LAMEHUG is the first known malware that integrates large language model (LLM) capabilities directly into its attack methodology. It is attributed with moderate confidence to APT28 and was observed targeting Ukrainian government officials. The malware uses the Qwen2.5-Coder-32B-Instruct LLM via the Hugging Face API to generate and execute commands dynamically in real time, a proof of concept for AI-powered state-sponsored cyber operations.
Keypoints
- LAMEHUG malware was discovered on July 10, 2025, targeting Ukrainian government officials via phishing emails containing ZIP attachments with PyInstaller-compiled Python executables.
- APT28 (Fancy Bear), linked to Russia’s GRU Unit 26165, is attributed with moderate confidence for the LAMEHUG campaign.
- The malware uniquely integrates the Qwen2.5-Coder-32B-Instruct large language model through the Hugging Face API to generate real-time attack commands based on encoded text prompts.
- Multiple variants of LAMEHUG exist with differing data exfiltration methods, including SFTP and HTTP POST, reflecting ongoing experimentation.
- Commands generated by the LLM enable extensive system reconnaissance, including hardware, network, user, group, and Active Directory enumeration.
- Analysis suggests the operation is a proof-of-concept test rather than a fully matured campaign, given its simple code, transparent AI integration, and limited operational security.
- LAMEHUG challenges traditional detection: its commands change from run to run, and its traffic goes to a legitimate AI API, so it evades signature-based and some behavioral detection methods.
MITRE Techniques
- [T1566] Phishing – The malware was delivered via phishing emails that impersonated Ukrainian ministry officials and carried malicious ZIP archives (‘phishing emails impersonating Ukrainian ministry officials and containing ZIP archives’).
- [T1059] Command and Scripting Interpreter – LAMEHUG uses dynamically generated command sequences executed on the target system via cmd.exe (‘LLM responds with executable command sequences tailored to the requested objective’).
- [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs using HTTP POST and SFTP methods (‘HTTP POST upload logic’ and ‘SFTP upload logic’).
- [T1083] File and Directory Discovery – Commands generated collect files recursively from user Documents, Downloads, and Desktop folders (‘copy recursively different office and pdf/txt documents’).
- [T1082] System Information Discovery – The malware gathers extensive system and hardware information using systeminfo and wmic commands (‘gather computer information, hardware information’).
- [T1018] Remote System Discovery – Uses dsquery commands to enumerate Active Directory domain structure (‘dsquery user’, ‘dsquery group’, ‘dsquery site’).
- [T1598] Phishing for Information – Uses social engineering via a decoy document and a provocative image-generation prompt to lure victims (‘provocative image generation prompt as a lure’).
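One behavioral detection for the reconnaissance chain mapped to T1082 and T1018 above, keyed on the parent process and the set of discovery tools rather than on the exact command strings the LLM regenerates on every run. This is an added example for defenders, not code from the Cato CTRL report; the event format, field names, file paths and the 60-second window are assumptions, and the sample events are constructed.

```python
"""Behavioral detection for the LAMEHUG reconnaissance burst. Added illustration,
not code from the Cato CTRL report: flag a parent process that drives several
discovery tools through cmd.exe in a short window. Log format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery tools the report says the LLM-generated commands invoke (T1082, T1018).
RECON_TOOLS = {"systeminfo", "wmic", "dsquery"}
WINDOW = timedelta(seconds=60)   # burst window; the value is a tuning assumption
MIN_DISTINCT = 2                 # distinct tools from one parent before alerting

# Constructed sample process-creation events: time|parent_pid|parent_image|cmdline
SAMPLE_EVENTS = """\
2025-07-10T09:00:01|4112|C:\\Temp\\AI_image_generator_v0.95.exe|cmd.exe /c systeminfo > C:\\Temp\\out.txt
2025-07-10T09:00:03|4112|C:\\Temp\\AI_image_generator_v0.95.exe|cmd.exe /c wmic computersystem get name,domain >> C:\\Temp\\out.txt
2025-07-10T09:00:09|4112|C:\\Temp\\AI_image_generator_v0.95.exe|cmd.exe /c dsquery user -limit 0 >> C:\\Temp\\out.txt
2025-07-10T09:00:12|4112|C:\\Temp\\AI_image_generator_v0.95.exe|cmd.exe /c dsquery group -limit 0 >> C:\\Temp\\out.txt
2025-07-10T10:15:00|2200|C:\\Windows\\explorer.exe|cmd.exe /c systeminfo
2025-07-10T10:20:00|2200|C:\\Windows\\explorer.exe|cmd.exe /c wmic cpu get name
"""

def recon_tools_in(cmdline):
    # Any token matching a discovery tool counts, whatever the rest of the line says.
    return {t.lower() for t in re.findall(r"[A-Za-z0-9_-]+", cmdline)} & RECON_TOOLS

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, ppid, pimage, cmdline = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), (int(ppid), pimage), cmdline))
    return events

def detect_recon_bursts(events):
    """One alert per parent running >= MIN_DISTINCT distinct discovery tools within
    WINDOW. Keys on the tool set, not exact strings: the LLM rewrites commands per run."""
    by_parent = defaultdict(list)
    for ts, parent, cmdline in events:
        for tool in recon_tools_in(cmdline):
            by_parent[parent].append((ts, tool))
    alerts = []
    for (pid, image), hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {tool for ts, tool in hits[i:] if ts - start <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                alerts.append({"pid": pid, "parent": image, "tools": sorted(seen),
                               "first_seen": start.isoformat()})
                break   # the burst is reported once; later windows are the same burst
    return alerts
```

The explorer.exe events in the sample are deliberately five minutes apart, so a lone administrator running systeminfo and later wmic does not trip the rule.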
Indicators of Compromise
- [File Hashes] LAMEHUG malware samples – Додаток.pif: SHA256 766c356d6a4b00078a0293460c5967764fcd788da8c1cd1df708695f3a15b777, AI_generator_uncensored_Canvas_PRO_v0.9.exe: SHA256 d6af1c9f5ce407e53ec73c8e7187ed804fb4f80cf8dbd6722fc69e15e135db2e, AI_image_generator_v0.95.exe: SHA256 bdb33bbb4ea11884b15f67e5c974136e6294aa87459cdc276ac2eea85b1deaa3.
- [IP Addresses] Command and control infrastructure – 144.126.202.227 (SFTP server for data exfiltration).
- [Domains] Exfiltration and hosting resources – stayathomeclasses.com and https://stayathomeclasses.com/slpw/up.php (exfiltration endpoint).
- [Email Addresses] Distribution vector – [email protected] (compromised email account used for phishing).
- [File Names] Malware variants – Додаток.pif (Attachment.pif), AI_generator_uncensored_Canvas_PRO_v0.9.exe, AI_image_generator_v0.95.exe, image.py.
Read more: https://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/