The Armored Likho APT group, discovered by Kaspersky, is conducting cyber-espionage and financially motivated attacks against government agencies and electric-sector operators in Russia, Brazil, and Kazakhstan. Technical analysis published July 3, 2026 documents a malware arsenal in which the Python-based BusySnake stealer is the most advanced component, protected by PyArmor Pro 9.2.0 with dynamic bytecode decryption and clear signs of AI generation in first-stage payloads. The campaign marks a turning point: traditional attribution techniques based on coding style lose effectiveness against commercial obfuscation tools and generative model languages.
- Armored Likho targets government agencies and electric-sector operators in Russia, Brazil, and Kazakhstan, blending cyber-espionage with financial motives.
- BusySnake Stealer uses PyArmor Pro 9.2.0 with selective runtime bytecode decryption: each function is decrypted only at the moment of call and immediately re-encrypted, preventing full static analysis.
- Initial-access vectors include LNK files exploiting CVE-2025-9491 (ZDI-CAN-25373), a vulnerability patched by Microsoft in November 2025 but still effective on unpatched systems.
- First-stage payloads exhibit AI-generation hallmarks: verbose comments, bullet-point emojis, redundant code blocks, consistent with LLM outputs documented by Arctic Wolf Labs across more than 22,000 files.
The LNK Vector and CVE-2025-9491
Armored Likho operators employ spear-phishing with archive attachments containing NSIS executables or malicious LNK files. The LNK files exploit CVE-2025-9491, also tracked as ZDI-CAN-25373: a UI interpretation vulnerability that hides malicious command arguments via whitespace padding. The Windows properties window displays only the first 260 characters, rendering the real payload invisible to users and many automated analysis tools.
Microsoft silently patched CVE-2025-9491 during the November 2025 Patch Tuesday, as documented by The Hacker News. The vulnerability had been actively exploited since 2017 by various groups, leaving an exposure window of roughly eight years on unpatched systems. Armored Likho's reuse of it in 2026 indicates that the legacy system footprint in targeted sectors remains significant.
BusySnake: Anatomy of the Stealer and PyArmor Pro Evasion
BusySnake Stealer serves as the operation's primary payload. Written in Python and distributed as a .pyw file to avoid a console window, the tool implements a protection mechanism that defeats conventional forensic techniques. According to TechTimes, reporting on Kaspersky's analysis, PyArmor Pro 9.2.0 decrypts individual function bytecode only at the exact moment of invocation, re-encrypting it immediately afterward. The complete code never resides in memory in decrypted form, rendering memory dumps ineffective for source reconstruction.
The stealer integrates multi-browser credential theft: for Chromium it uses Windows DPAPI via win32crypt.CryptUnprotectData; for Firefox it loads the NSS library and invokes NSS_Init() and PK11SDR_Decrypt(), exploiting the insecure default practice of no master password. TechTimes also documents screenshot capture, enumeration of files in local SQLite databases, exfiltration of documents larger than 5 MB, and remote command execution.
Remote access is achieved by manipulating RustDesk: if the software is already installed, a forced restart solicits fresh credentials with screenshot capture; if absent, it is downloaded from GitHub repositories. Payloads are fetched from automatically rotating GitHub paths containing both development builds and test samples, suggesting an active, continuous development cycle.
From schtasks to COM Object: Persistence Evolution
A newer BusySnake version introduces a significant change in persistence mechanism. Instead of the classic schtasks command, the stealer uses the Schedule.Service COM object via Python win32com.client. The shift eliminates an easily detectable command line, replacing it with system object calls that are less monitored. The resulting task executes the payload every five minutes, a frequency that ensures rapid reconnection if interrupted.
The same version introduces a task-management framework with defined operational states: SCHEDULED, IN_PROGRESS, SUCCEEDED, FAILED. Go2Tunnel, previously a standalone tool, is now integrated directly into the stealer as a built-in function with parameters received from the C2 server, consolidating the arsenal into a single modular executable.
"Traditional coding-style fingerprinting is a primary tool for linking new malware samples to known threat actors. AI-generated code erases those fingerprints" — TechTimes analysis
The Shadow of Eagle Werewolf and Attribution Limits
Kaspersky flags a possible overlap between Armored Likho and Eagle Werewolf, a group documented by BI.ZONE active since May 2023 against government, defense, and UAV sectors in Russia. Eagle Werewolf deployed AquilaRAT, whose structure and persistence mechanism resemble BusySnake. In February 2026, Eagle Werewolf was observed compromising a drone Telegram channel to distribute AquilaRAT. No infrastructure overlaps conclusively link the two clusters at this stage: Kaspersky assigns a "medium" confidence level to Armored Likho attribution, without indicating a specific nation of origin.
AI generation in first-stage payloads further complicates the picture. According to TechTimes, verbose comments, bullet-point emojis, and redundant code blocks are consistent with LLM outputs. Arctic Wolf Labs has documented the same signature across more than 22,000 files. For Armored Likho, this technique is not isolated: TechTimes places it among the first documented cases of an APT whose primary mission is critical-infrastructure espionage, rather than commodity cybercrime, employing generative AI.
Immediate Actions
Organizations in government and energy sectors should immediately verify application of the Microsoft patch for CVE-2025-9491 from November 2025, prioritizing legacy systems that may not have received automatic updates. Conduct an audit of scheduled tasks on workstations, focusing on instances using COM objects rather than explicit schtasks commands. Monitoring traffic to public GitHub repositories — particularly anomalous fetches from rotating paths — serves as a relevant behavioral indicator given the documented payload-retrieval mechanism. Finally, unauthorized RustDesk use or sudden restarts should trigger remote-access checks and credential verification.
Why the Democratization of Evasion Changes Detection
The assembly of PyArmor Pro, a legitimate commercial tool, with LLM-generated payloads and patched-but-persistent vulnerabilities sketches a threat model where the technical barrier to entry drops while attribution efficacy degrades. Traditional forensic methods — coding-style fingerprinting, static source analysis, compilation-artifact correlation — lose ground against runtime decryption and automatic code generation. Detection must shift to behavior: network patterns, COM object usage anomalies, unusual beaconing frequencies, access to repositories unrelated to institutional activity.
Armored Likho introduces no zero-day vulnerabilities nor never-before-seen exploit techniques. Its novelty lies in composition: an actor blending financial and geopolitical aims, protecting its payload with high-grade commercial tooling, and masking the author's digital fingerprints behind generative model output. For defenders, this means the line between sophisticated APT and crimeware operator is thinning, and response must adapt to an adversary that changes face faster than signatures can track.
Sources
- https://www.securityweek.com/armored-likho-apt-targeting-government-electric-power-entities/
- https://thehackernews.com/2026/07/armored-likho-targets-government.html
- https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/
- https://unit42.paloaltonetworks.com/large-scale-credential-attacks/
- https://cvefeed.io/newsroom/latest
- https://www.techtimes.com/articles/319680/20260704/new-apt-group-hits-power-grids-three-countries-ai-crafted-malware.htm
- https://gbhackers.com/busysnake-stealer-malware/amp/
- https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html
- https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
- https://thehackernews.uk/ai-vuln-protection-d
Information verified against cited sources and current as of publication.