AI-Written Malware Narrates Itself — That's How You Catch It, We Said This Morning. Hours Later, Kaspersky Caught a Russian APT's AI-Generated Loader by Its Emoji and Verbose Comments.
- Patrick Duggan
- 11 minutes ago
- 4 min read
This morning we published JADEPUFFER — the first ransomware operation run end-to-end by an AI agent — and the single most useful line in that piece was not about the attack, it was about the defense: the AI-generated payload narrated its own reasoning, in prose, inside the code, and that self-narration is a detection surface that did not exist a year ago. We said the tell of AI-written attack code is that it cannot help but explain itself. That was published before lunch. By the afternoon, Kaspersky had proven the same thing against a target several tiers up the food chain from a criminal ransomware crew: a Russia-nexus nation-state APT.
What Kaspersky found
The actor is Armored Likho, which overlaps heavily with a cluster that BI.ZONE tracks as Eagle Werewolf, active since at least May 2023. The campaign pushes a Python infostealer called BusySnake at government agencies and electric-power operators in Russia, Kazakhstan, and Brazil, delivered by spear-phishing that abuses a patched Windows LNK vulnerability, CVE-2025-9491. That is a competent, targeted, state-aligned espionage operation — the kind of adversary that is supposed to be careful.
And here is the part that matters. Kaspersky assessed that Armored Likho's first-stage loader was generated by a large language model, and they said how they knew: verbose inline comments explaining what each block does, bullet-point emoji sprinkled through the source, and redundant, over-structured code blocks — the reflexive stylistic fingerprints of LLM output. A human malware author writing a first-stage loader strips comments to stay small and quiet. An AI, left on its defaults, documents the burglary in the margins as it commits it. The state actor used AI to move faster and, per Kaspersky, to muddy attribution — and the AI's own writing style became the thing that fingerprinted the loader.
The escalation ladder, filled in from both ends in a single day
Watch what happened across twelve hours. This morning's story was AI as the operator of a criminal attack — JADEPUFFER, an agent running ransomware for money. This afternoon's is AI as the author of a nation-state attack — Armored Likho, a state crew shipping AI-written malware for espionage. Different rung, same ladder, and the same detection principle catches both: AI-generated attack code is more legible than human-written attack code, not less. The whole fear about AI-enabled attacks is that they will be faster, cheaper, and harder to attribute — and CrowdStrike's 2026 report backs the volume, an 89 percent jump in AI-enabled attacks last year. But the dirty secret sitting inside that fear is that the thing making these attacks cheap to produce — a model that writes fluent, commented, self-explaining code — also makes them easy to spot, because fluent, commented, self-explaining code is not what malware has ever looked like.
We have been building toward this from the category level since we started hunting for AI adversaries in November, and the through-line of everything we have published this week — JADEPUFFER, GhostApproval, the ChocoPoC supply-chain traps — is the same: the AI is now on both sides of the attack, as target and as attacker, and the way you catch the attacker half is to stop looking only for known-bad bytes and start looking for known-AI behavior. Armored Likho is that argument with a Russian flag on it.
Why this is a gift, and why the gift has a clock on it
The defensive lesson is almost counterintuitive, so state it plainly: do not assume AI-written malware is more sophisticated. Assume it is more distinctive. The emoji, the tutorial-grade comments, the belt-and-suspenders redundancy — these are a stylometric signature, and stylometry is a detection modality that signature-based tools ignore entirely and behavioral tools are only starting to use. If your detection stack can flag "this compiled payload contains natural-language reasoning and bullet-point emoji," you have a tripwire for AI-authored code regardless of what the code does, and it fires on a criminal crew and a state APT alike.
The clock: this tell works precisely because the adversaries have not yet bothered to strip it. It is a default-output artifact, not a law of nature. The moment a serious actor adds a post-processing pass that deletes the comments and de-emojis the source — a five-line script — the fingerprint is gone. So the honest read is that this is a real, live, use-it-now detection surface with a shelf life, not a permanent win. Kaspersky caught Armored Likho because the operators were sloppy about their tooling's exhaust. The good ones will clean it up. Use the window while it is open.
The honest note
We did not find Armored Likho — this is Kaspersky's research, with the Eagle Werewolf overlap tracked by BI.ZONE, and the AI-attack-volume figure is CrowdStrike's; we credit all three. There are IOCs in their reporting worth pulling into a feed — the BusySnake stealer and the LNK delivery — and we will. What we bring is the placement and the timing: we argued this morning, about a criminal AI operation, that AI-written attack code betrays itself by narrating itself, and by the afternoon that exact detection method had bagged a nation-state loader. We hold this at 95 percent, and the five percent is the shelf life — the tell is a default artifact the good actors will eventually strip. But the deeper point survives the cleanup: the category of AI adversary is now real from petty crime to state espionage, and the first-generation ones are catchable because the machine that writes their code was trained to explain itself while it works.
Sources: Kaspersky research on Armored Likho / BusySnake Stealer and the LLM-generated loader (July 2026); BI.ZONE (Eagle Werewolf cluster); CrowdStrike 2026 Global Threat Report (AI-enabled attack volume); DugganUSA prior coverage — JADEPUFFER (2026-07-14), GhostApproval and ChocoPoC (2026-07-13/14), and "Looking For AI Adversaries" (November 2025) — queried directly.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
