Librarian Likho Develops Its Own Malware with AI Assistance
Kaspersky Lab has detected a new wave of targeted cyberattacks by the Librarian Likho group—previously known as Librarian Ghouls—against organizations in Russia’s aviation and radio industries.
For the first time, the threat actors are using custom-built malware to steal confidential information, malware that researchers say was developed with the help of artificial intelligence.
From Opportunistic Attacks to AI-Crafted Tools
Active since at least 2023, Librarian Likho has traditionally carried out targeted but relatively low-complexity attacks against entities in Russia and the CIS. Initially grouped under Kaspersky’s Ghouls cluster, the actors were not linked to espionage campaigns.
That changed in 2025, when investigators noticed the group shifting focus toward stealing engineering and design files, particularly those tied to automated design systems (CAD).
Kaspersky analysts say the ongoing campaign began in September 2025 and marks a turning point in the group’s technical evolution.
Classic Phishing, New Payload
For initial access, the attackers relied on familiar phishing tactics. They sent targeted emails containing password-protected archives disguised as official correspondence, such as payment orders, commercial offers, or work completion certificates.
Once a recipient entered the provided password and executed the file inside, a custom data-stealer (“grabber”) launched on the infected machine.
The grabber enumerates all user profiles on the system and collects files with extensions .doc, .docx, .pdf, .txt, .xls, and .xlsx from the Desktop, Downloads, and Documents directories. It then compresses the data into an archive and sends it directly to an attacker-controlled email address.
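The sequence described above (document reads across several user profiles, then an archive, then outbound mail from the same process) can be matched in endpoint telemetry. The following Python is an added example, not code from Kaspersky's report or from the malware; the event format, the archive extensions, and the use of SMTP ports as the signal for outbound mail are assumptions.

```python
import re
from collections import defaultdict

# File types and folders are the ones listed in the article.
DOC_EXT = {".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx"}
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\([^\\]+)\\(Desktop|Downloads|Documents)\\.*(\.[^.\\]+)$",
    re.IGNORECASE)
# Assumptions (not in the article): archive extensions and mail ports.
ARCHIVE_EXT = (".zip", ".rar", ".7z")
MAIL_PORTS = {25, 465, 587}

def detect_grabber(events, min_profiles=2):
    """Return {pid: state} for processes that read documents from several
    user profiles, then create an archive, then open a mail connection."""
    state = defaultdict(lambda: {"profiles": set(), "files": 0,
                                 "archive": None, "mail": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = state[ev["pid"]]
        if ev["type"] == "file_read":
            m = PROFILE_RE.match(ev["path"])
            if m and m.group(3).lower() in DOC_EXT:
                s["profiles"].add(m.group(1).lower())
                s["files"] += 1
        elif ev["type"] == "file_create":
            # Order matters: archive after the sweep, mail after the archive.
            if (ev["path"].lower().endswith(ARCHIVE_EXT)
                    and len(s["profiles"]) >= min_profiles):
                s["archive"] = ev["path"]
        elif ev["type"] == "net_connect":
            if ev["port"] in MAIL_PORTS and s["archive"] and not s["mail"]:
                s["mail"] = (ev["dest"], ev["port"])
    return {pid: s for pid, s in state.items() if s["mail"]}

# Constructed telemetry, not from the article. pid 4120 shows the full
# sequence; pid 880 is one user zipping and mailing their own file.
SAMPLE = [
    {"ts": 1, "pid": 4120, "type": "file_read", "path": r"C:\Users\alice\Desktop\plan.docx"},
    {"ts": 2, "pid": 4120, "type": "file_read", "path": r"C:\Users\alice\Desktop\logo.png"},
    {"ts": 3, "pid": 4120, "type": "file_read", "path": r"C:\Users\bob\Documents\bom.XLSX"},
    {"ts": 4, "pid": 880, "type": "file_read", "path": r"C:\Users\alice\Documents\cv.pdf"},
    {"ts": 5, "pid": 880, "type": "file_create", "path": r"C:\Users\alice\Documents\cv.zip"},
    {"ts": 6, "pid": 4120, "type": "file_create", "path": r"C:\Windows\Temp\out.zip"},
    {"ts": 7, "pid": 880, "type": "net_connect", "dest": "192.0.2.25", "port": 587},
    {"ts": 8, "pid": 4120, "type": "net_connect", "dest": "203.0.113.10", "port": 587},
]
if __name__ == "__main__":
    for pid, s in detect_grabber(SAMPLE).items():
        print(pid, sorted(s["profiles"]), s["files"], s["archive"], s["mail"])
```

Requiring more than one profile is what separates the sweep from a single user archiving and mailing their own documents; on single-user workstations `min_profiles` would need to be lowered and paired with a file-count threshold.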
AI Fingerprints in the Code
Kaspersky’s analysis found clear traces of AI-generated code in the new malware.
The researchers discovered numerous debug comments and syntactic patterns consistent with code written using an AI coding assistant—evidence that the attackers leveraged automated tools to build or refine the grabber.
“A distinctive feature of Librarian Likho has been its use of third-party malware,” said Oleg Kupreev, cybersecurity expert at Kaspersky Lab. “However, this time the attackers developed their own tools. Everything indicates that these were created with AI assistance. We confirmed this by examining leftover debug comments that were never removed from the source.”
Broader Trend: AI in Cyber Offense
The emergence of AI-authored malicious code in active campaigns adds to growing evidence that threat actors are incorporating generative AI into their toolchains.
While Librarian Likho’s campaign appears limited to Russian and CIS targets for now, its adoption of AI-driven malware development signals an alarming shift—one where even mid-tier groups can accelerate weapon development using publicly available AI model