July 3, 2026. Kaspersky publishes on Securelist a report on Armored Likho, a new APT. The Brazilian power grid appears on the confirmed target list, alongside Russia and Kazakhstan. No blackout. No sabotage. No official note from ONS, ANEEL, or CERT.br. We read the report and the signal is clear: the attacker came to map, not to destroy — and that is what makes the operation dangerous.
The APT that maps in silence
According to Kaspersky, Armored Likho is a new APT whose goal is not sabotage but long-term espionage. The Brazilian power grid appears on the confirmed target list alongside Russia and Kazakhstan. There was no blackout. No sabotage. No official note from ONS, ANEEL, or CERT.br.
The absence of impact is what distinguishes this operation. The attacker is not trying to interrupt the power supply — they are trying to understand the network, map credentials, establish persistent access, and wait. The barrier between mapping and sabotage is the IT layer that surrounds and isolates the OT network. As long as that barrier holds, mapping does not become a blackout. But whoever maps today can sabotage tomorrow.
BusySnake Stealer: Python 3.12, PyArmor Pro, and in-memory execution
According to Kaspersky, BusySnake Stealer is written in Python 3.12 and protected by PyArmor Pro 9.2.0. A new variant executes scripts in-memory without touching disk — a technique that evades detection by file-signature-based tools. The stealer steals credentials, sessions, crypto wallets, and 2FA secrets. Built-in reverse SSH tunneling maintains the communication channel with the attacker's infrastructure.
Persistence is the detail that reveals maturity. According to the report, the original variant created a scheduled task every 5 minutes via schtasks.exe. The new variant creates tasks via COM — a technique that avoids executing known binaries and complicates detection by EDRs that monitor child processes. Pure espionage, long-term access. The attacker does not want to take the network down — they want to stay in it.
The detail that changes the reading: LLM-generated code
According to Kaspersky, the first-stage loaders of Armored Likho show patterns of LLM-generated code: verbose comments, emojis instead of bullets, and atypical code structure. This is what Kaspersky describes as the first documented case of an APT using generative AI against critical infrastructure.
The reading that matters is not technical — it is strategic. The skill barrier to attack the power grid collapsed. Before, building an APT against critical infrastructure required a team, time, and specialized knowledge. Now, an operator with access to an LLM can generate functional loaders, evasion, and persistence. The cost of attack dropped. The number of potential attackers rose. The Brazilian power grid is on the list — and the list tends to grow.
The vector: spear-phishing before network engineering
According to Kaspersky, the entry vector is spear-phishing with attached ZIP and RAR. The lures vary: government notices, humanitarian aid requests, psychological tests. Two paths from there: an NSIS dropper that downloads Python 3.12 from GitHub, or an LNK file exploiting CVE-2025-9491 — a parameter hiding vulnerability mitigated by Microsoft in November 2025.
The attacker enters through social engineering before entering through network engineering. No zero-day in an OT protocol. No exploit in SCADA. The path is the human — the operator who opens the attachment, the analyst who clicks the fake government notice. Defense starts where the attack starts: at the endpoint, at the email, at behavior.
The power grid as an APT target is recurrent
The power grid as an APT target is not new. Ukraine 2015: Sandworm left 225,000 people without power. Industroyer 2016: the first modular malware designed for the grid. Triton 2017: the first documented attack on a Safety Instrumented System. Volt Typhoon 2024: pre-positioning in US critical infrastructure. In Brazil, Copel (DarkSide) and Eletronuclear in 2021 — OT networks intact, no nation-state attribution. Medium confidence.
The pattern is clear: mapping precedes sabotage. Whoever understands the network today can interrupt it tomorrow. Armored Likho is in the understanding phase. The defense window is now — while the attacker maps, not when they decide to act.
Defense requires detecting silence
Defense against an APT that maps in silence requires detecting what makes no noise. EDR with threat hunting identifies persistence and SSH tunnels before they become prolonged access. A 24/7 SOC shortens dwell time — APTs operate in the early morning hours, when the on-shift team is minimal. Zero Trust breaks the implicit trust the attacker exploits. IAM with least privilege limits blast radius if the attacker gets in. Red Team simulates the attacker's kill chain: spear-phishing, dropper, persistence, tunneling, espionage.
Tech86's Elite DeepTech brings Hard Tech and Hard Law. The IT layer that surrounds and isolates the OT network separates mapping from sabotage. We help power grid companies detect silence before it becomes a blackout.
Conclusion: the absence of impact is the presence of intention
We repeat: the absence of impact is the presence of intention. Whoever maps, waits. Armored Likho caused no blackout — and that is exactly why it is dangerous. The attacker is inside, mapping, collecting, persisting. The defense window is the interval between mapping and the decision to act. If defense waits for the blackout, it is already too late.
At Tech86, we help critical infrastructure companies detect silence — before it becomes noise.