Researchers at Kaspersky have exposed an active espionage campaign run by a previously unknown hacking group they have named Armored Likho (also tracked as Eagle Werewolf), which has been breaking into government agencies and electric power companies across Russia, Kazakhstan, and Brazil. What makes the operation notable is how the attackers built their malware: the first-stage loaders were generated with the help of large language models, a shortcut that both speeds up development and erases the stylistic clues analysts usually rely on to attribute an attack.
Who is being targeted
The group blends financially motivated attacks on individuals with cyber espionage against organizations, giving it an unusually broad footprint for a single actor. According to Kaspersky, the campaign remains active at the time of writing and leans on spear phishing: malicious emails crafted around themes such as official government notices, humanitarian aid applications, and social programs. Victims receive archive files (ZIP or RAR) containing executables or Windows shortcut (LNK) files dressed up to match the lure, for example a fake psychological test that opens a decoy survey to lower suspicion while the real payload runs.
How the attack works
Once a victim opens the attachment, a dropper writes a legitimate-looking file to disk and injects malicious code into it. That loader then pulls further payloads from rotating GitHub repositories, where Kaspersky found early development builds that the group publishes automatically so it can swap out infrastructure quickly. In some samples the attackers abused a known Windows shortcut weakness (tracked as ZDI-CAN-25373): the shortcut's command-line arguments are padded with long runs of spaces and line breaks, so the Target field in the file's Properties dialog appears empty and the real command is never shown to the user. The chain installs a bundled Python interpreter and ultimately runs the group's main tool.
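To make the shortcut trick concrete, here is an added example written for this briefing (it is not code from Kaspersky's report or from the campaign itself): a minimal parser for the Shell Link (.lnk) binary format that reads the StringData fields and flags an arguments string that has been padded with whitespace. The sample shortcut it analyzes is constructed in the block, the padded command behind it is a harmless placeholder rather than anything recovered from the campaign, and the 32-character padding threshold is a heuristic, not a value from the report.

```python
import struct

# Constants from MS-SHLLINK (the Shell Link binary file format).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
WHITESPACE = " \t\r\n\x0b\x0c"
PAD_THRESHOLD = 32  # heuristic (our assumption): no real command line starts with this much whitespace


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, skipping LinkTargetIDList and LinkInfo."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_ID_LIST:                 # LinkTargetIDList: 2-byte size followed by the IDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:               # LinkInfo: its size field counts the whole structure
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:        # fixed order per the spec, each present only if flagged
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def analyze_lnk(data: bytes) -> dict:
    """Flag an arguments string padded so the Properties dialog shows nothing after the target."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    visible = args.lstrip(WHITESPACE)
    padding = len(args) - len(visible)
    has_line_breaks = any(c in args for c in "\r\n\x0b\x0c")   # never legitimate in an argument string
    return {
        "target": fields.get("relative_path", ""),
        "padding_chars": padding,
        "hidden_command": visible.strip(),
        "suspicious": padding >= PAD_THRESHOLD or has_line_breaks,
    }


def build_sample_lnk(arguments: str, target: str = r"..\..\Windows\System32\cmd.exe") -> bytes:
    """Constructed sample (not a campaign artifact): a minimal Unicode .lnk with a target and arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    # Header fields: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (7 = SW_SHOWMINNOACTIVE, keeps the window out of sight), HotKey, reserved.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(target) + string_data(arguments)


# Placeholder payload for the demo: 200 spaces and a line break in front of a harmless command.
PADDED_ARGS = " " * 200 + "\r\n" + "/c calc.exe"
CLEAN_ARGS = "/c calc.exe"

if __name__ == "__main__":
    for label, args in (("padded", PADDED_ARGS), ("clean", CLEAN_ARGS)):
        print(label, analyze_lnk(build_sample_lnk(args)))
```

Run it against a real shortcut with `analyze_lnk(open(path, "rb").read())`. The parser deliberately skips the IDList and LinkInfo structures rather than interpreting them, because for this check only the StringData matters; a production triage script would also want to surface the icon location and working directory, which lures like these often set to mimic a document.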
Tellingly, the loader source code is littered with verbose comments and emoji bullet points, a style Kaspersky calls highly uncharacteristic of hand-written malware and a strong sign the code was produced by an LLM. This is the same trend of AI-assisted malware development seen in other recent campaigns, including an AI-generated fake bank site used to seize victims' PCs in Brazil.
BusySnake Stealer
The payload is a new, previously undocumented Python infostealer that Kaspersky dubbed BusySnake Stealer. It is protected with PyArmor Pro, decrypting each function's code only at the moment it runs and re-encrypting it immediately afterward to frustrate analysis. BusySnake logs clipboard contents, inventories files on the system, captures screenshots, hunts for 64-character hexadecimal strings (the format of raw private keys for many cryptocurrency wallets), and forwards documents to a command-and-control server. It keeps a foothold through a scheduled task that relaunches the stealer every five minutes.
The group's spear phishing and regional focus echo other Russian-language threat activity in the region, such as Gamaredon hiding espionage against Ukraine behind everyday web services, though Kaspersky treats Armored Likho as a distinct actor.
What you should do
Defenders should treat unsolicited archive attachments, especially those carrying LNK or EXE files themed around aid programs or official notices, as high risk. On endpoints, hunt for Python interpreters running from user-writable locations where no Python deployment is expected, and for scheduled tasks that repeat on a five-minute interval and launch such an interpreter. Kaspersky published indicators of compromise for the campaign.
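The scheduled-task hunt can be scripted against the task definitions Windows stores as XML under C:\Windows\System32\Tasks (or against `schtasks /query /xml` exports). The following is an added example written for this briefing, not a detection published by Kaspersky: it parses a task definition, converts the repetition interval to seconds, and scores the task on three signals the text describes, a short repetition interval, a Python interpreter as the action, and execution from a user-writable path. Both task definitions in the block are constructed samples; the 10-minute threshold and the path patterns are our heuristics, not values from the report.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHORT_INTERVAL_SECONDS = 600  # heuristic (our assumption): repeating every 10 minutes or faster is unusual
# Repetition intervals in task XML are ISO 8601 durations such as PT5M or PT1H.
PT_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
PYTHON_EXE = re.compile(r"(?:^|\\)pythonw?(?:\d(?:\.\d+)?)?\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)


def interval_seconds(text: str):
    """Convert a PT#H#M#S duration to seconds; None for anything else (e.g. P1D)."""
    m = PT_DURATION.match(text.strip())
    if not m:
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def assess_task(xml_text) -> dict:
    """Score one task definition (str or raw bytes of the XML file) on the three signals above."""
    root = ET.fromstring(xml_text)
    findings = []
    intervals = [interval_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    short = [i for i in intervals if i is not None and i <= SHORT_INTERVAL_SECONDS]
    if short:
        findings.append(f"repeats every {min(short)}s")
    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = (action.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        arguments = (action.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        if PYTHON_EXE.search(command):
            findings.append(f"python interpreter: {command}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            findings.append("executes from a user-writable path")
    # Two or more independent signals together are what make the task worth a look.
    return {"findings": findings, "suspicious": len(findings) >= 2}


def scan_task_files(directory):
    """Yield (path, result) for every suspicious task definition under a Tasks directory."""
    for p in Path(directory).rglob("*"):
        if not p.is_file():
            continue
        try:
            result = assess_task(p.read_bytes())   # files are UTF-16 with a BOM; ET handles that
        except ET.ParseError:
            continue
        if result["suspicious"]:
            yield p, result


# Constructed sample: what a persistence task matching the described behaviour could look like.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Local\Temp\py\pythonw.exe</Command>
      <Arguments>C:\Users\victim\AppData\Local\Temp\py\main.py</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary hourly maintenance task that should not fire.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\sc.exe</Command><Arguments>query Spooler</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print("suspicious sample:", assess_task(SUSPICIOUS_TASK_XML))
    print("benign sample:   ", assess_task(BENIGN_TASK_XML))
```

On a live host, `scan_task_files(r"C:\Windows\System32\Tasks")` needs to run elevated to read every definition. Requiring two signals keeps the noise down: plenty of legitimate software schedules short repetitions, and developer machines legitimately run Python, but a Python interpreter under AppData relaunched every five minutes is the combination this briefing describes.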
Selected indicators (defanged):
- C2 domain: grked[.]online
- C2 IPs: 159[.]198[.]41[.]140, 159[.]198[.]32[.]222, 159[.]198[.]75[.]219, 69[.]67[.]173[.]153
- Sample hashes (MD5): 5d5c3e483c5e544260ce98fc29fbf192, 7141917cba2eee2b4d31107faccf3a39
Full technical detail is in the original report from Kaspersky's Securelist team.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.