relies on Scheduled Task/Job via Windows Task Scheduler (T1053.005). The newer COM-based variant interacts with the Schedule.Service object through win32com.client specifically to evade endpoint detection rules that monitor schtasks.exe process creation.
Defense Evasion operates through multiple layers: PyArmor Pro v9.2.0 dynamic bytecode decryption at function call time (T1140), in-memory Python script execution eliminating disk artifacts in newer versions (T1564.005), and the ZDI-CAN-25373 LNK parameter concealment technique.
Credential Access targets both Chromium credential stores using DPAPI decryption (T1555.003) and clipboard monitoring for OTP authentication secrets (T1056.004).
Collection covers Clipboard Data (T1115), Screen Capture (T1113), File and Directory Discovery (T1083), and Data from Local System (T1005) for document exfiltration.
Command and Control uses Proxy via Go2Tunnel reverse SSH tunneling (T1090.002) and SSH Remote Services (T1021.004) for persistent interactive access to compromised hosts.
This TTP map makes Armored Likho particularly difficult to detect with signature-based controls alone. The combination of polymorphic AI-generated loaders defeating signatures, living-off-the-land execution defeating behavioral detections, and COM-based persistence defeating process-monitoring rules creates multiple simultaneous detection gaps. Security teams should compare this map against their existing ATT&CK coverage, particularly in environments that share defensive challenges with state-sponsored critical infrastructure targeting patterns.
“Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage against organizations, with toolkits engineered to bypass dynamic analysis.”
Kaspersky GReAT Research Team, Securelist, July 2026
Armored Likho Infrastructure and Active IOCs
Kaspersky's July 2026 analysis identified six active C2 domains and three C2 IP addresses serving the BusySnake Stealer campaign, along with three malware sample hashes. All IOC data below was confirmed active as of July 3, 2026.
BusySnake Stealer communicates with C2 infrastructure using a REST API. The original version polls GET /get_task?client_id=[HOSTNAME] for commands and reports results via POST /report_status. The updated version uses a versioned API structure: GET /api/v1/client/[ID]/commands/?bid=[BUILD_ID] for command retrieval and /api/v1/client/[ID]/tasks/?bid=[BUILD_ID] for task polling. Each command cycles through four statuses: SCHEDULED, IN_PROGRESS, SUCCEEDED, and FAILED, giving attackers real-time operational visibility into every compromised host's task execution state.
File-based indicators on compromised Windows systems include the directory AppData Roaming WindowsHelper containing chromium_passwords.json, firefox_passwords.json, all_browser_data.json, 2fa_secrets.txt, and an inventory_state.db SQLite database tracking file enumeration progress. The scheduled task named WindowsHelper with a 5-minute execution interval in Windows Task Scheduler is a strong behavioral indicator. VBScript files named wh_selfdelete.vbs and run.vbs in the same directory indicate an older BusySnake variant.
Block or monitor outbound connections to all infrastructure listed below. Report confirmed detections to CISA and share samples with threat sharing platforms to accelerate variant identification across the defender community.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Campaign Timeline: From Eagle Werewolf to Power Grid Attacks
Armored Likho's operational history traces back to May 2023 through the overlapping Eagle Werewolf threat cluster, with documented activity escalating through 2025 and 2026 to the current power sector campaign.
The group's initial targeting under the Eagle Werewolf designation focused on Russian-language victims, consistent with the financially motivated segment of their dual-purpose operation. Credential theft from private individuals provided revenue while building operational infrastructure and refining tooling for the more sophisticated espionage campaigns that followed.
The February 2026 Telegram channel compromise marked a tactical shift. By compromising a legitimate drone-focused Telegram channel rather than sending direct phishing messages, the group leveraged the trust subscribers had already placed in that channel to distribute BusySnake Stealer without triggering the skepticism that unsolicited emails generate. This supply-chain distribution technique is increasingly common among APT operators because it bypasses both email security gateways and user awareness training that emphasizes email phishing.
The July 2026 campaign represents the group's most geographically diverse operation on record, spanning three countries and two critical sectors simultaneously. The expansion from Russia-only targeting to include Brazil and Kazakhstan alongside Russian targets suggests either a broadening of intelligence collection requirements or operational tasking from a state sponsor with regional interests in those energy markets. Both Brazil and Kazakhstan are significant natural resource producers, and both have electric power infrastructure that foreign intelligence services monitor.
May 2023: Eagle Werewolf cluster first documented by BI.ZONE
BI.ZONE identifies the Eagle Werewolf threat cluster targeting Russian-language victims with financially motivated credential theft campaigns, establishing the operational baseline that Kaspersky later links to Armored Likho through shared tooling and infrastructure.
Feb 2026: Telegram channel supply-chain attack
Armored Likho compromises a drone-focused Telegram channel with thousands of subscribers, distributing BusySnake Stealer to followers who trust the channel's content, demonstrating the group's shift from direct phishing to supply-chain distribution through trusted platforms.
July 2026: Power grid campaign confirmed active
Kaspersky GReAT publishes attribution of Armored Likho on July 3, 2026, confirming active BusySnake Stealer deployment against electric power operators and government agencies across Russia, Brazil, and Kazakhstan with AI-generated polymorphic loaders.
Why Armored Likho BusySnake Stealer Matters for Your Organization
Three converging factors make Armored Likho a material risk for organizations in the energy sector, government, and any organization that bridges IT and operational technology networks this week.
The sector targeting is deliberate and reflects intelligence value. Electric power operators hold credentials that control physical infrastructure. Government agencies hold classified documents and diplomatic communications. Both are high-value espionage targets where BusySnake's browser credential, Telegram session, and 2FA secret harvesting produces immediately actionable intelligence for an adversary with regional energy sector interests. If your organization operates in power generation, transmission, or distribution, or if you hold contracts with government agencies in Russia, Brazil, or Kazakhstan, you are within this group's confirmed active targeting scope.
The AI-generated payload problem creates a real detection gap. Static signature-based antivirus cannot reliably detect BusySnake variants when each sample's first-stage loader is generated fresh by a large language model and distributed through GitHub repository rotation. PyArmor Pro obfuscation compounds this by dynamically decrypting bytecode at function call time rather than on disk, defeating many static analysis tools. Organizations that rely exclusively on endpoint antivirus for malware detection face a measurable and current gap against this campaign.
The LNK shortcut vulnerability ZDI-CAN-25373 has been in active use by more than a dozen threat groups since 2017. Despite this long exploitation history, unpatched Windows systems remain common in operational technology environments where patching cycles are slower than corporate IT. A single click on a malicious LNK file in a spear-phishing email delivers BusySnake to a workstation without any further user interaction required after that initial click.
How to Detect and Hunt Armored Likho Activity
Effective detection of Armored Likho requires hunting across four artifact layers: network telemetry, Windows Task Scheduler, filesystem artifacts, and endpoint behavioral rules.
Network hunting: Block all six confirmed C2 domains and three IP addresses at your perimeter firewall and DNS resolver. Search DNS query logs and proxy logs for any resolution of or connection to winupdate[.]live, arvax[.]xyz, varenie[.]live, lvl99[.]store, grked[.]online, and myboard[.]chickenkiller.com. Alert on outbound SSH connections from workstations to external hosts on port 22 that do not match your approved jump server addresses, as this pattern indicates an active Go2Tunnel reverse SSH tunnel.
Filesystem hunting: Search all Windows endpoints for the directory path AppData Roaming WindowsHelper. The presence of this directory, particularly containing any of chromium_passwords.json, firefox_passwords.json, all_browser_data.json, or 2fa_secrets.txt, constitutes definitive compromise evidence requiring immediate host isolation. Scan for VBScript files named wh_selfdelete.vbs or run.vbs in any user's AppData directories.
Task Scheduler hunting: Query all Windows endpoints for scheduled tasks named WindowsHelper with a trigger interval of 5 minutes or any task that executes a .pyw file. This query is simple and produces near-zero false positives in standard enterprise environments.
Endpoint behavioral rules: Enable detection rules for shell_creation_by_rundll32, windows_command_shell_usage, and suspicious_powershell_cmd_or_script_spawning in your EDR platform. Alert on rundll32.exe spawning PowerShell child processes, schtasks.exe creating tasks that execute Python interpreters or .pyw files, and win32com.client Schedule.Service COM object interactions initiated from non-administrative user processes.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Armored Likho BusySnake stealer is an active campaign against power grid operators and government agencies across three countries, confirmed by Kaspersky on July 3, 2026. The group combines AI-generated polymorphic loaders that defeat signature detection, a Windows LNK vulnerability exploited since 2017, and comprehensive credential harvesting that captures browser passwords, Telegram sessions, and 2FA secrets in a single infection. Three actions matter most right now: block the 6 confirmed C2 domains and 3 IPs at your DNS resolver and perimeter firewall, hunt for AppData Roaming WindowsHelper on all Windows endpoints, and apply the November 2025 Windows LNK patch if you have not already done so. If your organization operates energy infrastructure or holds government contracts in the affected regions, treat this as an active threat until you confirm clean endpoint scans.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Who is Armored Likho?
Armored Likho is a previously undocumented advanced persistent threat group first attributed by Kaspersky in July 2026. The group operates with medium-confidence attribution and overlaps substantially with a threat cluster BI.ZONE tracks as Eagle Werewolf, which has been active since May 2023. Armored Likho blends financially motivated campaigns against private individuals with targeted cyber espionage against government agencies and electric power operators. The group is notable for using AI-generated first-stage loader code to produce polymorphic payloads that rotate through GitHub repositories to evade signature-based detection.
What is BusySnake Stealer?
BusySnake Stealer is a Python 3.12 infostealer deployed by Armored Likho against Windows systems. Obfuscated with PyArmor Pro v9.2.0, it harvests browser passwords and cookies from all Chromium-based browsers and Firefox, steals Telegram desktop session data, captures two-factor authentication secrets from clipboard OTP strings, scans for cryptocurrency wallet JSON files, takes screenshots on command, and establishes reverse SSH tunnels via Go2Tunnel for persistent attacker access. A Windows scheduled task named WindowsHelper maintains persistence by polling attacker C2 infrastructure every 5 minutes.
Which countries does Armored Likho target?
Armored Likho has confirmed active targets in Russia, Brazil, and Kazakhstan as of July 2026. The geographic scope expanded from the Eagle Werewolf cluster's earlier focus on Russian-language victims. The July 2026 campaign specifically targets electric power operators and government agencies across all three countries. Both Brazil and Kazakhstan are significant energy producers, suggesting intelligence collection requirements tied to regional energy sector interests. No additional country-level targeting has been confirmed in public reporting as of the Kaspersky attribution published July 3, 2026.
What TTPs does Armored Likho use?
Armored Likho uses 13 documented MITRE ATT&CK techniques. Initial access via spear-phishing attachments (T1566.001) and compromised Telegram channels (T1566.002). Execution via PowerShell (T1059.001) through rundll32.exe (T1202) with process injection (T1055). Persistence via scheduled tasks (T1053.005) using COM object interaction to avoid schtasks detection. Defense evasion via PyArmor obfuscation (T1140) and in-memory execution (T1564.005). Credential access via browser credential stores (T1555.003) and clipboard capture (T1056.004). Exfiltration via reverse SSH tunneling (T1090.002) and SSH remote access (T1021.004).
How do I detect Armored Likho activity in my environment?
Hunt across four artifact layers. Network: block and alert on the 6 confirmed C2 domains and 3 IP addresses, and alert on workstation-originated outbound SSH to external IPs. Filesystem: search all Windows endpoints for the directory AppData Roaming WindowsHelper, which contains chromium_passwords.json and 2fa_secrets.txt on compromised hosts. Task Scheduler: query for a scheduled task named WindowsHelper with a 5-minute trigger interval. Behavioral: enable EDR rules for rundll32 spawning PowerShell, schtasks.exe creating Python-executing tasks, and COM-based Schedule.Service interactions from non-administrative processes.
Is Armored Likho state-sponsored?
No definitive state sponsorship attribution has been published as of July 2026. Kaspersky assigns medium-confidence attribution linking Armored Likho to Eagle Werewolf, but neither group has been tied to a specific government by an indictment or official intelligence declaration. The group's dual motivation of financial crime alongside espionage against power infrastructure is consistent with state-nexus operators that maintain criminal activities for plausible deniability. The targeting of electric power operators across three countries with state-sensitive energy interests supports but does not confirm a state intelligence tasking.
Which sectors does Armored Likho target?
Armored Likho's confirmed targeting in July 2026 focuses on two sectors: electric power infrastructure including power generation, transmission, and distribution operators, and government agencies. Earlier Eagle Werewolf activity also targeted defense contractors involved in drone development and manufacturing. The financially motivated component of the dual-purpose operation targets private individuals across Russian-language communities for credential theft and financial fraud. Organizations in the energy sector or holding government contracts in Russia, Brazil, or Kazakhstan should treat themselves as within Armored Likho's active targeting scope.
How does Armored Likho use AI to generate malware?
Armored Likho uses large language models to generate its first-stage loader code, producing polymorphic variants that defeat signature-based antivirus detection. Kaspersky identified the AI-generation pattern by analyzing loader samples containing verbose inline comments explaining code logic, bullet-point emoji characters within source code, and redundant code blocks, all artifacts consistent with LLM output. Each generated variant is functionally equivalent but structurally unique, preventing security vendors from writing a single signature that matches all variants. The group hosts payload variants on GitHub repositories and rotates them to further limit the useful shelf life of any individual signature rule.
Sources & references
- Kaspersky / Securelist: Armored Likho's New Weapon - BusySnake Stealer
- The Hacker News: Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
- GBHackers: Armored Likho APT Deploys BusySnake Stealer Against Government and Power Sector Targets
- TechTimes: New APT Group Hits Power Grids in Three Countries with AI-Crafted Malware
- MITRE ATT&CK: Enterprise Techniques
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
