Return to Threats

Armored Likho APT Targeting Government, Electric Power Entities

securityweek.com 2026-07-06 malicious AI use Critical

What Happened

The threat actor uses modular RATs and information stealers in financially motivated and cyber espionage campaigns. The post Armored Likho APT Targeting Government, Electric Power Entities appeared first on SecurityWeek .

Why It Matters

The article reports on Armored Likho, a newly documented APT group conducting cyber-espionage and financially motivated attacks against government agencies and electric power entities, using obfuscated, modular RATs and information stealers engineered to evade dynamic analysis.[2][1] Kaspersky’s analysis highlights spear-phishing, GitHub-hosted payloads, and advanced evasion techniques as part of their toolset.[2][1] From a RealGround perspective, such campaigns illustrate malicious use of increasingly sophisticated tooling and tradecraft that can be augmented by AI for phishing customization, malware obfuscation, and large-scale credential theft, which poses a significant threat to any AI-enabled operational environment. Organizations should test their AI-powered and traditional security controls against similar APT-style tactics via continuous red teaming to validate detection, containment, and response to modular, evasive malware and credential-stealing campaigns.

Healthcare Fintech SaaS SMB AI startups

RealGround Analysis

This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://www.securityweek.com/armored-likho-apt-targeting-government-electric-power-entities/

Talk to AI CISO