Armored Likho uses LLMs to write first-stage payloads and PyArmor Pro to obfuscate them. Kaspersky's report reveals an infostealer targeting the energy sector.

The Armored Likho cyber-espionage group has operated since 2022 against government agencies and electric-sector organizations in Russia, Brazil, and Kazakhstan with a previously undocumented Python infostealer, BusySnake Stealer, whose initial components are generated by AI language models and obfuscated with PyArmor Pro 9.2.0. The Kaspersky Securelist report, published in April 2022, documents for the first time the use of LLMs in the infection chain of an active APT, marking a turning point in the democratization of advanced evasion techniques.

Key Takeaways
  • Armored Likho, also tracked as Eagle Werewolf (an alias that rests on circumstantial evidence), has conducted cyber-espionage and data-theft campaigns since 2022 against government targets and energy infrastructure in three countries: Russia, Brazil, and Kazakhstan.
  • BusySnake Stealer is a previously undocumented Python-based infostealer that implements a modular handler-based architecture with dynamic runtime obfuscation via PyArmor Pro 9.2.0.
  • First-stage payloads (loader and stager) contain verbose comments and emoji in the source code, which Kaspersky interprets as "strongly indicative" of LLM generation.
  • The group abuses GitHub repositories for automated malware component staging, with rapid rotation of both payloads and repositories to evade detection.
  • Persistence relies on a scheduled task that executes the payload every 5 minutes via VBScript, an unusually short interval compared to the 15-60 minutes typical of commodity malware.

How AI Enters the Infection Chain

Kaspersky's technical analysis reveals that Armored Likho's initial payloads bear unmistakable traces of automatic generation. The Python files containing the loaders and stagers feature extensive comments, bullet-point formatting, and emoji — a coding style that GReAT analysts describe as "highly uncharacteristic of human-developed malware."

"This coding style is highly uncharacteristic of human-developed malware. It strongly indicates that the group is leveraging LLMs to generate their malicious payloads." — Kaspersky Securelist

The use of language models for malicious code generation gives the group a dual operational advantage. On one hand, AI-generated payloads vary significantly from each other, rendering static signatures based on hashes or recognized patterns ineffective. On the other, the code tends to pass through dynamic sandboxes undetected: automated analyzers execute the first stage without spotting malicious behavior, since the actual payload is downloaded and decrypted only at later stages.

This technique obscures the group's TTPs (Tactics, Techniques, and Procedures), complicating attribution efforts that traditionally rely on code stylistic consistency and the repetition of manually developed patterns over time.

PyArmor Pro 9.2.0 and Runtime Obfuscation

BusySnake Stealer employs PyArmor Pro version 9.2.0, a commercial Python obfuscation tool that implements dynamic per-function runtime decryption. The mechanism works as follows: every malware function remains encrypted in the distributed file and is decrypted only at the moment of its execution, to be immediately re-encrypted upon completion.

This approach makes traditional static analysis impractical: the reverse engineer inspecting the file on disk finds only obfuscated bytecode, while dynamic analysis must capture each decrypted fragment at the precise instant of its execution, reconstructing the puzzle function by function. Kaspersky notes that PyArmor Pro 9.2.0 represents the state of the art in consumer-grade Python obfuscation, previously unobserved in documented APT campaigns.

BusySnake Stealer's handler-based architecture organizes the theft of credentials, documents, and screenshots into separate modules, each activatable from the command-and-control server. The malware's working directory is $appdata\WindowsHelper, where executed components and collected data reside before exfiltration.

GitHub as Infrastructure and the Two Infection Variants

Armored Likho does not register dedicated domains for payload staging but abuses GitHub repositories — a platform that enjoys high reputation on corporate proxy allowlists. Kaspersky identified repositories with early development builds and test samples, highlighting an automated release process that enables rapid rotation of both payloads and repositories themselves.

The campaign spreads through two distinct vectors. The first variant uses an NSIS installer that hosts a decoy application — a fake psychological test — to disarm the user's suspicion while extracting and installing the main payload in the background. Phishing attachments carry thematic names such as "psihologicheskiy_test.zip" or "zayavka_gumanitarnayapomosch.rar".

The second variant exploits ZDI-CAN-25373, a vulnerability in the handling of LNK files: the Windows shortcut hides its command-line parameters behind runs of spaces and line breaks and executes a PowerShell downloader that retrieves the subsequent components. The dossier does not specify which vulnerable software exposes this flaw, nor does it provide a severity score or an associated CVE identifier.
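As an added example that is not code from the report or from the malware, the following parser reads the Shell Link StringData section to recover a shortcut's COMMAND_LINE_ARGUMENTS and flags the padding pattern described above; the .lnk bytes are constructed here as a test fixture, and the 64-character run threshold is an assumed tuning value.

```python
import re
import struct
# LinkFlags bits and header size from the MS-SHLLINK specification
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE, HEADER_SIZE = 0x40, 0x80, 0x4C
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo structures."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize counts itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + width * count].decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
    return fields

def suspicious_arguments(args: str, max_run: int = 64) -> list:
    """Flag line breaks or long whitespace runs that push the real command out of view."""
    findings = []
    if "\r" in args or "\n" in args:
        findings.append("line breaks in arguments")
    longest = max((len(m.group(0)) for m in re.finditer(r"[ \t\r\n]+", args)), default=0)
    if longest >= max_run:
        findings.append(f"whitespace run of {longest} characters")
    return findings

def build_lnk(args: str) -> bytes:
    """Constructed minimal .lnk carrying only COMMAND_LINE_ARGUMENTS (test fixture, not a real sample)."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

BENIGN = build_lnk("/k echo hello")   # constructed benign shortcut
PADDED = build_lnk(" " * 200 + "\r\n" + "-NoProfile -Command <placeholder downloader>")  # constructed padded one
```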

Hybrid Persistence: Every 5 Minutes

BusySnake Stealer ensures its survival through a scheduled task that executes the payload every 5 minutes via a VBScript (run.vbs). This unusually short interval — compared to the 15-60 minutes typical of commodity malware — suggests an operational priority on continuous real-time data collection.

In parallel, the malware implements a non-standard lock-file mechanism: a custom algorithm checks for the presence of the file Roaming\WindowsHelper\screenshots\.lock to prevent concurrent multiple executions, instead of resorting to traditional mutexes or registry keys. This choice, flagged as anomalous by analysts, further complicates detection based on established indicators of compromise.

What to Do Now

Organizations operating in the energy sector and public administration in the three target countries — Russia, Brazil, and Kazakhstan — must integrate specific controls for Armored Likho's documented TTPs into their security posture.

  • Monitor the execution of VBScript scripts at 5-minute intervals through Windows scheduled task logs, since this frequency is a distinctive indicator of BusySnake Stealer's persistence.
  • Inspect the $appdata\WindowsHelper path and its subdirectories, in particular for the presence of the .lock file in screenshots\, as indicators of compromise associated with the malware's working directory.
  • Analyze traffic to unauthorized or unusual GitHub repositories, given that Armored Likho uses the platform for automated staging with rapid payload rotation.
  • Evaluate advanced dynamic analysis tooling for detecting Python code obfuscated with PyArmor Pro 9.2.0, since per-function runtime decryption evades conventional static signatures.
  • Examine attachments with Russian-language thematic names closely, particularly archives containing NSIS installers or LNK files whose parameters are hidden by spaces and line breaks.
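As an added example (not the report's or the malware's own code) serving both the persistence description above and the task-log and working-directory checks listed here, the following triage logic parses an exported Task Scheduler XML definition for a repetition interval of 5 minutes or less combined with a VBScript action or a WindowsHelper path, and checks for the screenshots\.lock marker; the task XML is constructed, and the 300-second threshold is an assumption.

```python
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema
WORKDIR = r"%APPDATA%\WindowsHelper"  # working directory named in the report

def iso_duration_seconds(text: str) -> int:
    """Convert a Task Scheduler interval such as PT5M or PT1H30M to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m:
        raise ValueError(f"bad ISO 8601 duration: {text}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task_xml(xml_text: str, max_interval: int = 300) -> list:
    """Flag tasks repeating at <= max_interval seconds, launching VBScript, or touching WindowsHelper."""
    root = ET.fromstring(xml_text)
    findings = []
    intervals = [iso_duration_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    if intervals and min(intervals) <= max_interval:
        findings.append(f"repetition interval {min(intervals)}s")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) + " " + ex.findtext("t:Arguments", "", NS)).lower()
        if re.search(r"\b[wc]script(\.exe)?\b|\.vbs\b", cmd):
            findings.append("script host launches VBScript")
        if "windowshelper" in cmd:
            findings.append("references WindowsHelper directory")
    return findings

def lock_file_present(workdir: str = WORKDIR) -> bool:
    """True if the screenshots/.lock marker described in the report exists under the working directory."""
    return os.path.isfile(os.path.join(os.path.expandvars(workdir), "screenshots", ".lock"))

# constructed task definition in the Task Scheduler XML schema, not a sample from the report
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2020-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"C:\Users\user\AppData\Roaming\WindowsHelper\run.vbs"</Arguments>
  </Exec></Actions>
</Task>"""
```

On a live host, feed the output of `schtasks /query /xml` for each task to triage_task_xml and call lock_file_present with no argument so %APPDATA% expands to the current profile.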

Why It Matters

The Kaspersky dossier does not document specific remedial measures or detailed operational recommendations for potential victims. It is not specified whether the identified GitHub repositories have been reported or removed, nor is it clear whether the campaign continues beyond the report's publication date in April 2022.

The exact number of compromised entities is not quantified, and the group's attribution to a nation-state-sponsored actor or a mercenary operator remains undocumented. The Eagle Werewolf alias, reported by the source, rests on circumstantial evidence rather than confirmed infrastructure overlaps.

What the report makes evident is the acceleration of a trend: the intersection of AI-generated malware, advanced commercial obfuscation, and abuse of legitimate cloud services erodes the traditional distinction between "sophisticated" APTs and mid-tier operators. When a group can generate evasive payloads with LLMs and distribute them via GitHub, attribution based on "technical maturity" loses part of its predictive validity.

The systematic theft of credentials, documents, and screenshots every 5 minutes exposes the energy sector and public administration to risks of industrial espionage and, prospectively, infrastructure sabotage. The ability to detect anomalous behavior in PyArmor usage, scheduled VBScript execution patterns, or access to unauthorized GitHub repositories becomes central, as static signatures are destined to become progressively inadequate.

Limits and Open Questions

The Kaspersky report, while technically dense, leaves questions on which the source does not pronounce. It is not documented whether ZDI-CAN-25373 has been patched by the affected vendor, nor whether the LNK file vulnerability is currently exploitable on updated systems. The nature of the exfiltrated data — whether credentials for industrial systems, strategic documents, or personal information — is not detailed in the available technical section.

The use of LLMs for code generation, while indicated as "highly probable" by analysts, is not accompanied by forensic evidence identifying the specific model or service used. It therefore remains a solid operational hypothesis, but not an absolute certainty.

Information is based on the cited source and current as of the time of publication.

Sources and references
  1. securelist.com