Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Ai-Generated Malware Sparks Concerns Over Sophisticated APT Campaign



A new APT campaign has been uncovered, leveraging AI-generated malware to target governments and power grids in Russia, Kazakhstan, and Brazil. The Armored Likho APT group employs a diverse toolkit of modular and obfuscated components, including BusySnake Stealer and Go2Tunnel. With the campaign remaining active at the time of publication, cybersecurity experts have raised concerns over the sophistication and potential impact of this threat.

  • The Armored Likho APT group has launched targeted attacks against government and power grid agencies in Russia, Kazakhstan, and Brazil using AI-generated malware.
  • The toolkit used by Armored Likho features modular and obfuscated components, including RATs and an infostealer called BusySnake Stealer.
  • The attackers use simpler tools like Go2Tunnel for remote access and leverage PowerShell to execute downloadable modules.
  • Kaspersky attributes the campaign to Armored Likho with medium confidence, citing structural overlaps between malware families.
  • The attacks remain active, targeting confirmed victims in critical sectors such as government and electric power infrastructure.



  • The cybersecurity landscape has recently witnessed an alarming development, as a novel Advanced Persistent Threat (APT) group known as Armored Likho, utilizing AI-generated malware, has launched a series of targeted attacks against government and power grid agencies in Russia, Kazakhstan, and Brazil. Kaspersky's threat research team identified the APT group, also tracked under the name Eagle Werewolf, due to its unique approach of combining financially motivated attacks with state-sponsored espionage efforts.

    The toolkit employed by Armored Likho features a diverse array of modular and obfuscated components, including RATs (Remote Access Trojans) and an infostealer called BusySnake Stealer. The latter, protected with PyArmor Pro 9.2.0, runs silently with no console window and possesses an extended set of persistent background tasks that monitor clipboard content, build a local SQLite database of the file system, and forward sensitive information to C2 servers.

    The attackers leverage simpler tools like Go2Tunnel for remote access and network tunneling, in addition to leveraging PowerShell to execute downloadable modules. The malware's source code contains verbose comments and bullet-point emojis, which are highly uncharacteristic of human-developed malware, suggesting the group's reliance on Artificial Intelligence (AI) for payload generation.

    In its report, Kaspersky attributes the campaign to Armored Likho with medium confidence, citing structural overlaps between BusySnake Stealer and previously utilized AquilaRAT. The reverse tunneling connection is equally specific, as both malware families receive tunnel establishment commands and SSH private keys from C2 servers.

    The campaign remains active at the time of publication, targeting confirmed victims in Russia, Kazakhstan, and Brazil, with a focus on government and electric power infrastructure. Confirmed victims have included Ukrainian artillery units, according to Kaspersky's report, suggesting that the group may be seeking to exploit vulnerabilities in critical sectors.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ai-Generated-Malware-Sparks-Concerns-Over-Sophisticated-APT-Campaign-ehn.shtml

  • https://securityaffairs.com/194854/apt/ai-generated-malware-powers-new-armored-likho-apt-campaign.html

  • https://www.ibtimes.sg/ai-powered-armored-likho-hackers-target-governments-power-sector-global-cyber-campaign-89067


  • Published: Tue Jul 7 04:32:30 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us