The Leek Likho group uses artificial intelligence to modify Trojans and cyberattack tools against organizations in Russia, primarily from the public sector, according to a Kaspersky Lab report. Attackers use large language models to change scripts and names of malicious files for specific targets.
Leek Likho campaigns have remained active since 2025 due to constant changes in infrastructure and disguise methods. Attacks are based on social engineering, multi-stage downloads, and legitimate tools such as rclone.
Attackers gain access via Telegram, disguising malicious files as links to file-sharing services. Inside the archive is an LNK file with a double extension, for example, "Proekt_prikaza_681_o_pooshchrenii.pdf.lnk". When opened, an infection chain is launched, and data from the device is collected and sent to the attackers.
A separate shortcut file with a new name, slightly different from the previous one, is used for each target. Malicious tools receive new names similar to those of well-known applications. The scripts also vary from sample to sample, which points to the use of AI to generate the tooling; this per-target variation complicates signature-based detection and reduces the effectiveness of protection.
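Because the file names and scripts change per target, a defender can instead key on what stays constant: an archive member whose name ends in a document extension followed by ".lnk", and whose content carries a Windows Shell Link header. The following triage helper is an added example (not from the Kaspersky report); the archive member names and the minimal LNK header bytes are constructed for illustration, and the header layout follows the public MS-SHLLINK specification.

```python
"""Triage archive members for double-extension .lnk lures (added example, constructed data)."""
import re
import struct
from typing import Dict, Optional

# Document-looking suffixes that precede the real .lnk extension in the lure.
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png")
DOUBLE_EXT = re.compile(r"\.(" + "|".join(DOC_EXTS) + r")\.lnk$", re.IGNORECASE)

# Shell Link header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
# serialised as a little-endian GUID, then the 4-byte LinkFlags field (MS-SHLLINK 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ARGUMENTS = 0x00000020  # LinkFlags bit F: a command line is appended to the target


def is_double_extension_lnk(name: str) -> bool:
    """True for names like 'report.pdf.lnk' that hide a shortcut behind a document extension."""
    return DOUBLE_EXT.search(name) is not None


def parse_lnk_header(data: bytes) -> Optional[dict]:
    """Return LinkFlags info if data starts with a valid Shell Link header, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    return {"flags": flags, "has_arguments": bool(flags & FLAG_HAS_ARGUMENTS)}


def triage_member(name: str, data: bytes) -> str:
    """Classify one archive member by combining the name pattern with the content check."""
    hdr = parse_lnk_header(data)
    double_ext = is_double_extension_lnk(name)
    if hdr is not None and double_ext:
        return "lnk-double-extension"      # the lure described in the report
    if hdr is not None and not name.lower().endswith(".lnk"):
        return "lnk-wrong-extension"       # shortcut content under a non-.lnk name
    if hdr is not None:
        return "lnk"                       # a plain shortcut; still unusual in a mailed archive
    if double_ext:
        return "double-extension-name"     # name pattern only; content is not a shortcut
    return "clean"


def triage_archive(members: Dict[str, bytes]) -> Dict[str, str]:
    """Map each member name to its verdict."""
    return {name: triage_member(name, data) for name, data in members.items()}


# Constructed sample: a 76-byte header with HasLinkTargetIDList | HasArguments set, zero-padded.
SAMPLE_LNK = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, 0x21) + b"\x00" * (LNK_HEADER_SIZE - 24)
SAMPLE_ARCHIVE = {
    "Proekt_prikaza_681_o_pooshchrenii.pdf.lnk": SAMPLE_LNK,  # name from the report, constructed bytes
    "notes.txt": b"plain text, not a shortcut",
}
```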