Pular para o conteúdo principal
Close
Security

Armored Likho: New APT Maps the Brazilian Power Grid With Generative AI

Gabriel Ferraresi· CEO | Tech86July 13, 20264 min
securityaptpower-gridarmored-likhobusysnakethreat-huntingllmcritical-infrastructure

July 3, 2026. Kaspersky publishes on Securelist a report on Armored Likho, a new APT. The Brazilian power grid appears on the confirmed target list, alongside Russia and Kazakhstan. No blackout. No sabotage. No official note from ONS, ANEEL, or CERT.br. We read the report and the signal is clear: the attacker came to map, not to destroy — and that is what makes the operation dangerous.

The APT that maps in silence

According to Kaspersky, Armored Likho is a new APT whose goal is not sabotage but long-term espionage. The Brazilian power grid appears on the confirmed target list alongside Russia and Kazakhstan. There was no blackout. No sabotage. No official note from ONS, ANEEL, or CERT.br.

The absence of impact is what distinguishes this operation. The attacker is not trying to interrupt the power supply — they are trying to understand the network, map credentials, establish persistent access, and wait. The barrier between mapping and sabotage is the IT layer that surrounds and isolates the OT network. As long as that barrier holds, mapping does not become a blackout. But whoever maps today can sabotage tomorrow.

BusySnake Stealer: Python 3.12, PyArmor Pro, and in-memory execution

According to Kaspersky, BusySnake Stealer is written in Python 3.12 and protected by PyArmor Pro 9.2.0. A new variant executes scripts in-memory without touching disk — a technique that evades detection by file-signature-based tools. The stealer steals credentials, sessions, crypto wallets, and 2FA secrets. Built-in reverse SSH tunneling maintains the communication channel with the attacker's infrastructure.

Persistence is the detail that reveals maturity. According to the report, the original variant created a scheduled task every 5 minutes via schtasks.exe. The new variant creates tasks via COM — a technique that avoids executing known binaries and complicates detection by EDRs that monitor child processes. Pure espionage, long-term access. The attacker does not want to take the network down — they want to stay in it.

The detail that changes the reading: LLM-generated code

According to Kaspersky, the first-stage loaders of Armored Likho show patterns of LLM-generated code: verbose comments, emojis instead of bullets, and atypical code structure. This is what Kaspersky describes as the first documented case of an APT using generative AI against critical infrastructure.

The reading that matters is not technical — it is strategic. The skill barrier to attack the power grid collapsed. Before, building an APT against critical infrastructure required a team, time, and specialized knowledge. Now, an operator with access to an LLM can generate functional loaders, evasion, and persistence. The cost of attack dropped. The number of potential attackers rose. The Brazilian power grid is on the list — and the list tends to grow.

The vector: spear-phishing before network engineering

According to Kaspersky, the entry vector is spear-phishing with attached ZIP and RAR. The lures vary: government notices, humanitarian aid requests, psychological tests. Two paths from there: an NSIS dropper that downloads Python 3.12 from GitHub, or an LNK file exploiting CVE-2025-9491 — a parameter hiding vulnerability mitigated by Microsoft in November 2025.

The attacker enters through social engineering before entering through network engineering. No zero-day in an OT protocol. No exploit in SCADA. The path is the human — the operator who opens the attachment, the analyst who clicks the fake government notice. Defense starts where the attack starts: at the endpoint, at the email, at behavior.

The power grid as an APT target is recurrent

The power grid as an APT target is not new. Ukraine 2015: Sandworm left 225,000 people without power. Industroyer 2016: the first modular malware designed for the grid. Triton 2017: the first documented attack on a Safety Instrumented System. Volt Typhoon 2024: pre-positioning in US critical infrastructure. In Brazil, Copel (DarkSide) and Eletronuclear in 2021 — OT networks intact, no nation-state attribution. Medium confidence.

The pattern is clear: mapping precedes sabotage. Whoever understands the network today can interrupt it tomorrow. Armored Likho is in the understanding phase. The defense window is now — while the attacker maps, not when they decide to act.

Defense requires detecting silence

Defense against an APT that maps in silence requires detecting what makes no noise. EDR with threat hunting identifies persistence and SSH tunnels before they become prolonged access. A 24/7 SOC shortens dwell time — APTs operate in the early morning hours, when the on-shift team is minimal. Zero Trust breaks the implicit trust the attacker exploits. IAM with least privilege limits blast radius if the attacker gets in. Red Team simulates the attacker's kill chain: spear-phishing, dropper, persistence, tunneling, espionage.

Tech86's Elite DeepTech brings Hard Tech and Hard Law. The IT layer that surrounds and isolates the OT network separates mapping from sabotage. We help power grid companies detect silence before it becomes a blackout.

Conclusion: the absence of impact is the presence of intention

We repeat: the absence of impact is the presence of intention. Whoever maps, waits. Armored Likho caused no blackout — and that is exactly why it is dangerous. The attacker is inside, mapping, collecting, persisting. The defense window is the interval between mapping and the decision to act. If defense waits for the blackout, it is already too late.

At Tech86, we help critical infrastructure companies detect silence — before it becomes noise.

blog.cta_consulting_title

blog.cta_consulting_subtitle

Critical Infrastructure Defense and Threat Hunting

Frequently Asked Questions

According to Kaspersky, Armored Likho is a new APT described in a report published on Securelist on July 3, 2026. The Brazilian power grid appears on the confirmed target list alongside Russia and Kazakhstan. There was no blackout, no sabotage, and no official note from ONS, ANEEL, or CERT.br. The attacker's goal is to map — long-term espionage, not immediate destruction.

According to Kaspersky, the first-stage loaders show patterns of LLM-generated code: verbose comments, emojis instead of bullets, and atypical code structure. This is what Kaspersky describes as the first documented case of an APT using generative AI against critical infrastructure. The skill barrier to attack the power grid collapsed — an operator with access to an LLM can generate functional loaders.

According to Kaspersky, BusySnake Stealer is written in Python 3.12 with PyArmor Pro 9.2.0. A new variant executes scripts in-memory without touching disk. It steals credentials, sessions, crypto wallets, and 2FA secrets. Persistence uses a scheduled task every 5 minutes — the new variant creates tasks via COM instead of schtasks.exe, evading detection by EDRs that monitor child processes. Built-in reverse SSH tunneling maintains the channel with the attacker.

The absence of impact is the presence of intention. Whoever maps, waits. Armored Likho caused no blackout — and that is exactly why it is dangerous. The attacker is inside, mapping credentials, sessions, and network topology. The defense window is the interval between mapping and the decision to act. The power grid as an APT target is recurrent: Ukraine 2015 (Sandworm), Industroyer 2016, Triton 2017, Volt Typhoon 2024. Mapping precedes sabotage.

Defense requires detecting silence. EDR with threat hunting identifies persistence and SSH tunnels before they become prolonged access. A 24/7 SOC shortens dwell time — APTs operate in the early morning hours. Zero Trust breaks implicit trust. IAM with least privilege limits blast radius. The IT layer that surrounds and isolates the OT network separates mapping from sabotage. Red Team simulates the attacker's kill chain. Tech86's Elite DeepTech brings Hard Tech and Hard Law to defend critical infrastructure.

Blog — Get in Touch

Have a question about our articles or services? Our team is ready to help.

Schedule a Meeting

Book a time slot.

Schedule Now

Email

Send us a message.

[email protected]

WhatsApp

Quick conversation.

Address

Avenida Paulista, 1636 - São Paulo - SP - 01310-200

Tech86 Specialist

Online now

Hello! How can we help scale your business today?

Tech86 Engineering

We Value Your Privacy

We use cookies and similar technologies to optimize your experience, analyze site traffic, and personalize content. By clicking "Accept All", you agree to the use of all cookies. Read our Privacy Policy.