Armored Likho APT Deploys AI-Generated Loaders in Targeted Attacks

A sophisticated cyber-espionage campaign has been identified, targeting government agencies and electrical power organizations across Russia, Brazil, and Kazakhstan. The threat actor, known as Armored Likho, employs AI-generated loaders to deploy a newly discovered malware named BusySnake Stealer, posing significant risks to sensitive data and critical infrastructure.

The attack initiates through spear-phishing emails that mimic official communications, such as government notices or humanitarian aid requests. These emails contain archive attachments with malicious executables or Windows shortcut files. When opened, these attachments trigger a multi-stage infection process while displaying decoy content to divert the victim’s attention from the ongoing compromise.

BusySnake Stealer is designed to exfiltrate a wide range of data, including browser credentials, cookies, clipboard information, local documents, screenshots, cryptocurrency-related data, and Telegram session files. Additionally, it can receive commands from its operators, enabling prolonged surveillance and data theft beyond the initial phishing attack.

AI-Generated Loaders Enhance Evasion

In one infection scenario, the victim accesses an archive containing a file disguised as a psychological test. Executing this file launches a fake survey while simultaneously injecting malicious code into another process and retrieving additional payloads from online repositories. These files are then unpacked into the user’s AppData directory, allowing the attack to proceed stealthily.

Another method involves a malicious LNK shortcut that obfuscates its command-line activity using spaces and line breaks. This shortcut initiates an obfuscated command and PowerShell process to download a loader, Python components, and the BusySnake payload. A decoy document may open during this process to maintain the appearance of legitimacy.

Researchers have observed that the loaders’ source code contains unusually verbose comments and bullet-point emojis, characteristics uncommon in malware developed solely by humans. This suggests that the attackers utilized large language models to generate these first-stage tools, enabling them to vary their delivery code and complicate attribution efforts.

Advanced Persistence and Data Exfiltration

BusySnake employs code obfuscation and encryption techniques, decrypting functions only when necessary. It operates without displaying a visible console window and uses scheduled tasks to maintain persistence. Recent samples have shown that the malware creates scheduled tasks through Windows component interfaces instead of directly invoking standard task commands, a tactic aimed at reducing detection.

Upon execution, BusySnake inventories files, monitors the clipboard, and captures screenshots. It also targets cryptocurrency-related data and Telegram session files, indicating a focus on both financial gain and intelligence gathering.

The use of AI-generated loaders in this campaign highlights a concerning trend in cyber-espionage tactics. By leveraging artificial intelligence, threat actors can rapidly develop and deploy sophisticated malware, making detection and attribution more challenging. Organizations, especially those in the public sector and critical infrastructure, must enhance their cybersecurity measures to defend against these evolving threats.