AI-powered malware blurs lines between cybercrime and espionage

A previously unknown advanced persistent threat (APT) group is rewriting the rules of cyber espionage and cybercrime by weaponizing artificial intelligence to deploy malware that evades detection and complicates attribution. Dubbed Armored Likho by Kaspersky’s threat research team, the group—also tracked as Eagle Werewolf—runs parallel operations: financially motivated attacks on private individuals and targeted espionage against government agencies and electric power organizations in Russia, Kazakhstan, and Brazil. This dual focus is rare, as most APT groups typically specialize in one domain.
A modular toolkit built for stealth and adaptability
Armored Likho’s toolkit is modular and actively evolving, designed to maintain long-term control over compromised systems. The group deploys obfuscated remote access trojans (RATs), a newly documented Python-based infostealer called BusySnake Stealer, and Go2Tunnel for secure remote access and network tunneling. According to Kaspersky’s report, the malware stack is engineered to bypass dynamic analysis and adapt to each victim’s profile. This flexibility allows the group to exfiltrate sensitive data and deploy additional payloads dynamically, tailoring their attacks as they unfold.
Phishing with a twist: AI-generated loaders and decoys
The attack chain begins with spear-phishing emails that mimic official government notices, humanitarian aid applications, or psychological tests. Attached archives contain either executables or specially crafted LNK shortcut files exploiting the ZDI-CAN-25373 vulnerability. In both cases, a loader is injected into memory, downloading further components from GitHub repositories—including early development versions of the malware. The loader’s source code stands out for its verbose comments and emoji usage, a style Kaspersky notes is uncharacteristic of human-written malware and strongly suggests the use of large language models (LLMs) to generate malicious payloads.
Why it matters
The emergence of AI-generated malware marks a turning point in the cyber threat landscape, lowering the barrier to entry for sophisticated attacks while increasing the difficulty of attribution. For defenders, this means traditional indicators of compromise may no longer suffice, and behavioral analysis becomes critical. For governments and critical infrastructure operators in affected regions, the blend of financially driven and state-aligned operations raises the stakes, demanding faster detection and response capabilities to counter adversaries that can iterate and adapt at machine speed.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

